With the January 2013 changes to the HIPAA rules, now is a good time to review the HIPAA Business Associate requirements.
An entity or individual subject to the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA), known as a covered entity (CE), may have a legitimate need to disclose protected health information (PHI) to other entities or individuals that perform functions on the CE’s behalf, such as third-party administrators, claims administrators, consultants and attorneys. These other parties are referred to as business associates (BAs). The HIPAA rules generally require a CE to enter into a contract (a business associate agreement (BAA)) with each of its BAs, and a BA to do the same with its own subcontractors, to ensure that the BA will appropriately safeguard PHI.
The BAA also clarifies and limits, as appropriate, the permitted uses and disclosures of PHI by the BA, based on:
· The relationship between the parties.
· The activities or services being performed by the BA.
A BA may use or disclose PHI only as permitted or required by its BAA or as required by law. A BA is directly liable under the HIPAA rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of PHI that are not authorized by its BAA or required by law. A BA is also directly liable and subject to civil penalties for failing to safeguard electronic PHI in accordance with the HIPAA Security Rule.
In addition, under final regulations issued in January 2013 by the Department of Health and Human Services (HHS) (the Final Regulations), a subcontractor that creates, receives, maintains or transmits PHI on behalf of a BA is itself a BA (78 Fed. Reg. 5566). However, the preamble to the Final Regulations clarifies that a CE need not contract directly with its BA’s subcontractors. Rather, the BA must obtain satisfactory assurances, in the form of a written agreement, that the subcontractor will appropriately safeguard PHI.
The BAA must:
· Establish the permitted and required uses and disclosures of PHI by the BA.
· Provide that the BA will not use or further disclose PHI other than as permitted or required by the BAA or as required by law.
· Require the BA to implement appropriate safeguards to prevent the unauthorized use or disclosure of the information, including implementing the requirements of the HIPAA Security Rule with respect to electronic PHI.
· Require the BA to report to the CE any use or disclosure of the information not provided for by its contract, including incidents that are breaches of unsecured PHI.
· Require the BA to disclose PHI as specified in its BAA to satisfy the CE’s obligations with respect to individuals’ requests for copies of their PHI, and to make PHI available for amendment (incorporating any amendments, if required) and for accountings of disclosures.
· To the extent the BA is to carry out a CE’s obligation under the Privacy Rule, require the BA to comply with the requirements applicable to that obligation.
· Require the BA to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of, the CE for purposes of HHS determining the CE’s compliance with the HIPAA Privacy Rule.
· At termination of the contract, if feasible, require the BA to return or destroy all PHI received from, or created or received by the BA on behalf of, the CE.
· Require the BA to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the BA regarding such information.
· Authorize termination of the contract by the CE if the BA violates a material term of the BAA.
Under the Final Regulations, which had an initial compliance deadline of September 23, 2013 (with a transition period through September 22, 2014 for qualifying BAAs already in place before January 25, 2013), BAAs between BAs and their subcontractors are subject to these same requirements.