§ 164.504 Uses and disclosures: Organizational requirements
Introductory Comment: The actual text of this section runs for several pages. The most critical sub-section with respect to a provider is (e) Standard: Business associate contracts (aka Business Associate Agreements). Of particular interest are (e)(1) and (e)(2), because these subparts deal with the obligations of the Covered Entity and with what must, or may, be contained in the contract between the Covered Entity and the Business Associate.
(e) Standard: Business associate contracts.
(1) The contract between the Covered Entity and Business Associate must meet the other requirements of this standard. Also, if the Covered Entity becomes aware of a material breach or violation of the contract, then the Covered Entity is required to take steps to cure the breach or end the violation. If those steps are unsuccessful, the Covered Entity must terminate the contract or, if termination is not feasible, report the problem to HHS. If the Covered Entity does not take the necessary affirmative steps, then it is not in compliance with the HIPAA Privacy Rule.
HIPAA Survival Guide Note
In short, a Covered Entity cannot ignore the activities of its business associates simply because a Business Associate Agreement exists between the parties. Given the Internet and its ability to inform, it is plausible to infer that the "awareness" requirement might be construed broadly.
(2) Implementation specifications: Business associate contracts. A contract between a Covered Entity and Business Associate must contain these required elements.
HIPAA Survival Guide Note
Note: To understand the detailed requirements for the mandatory elements of a Business Associate Agreement, you will need to refer to the specifications under (2). The required elements mandate specific contract language. Providers are encouraged to seek the advice of counsel regarding business associate agreements.
Commentary Regarding Business Associate Agreements:
The bottom line is that if you are doing business with a Business Associate, you must have a Business Associate Agreement (contract). Furthermore, the Business Associate Agreement must contain language that meets the requirements of this standard. One critical question is who qualifies as a Business Associate (refer back to the Business Associate definition in §160.103). The definition is broad and includes many potential "partners" with whom a Covered Entity, as part of its operations, has a business need to share individually identifiable health information.
Whether or not you have the necessary Business Associate Agreements in place is clearly an HHS-auditable point. Each practice should have, at a minimum, a standard Business Associate Agreement executed by all its business associates. You certainly will not be able to make a compelling argument regarding "good faith" compliance if you are utilizing Business Associate services without an agreement.
For example, a provider's use of an Internet-hosted practice management/EHR application clearly implies the need for a Business Associate Agreement. Furthermore, even a non-hosted application may require a Business Associate Agreement if the software vendor is given access to the system in order to provide technical support. In short, the increased use of technology on the part of providers mandates that additional attention be paid to business associate relationships.
Again, our recommendation is that you seek the advice of counsel regarding Business Associate Agreement issues. The HITECH Act's requirements regarding business associates provide yet another reason for doing so.