§ 164.504 Uses and disclosures: Organizational requirements
Introductory Comment: The actual text of this section runs for several pages. The most critical sub-section with respect to a provider is: (e) Standard: Business associate contracts. Of particular interest is (e)(1) and (e)(2) because these subparts deal with the obligations of the Covered Entity and what must, and/or may, be contained in the contract between the Covered Entity and the Business Associate.
(e) Standard: Business associate contracts.
(1) The contract between the Covered Entity and Business Associate must meet the other requirements of this standard. Also, if the Covered Entity becomes aware of a material breach or violation of the contract, then the Covered Entity is required to take steps to cure the breach or end the violation. If the latter is unsuccessful, the Covered Entity must terminate the contract, or, if termination is not feasible, report the problem to HHS. If the Covered Entity does not take the necessary affirmative steps, then it is not in compliance with the Privacy Rule.
HIPAA Survival Guide Note
In short, a Covered Entity cannot ignore the activities of its business associates simply because a contract exists between the parties. Given the Internet and its ability to inform, it is plausible to infer that the "awareness" requirement might be construed broadly.
(2) Implementation specifications: Business associate contracts. A contract between a Covered Entity and Business Associate must contain these required elements.
HIPAA Survival Guide Note
Note: To understand the detailed requirements of elements mandatory in a Business Associate contract, you will need to refer to the specifications under (2). The required elements mandate specific contract language. Providers are encouraged to seek advice of counsel regarding business associate contracts.
Commentary Regarding Business Associate Contracts:
The bottom line is that if you are doing business with a Business Associate you must have a contract. Furthermore, that contract must contain language that meets the requirements of this standard. One critical question is who qualifies as a Business Associate (refer back to the definition in §160). The definition is broad and includes many potential "partners" with whom a CE, as part of its operations, has a business need to share individually identifiable health information.
Whether or not you have the necessary Business Associate contracts in place is clearly an HHS auditable point. Each practice should have, at a minimum, a standard Business Associate contract executed by all its business associates. You certainly will not be able to make a compelling argument regarding "good faith" compliance if you are utilizing Business Associate services without a contract.
For example, a provider's use of an Internet hosted practice management/EHR application clearly implies the need for a Business Associate contract. Furthermore, even a non-hosted application may require a Business Associate contract if the vendor is given access to the system in order to provide technical support. In short, the increased use of technology on the part of providers mandates that additional attention be paid to business associate relationships.
Again, our recommendation is that you seek advice of counsel regarding Business Associate contract issues. The HITECH Act's requirements regarding business associates provide yet another reason for doing so.