HIPAA - Business Associate Contract
The HIPAA Rules require that covered entities and business associates enter into contracts to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.
Agreements are required between Covered Entities (CEs) and Business Associates (BAs), and between BAs and their subcontractors.
Agreement not required with:
- Payers or other providers
- Workforce members
- Conduits (USPS, FedEx, etc.)
- No requirement to monitor BAs, but the CE must obtain satisfactory assurances
- No BA relationship exists if the vendor has no access to PHI and does not maintain it
- Technical support services (for systems, software, fax/copiers, etc.) may need access to PHI and therefore require a BAA
- Signatures, Start/Expiration/Review Dates
- Terms & Conditions (incl. how to use or disclose PHI, data rights, minimum security)
- Recording and Reporting Breaches
- Penalties for Breaches
- Policies and procedures (P&P) for data retention and destruction
- Subcontractors Held to Same Standard
- Establish permitted and required uses of PHI
- Require the BA not to use or disclose PHI other than as permitted by the BAA or required by law
- Require the BA to use appropriate safeguards and comply with the applicable Privacy and Security Rule requirements
- Require the BA to report to the CE any unauthorized uses or disclosures of PHI, including breaches of unsecured PHI
- Require the BA to comply with any HIPAA Privacy Rule obligations that apply to the relationship between the BA and the CE
- Special provisions based on roles
- Breach notification - timing, evaluation, process
- Restrictions on certain disclosures
- Restrictions on marketing, fund raising and sale of PHI
- Accounting of disclosures
- Individual right of access to electronic PHI
- Minimum necessary and use of limited data set
- Subcontractor provisions
- Under the Omnibus Rule, subcontractors are themselves BAs, so they must be under a contract that requires protections and compliance similar to those imposed on the BA
- The contract should include rights to review the subcontractor's security and to require evidence of good practices
- The contract should specify privacy and security practices, and the subcontractor should be prepared to implement stronger security, secure communications and secure storage
- "Agency" relationship rules also apply to BA-subcontractor relationships
- If the BA is an agent, the Covered Entity is liable for the BA's actions in performing HIPAA obligations on its behalf, whether or not a BAA is in place
- If the BA is an agent, the Covered Entity's breach notification clock begins upon discovery of the breach by the BA
- If the BA is not an agent, the Covered Entity's clock begins upon receipt of notice from the BA
Popular Trainings
Navigating and Negotiating HIPAA Business Associate Agreements
Modifications made by the Final Omnibus Rule and the impact of these changes on agreements between covered entities and business associates.
Business Associate Agreements (BAA): Why the Pushback from Business Associates
Requirements of the Omnibus Final Rule regarding Business Associate Agreements (BAAs), including what it was, what it is now, and what it might be in the future.
HIPAA and Business Associates - New Responsibilities and Obligations
Significant changes to the HIPAA rules for business associates, the new challenges for HIPAA covered entities and business associates, and new risks for non-compliance and penalties.
Effective Risk Analysis for HIPAA Covered Entities and Business Associates
Eliminate your confusion around conducting an effective security risk analysis to fulfill the core requirements of the HIPAA Omnibus Final Rule for covered entities and business associates.