Goal: Obtain satisfactory assurances from an associate that he will safeguard ePHI that he/she creates, receives, maintains or transmits.
- Business Associates (BAs) are required to obtain "satisfactory assurances" from their subcontractors.
- Agreements between BAs and their subcontractors must follow the requirements of Section 164.314.
- All Business Associate Subcontractors must report security incidents, including breaches, to its respective BA (see 164.308(b)(3)).
The purpose of this policy is to describe the procedures used to establish agreements that should exist between the organization and its various business associates that create, receive, maintain, or transmit ePHI on its behalf.
Procedure: All contracts that contain the transfer of protected information will include as a minimum the following Business Associate contract terms as stated in the privacy regulations as required by the Health Insurance Portability and Accountability Act.
- Require that the Business Associate comply with privacy standards as defined by the Health Care Financing Administration and/or federal statue (implementing Sections 261- 264 of the Health Insurance Portability and Accountability Act of 1996) (the “Privacy Rules”).
- State that the terms “Business Associate”, “Use”, “Disclosure” and Protected Health Information” have the meanings stated in the Privacy Rules.
- Require that the Business Associate will:
- Not use or further disclose ePHI other than as permitted or required by the contract.
- Not use or further disclose ePHI in a manner that would violate the requirements of the Privacy Rules.
- Use appropriate safeguards to prevent use of disclosure of ePHI other than as provided for by the terms of the contract.
- Report any use or disclosure of the information not provided for by the contract of which it becomes aware.
- Ensure that any subcontractors or agents to whom the Business Associate provides ePHI agree to the same restrictions and conditions that apply to the Business Associate with respect to such information.
- Make the Business Associate’s internal practices, books, and records relating to the use and disclosure of Protected Health Information available for purposes of determining compliance with privacy regulations.
- After termination of the contract, return or destroy all Protected Health Information that the Business Associate still maintains in any form and retain no copies of such information.
- Incorporate any amendments or corrections to Protected Health Information when notified by Security or Privacy Officer in accordance with the Privacy Rules.
- Include in the Business Associate agreement language stating that:
- Contract may be terminated if a determination is made that the Business Associate has violated a material term of the contract required by the Privacy Rules.
- Business Associate shall indemnify Covered Entity from any loss resulting from an improper use or disclosure of Protected Health Information by the Business Associate.
- In the event of a Business Associate’s breach, Business Associate shall retrieve improperly disclosed information and adopt new practices to assure Protected Health Information is appropriately handled.
- Business Associate shall submit reports, as needed, to demonstrate compliance with HIPAA policies and procedures.
