Under the Privacy Rule, any covered entity that accesses patient health and personal information must obtain written assurances from its business associates that each business associate will take appropriate steps to safeguard the protected health information it receives on behalf of the covered entity. These assurances must take the form of a written contract or other agreement between the covered entity and the business associate.
A “Business Associate” is an entity or person that, on behalf of a covered entity, performs activities or functions involving the use or disclosure of protected patient health or personal information, or that provides services to the covered entity. An entity such as a health plan, a provider, a technology vendor, or a health care clearinghouse can itself be a business associate of another covered entity. The functions or activities that make an entity or person a business associate include health care operations and payment, as well as other activities regulated under the Administrative Simplification Rules. A member of a covered entity's own workforce is not a business associate. The Privacy Rule lists specific functions, activities, and services that make an entity or person a business associate when the service or activity involves the disclosure of protected health information.
“Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.”
A BAA (business associate agreement) is the written arrangement between the covered entity and its business associate and must contain the specific elements defined in 45 CFR 164.504(e). These required elements include a description of the business associate's permitted uses of protected patient health information, and a statement that the business associate will not use or disclose the protected patient health or personal information for any purpose other than what the contract permits or requires, or what the law requires. The contract must also state that the business associate will use appropriate safeguards to prevent any use or disclosure of protected health information beyond what the contract specifies. The full list of required BAA provisions is detailed, but it must also include the following: when a covered entity becomes aware of a material breach or violation by the business associate, the covered entity must take reasonable steps to cure the breach or end the violation; if those steps are unsuccessful, the contract or arrangement will be terminated and the covered entity must report the problem to the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS).