Under the HIPAA Omnibus rule, heath care providers have to be more careful than ever with how they handle protected information. This includes carefully managing any protected information that business associates might handle.
According to the U.S. Department of Health and Human Services, a business associate is:
“a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.”
Almost all heath care providers interact with business associates on some level. For example, any cloud service used by a heath care provider to store sensitive information, like Office 365, becomes a business associate.
In order to define the relationship between a covered entity like a health care provider and a business associate, the updated HIPAA Rules require in most cases covered entities and business associated with enter into a contract. This contract endures that the business associate takes appropriate action to safeguard protected health information.
There are 10 main things that this written contract must accomplish:
- Establish permitted and required uses and disclosures of protected heath information.
- Ensure that the business associate will not use or disclose information other than as required by contract or law.
- Require appropriate safeguards to protect information, including implementing requirements of the HIPAA security rule.
- Require any use or disclosure of the information outside of the terms of the contract be reported to the covered entity.
- Require appropriate disclosure of information to individuals requesting to see or amend their information.
- Require compliance with the privacy rule, to the extent which it applies.
- Require transparency of internal practices, and any information disclosures, with HHS.
- Require return or destruction of any protected information at the end of the contract.
- Require any subcontractors to agree to the same restrictions as the business associate.
- Authorize termination of the contract of the business associate violates the terms of the contract.
To help small providers meet this contract requirement, the HHS issued a Sample Business Associate Agreement.
EMRSoap provides HIPAA compliance for small to medium size practices and can help you better establish a compliance strategy for business associates. To learn more about becoming HIPAA compliant, go to our HIPAA primer for small providers, or contact us today.