10 HIPAA Requirements for Business Associate Agreements
HIPAA requires that covered entities (CEs) enter into contracts with their business associates (BAs) to ensure that BAs will appropriately safeguard protected health information (PHI). The business associate contract also serves to clarify and limit the permissible uses and disclosures of PHI based on the relationship between the parties and the services being performed.
The Department of Health and Human Services (HHS) Office for Civil Rights in 2013 issued extensive guidance on handling BA agreements under the HIPAA privacy and security rules. This guidance has been condensed into the following 10 requirements. Some requirements are commonly included in a business associate agreement, but others may not be.
1. Determine when and how the business associate is allowed to use or disclose PHI.
2. Require that the BA will not use or disclose PHI other than what has been permitted by the contract or required by law.
3. Establish what safeguards will be put in place to prevent unauthorized PHI disclosure. This includes implementing HIPAA requirements surrounding electronic PHI.
4. Require the BA to report to the CE any use or disclosure of PHI not covered by the contract, including incidents or breaches of unsecured PHI.
5. Ensure the BA will disclose PHI as specified in the contract to satisfy a CE’s obligation with respect to individuals’ requests for copies of their PHI. PHI should be available for amendments as well.
6. To the extent the BA is to carry out a CE’s obligation under HIPAA, require that the BA comply with the requirements relevant to that obligation.
7. Ensure internal practices, books and records relating to the use and disclosure of PHI by the BA will be made available to HHS to determine the CE’s HIPAA compliance.
8. Require that the BA return or destroy all PHI received from the CE, or created or received by the BA on the CE’s behalf, upon termination of the contract.
9. Require that BAs enter into agreements with their subcontractors that may have access to PHI.
10. Allow the CE to terminate the contract if the BA violates a material term of the contract.
Other helpful tips include:
● Keep all agreements in a centralized location that can be accessed anytime;
● Know when agreements expire;
● Continually monitor BA compliance by issuing assessments; and
● Include BAs in your risk analyses.