Under the HITECH Act and HIPAA omnibus rule, business associates of covered entities must comply with most of the privacy and security rules applicable to covered entities.
In order to ensure patient privacy and compliance with the rules, HHS provides the necessary components of a contract between a covered entity and a business associate. According to HHS, the contract must:
1. Establish the permitted and required uses and disclosures of protected health information by the business associate.
2. Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
3. Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of HIPAA with regard to electronic PHI.
4. Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI.
5. Require the business associate to disclose PHI as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their PHI, as well as make available PHI for amendments.
6. To the extent the business associate is to carry out a covered entity's obligation under HIPPA, require the business associate to comply with the requirements applicable to the obligation.
7. Require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity's HIPAA compliance
8. At termination of the contract, if feasible, require the business associate to return or destroy all PHI received from, or created or received by the business associate on behalf of, the covered entity
9. Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the business associate with respect to such information
10. Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.
More Articles on HIPAA:
Newly Discovered Memory Bug Allows Encrypted Data to be Stolen
Healthcare Scores Present Growing Privacy Risks, Study Finds
5 Tips to Reduce Third-Party HIPAA Risk