The HHS Office for Civil Rights in 2013 issued extensive guidance on handling business associate contracts under the HIPAA privacy and security rules. LockPath, vendor of a software platform to manage corporate governance, risk management and regulatory compliance, has distilled the guidance down to 10 bullet points and four additional tips:

1. Determine when and how the BA is allowed to use or disclose PHI.

2. Require that the BA will not use or disclose PHI other than what has been permitted by the contract or required by law.

3. Establish what safeguards will be put in place to prevent unauthorized PHI disclosure. This includes implementing HIPAA requirements surrounding electronic PHI.

4. Require the BA to report any use or disclosure of PHI not covered by the contract to the covered entity, including incidents or breaches of unsecured PHI.

5. Ensure the BA will disclose PHI as specified in the contract to satisfy a covered entity's obligation with respect to individuals' requests for copies of their PHI. PHI should be available for amendments as well.

6. To the extent the BA is to carry out a covered entity's obligation under HIPAA, require the BA to comply with the requirement relevant to the obligation.

7. Ensure internal practices, books and records relating to the use and disclosure of PHI by the BA will be made available to HHS to determine the covered entity's HIPAA compliance.

8. Require the BA to return or destroy all PHI received from, or created or received by the BA on the covered entity's behalf, upon termination of the contract.

9. Require BAs to enter agreements with their subcontractors that may have access to PHI.

10. Allow the covered entity to terminate the contract if the BA violates a material term of the contract.

Other tips include: Keep all agreements in a centralized location that can be accessed anytime, know when agreements expire, continually monitor BA compliance by issue assessments and include BAs in your risk analyses.

The complete HHS/OCR guidance is available here. More information on LockPath is here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access