It may be time for health care providers and their vendor partners to review and refresh their business associate (BA) agreements to ensure compliance with the recent HIPAA omnibus rule and the HITECH Act. According to the U.S. Department of Health and Human Services (HHS), BA agreements must include provisions that:
• Establish the permitted/required uses and disclosures of protected health information (PHI) by the BA
• Provide that the BA will not use or further disclose the information, other than as permitted or required by the contract or by law
• Require the BA to implement appropriate safeguards to prevent unauthorized use or disclosure of PHI, including implementing requirements of HIPAA’s Security Rule with regard to electronic PHI
• Require the BA to report to the covered entity (CE) any use or disclosure of information not provided for by its contract, including incidents that constitute breaches of unsecured PHI
• Require the BA to disclose PHI as specified in its contract to satisfy a CE’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments and accountings
• To the extent the BA is to carry out a CE’s obligation under the Privacy Rule, require the BA to comply with the requirements applicable to the obligation
• Require the BA to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of, the CE for purposes of HHS determining the CE’s compliance with HIPAA’s Privacy Rule
• At termination of the contract, if feasible, require the BA to return or destroy all PHI received from, or created or received by the BA on behalf of, the CE
• Require the BA to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the BA with respect to such information
• Authorize termination of the contract by the CE if the BA violates a material term of the contract
BA agreements must comply with the new rules by Sept. 23, 2013; however, agreements that were already in place as of Jan. 25, 2013 (and are not renewed or amended after that date) are grandfathered and deemed in compliance until Sept. 23, 2014.
HHS has also released a new sample BA agreement that reflects the changes made by the HITECH Act and omnibus rule, available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.