HIPAA covered entities routinely engage third parties that create, receive, maintain or transmit protected health information (PHI) on their behalf, for example hosting providers, claims processors and managed security services. Business associate agreements (BAAs) formalize these relationships and, importantly, spell out the HIPAA-related obligations and risks that the business associate (BA) takes on. Since the 2013 Omnibus Rule, BAs are also directly liable for complying with the Security Rule and with the applicable parts of the Privacy Rule, so the BAA is a floor for the relationship, not the only source of the BA's obligations.
The written contract between the covered entity and the business associate must meet the following requirements (45 CFR 164.504(e)):
- State the permitted and required uses and disclosure of PHI by the BA.
- Assure that the BA will not use or share information other than as required or permitted by the contract or by law.
- Require the BA to implement appropriate safeguards to prevent any use or disclosure of PHI not permitted by the contract, including implementing the HIPAA Security Rule's administrative, physical and technical safeguards for electronic PHI (ePHI). In practice this is where the covered entity should ask for evidence (risk analysis, access controls, encryption, audit logging) rather than a bare promise.
- Require the BA to report to the covered entity any use or disclosure of PHI not provided for by the contract, including security incidents and breaches of unsecured PHI as defined in the Breach Notification Rule. A well-drafted BAA fixes a reporting deadline so the covered entity can meet its own notification clock.
- Require the BA to disclose PHI as specified in the contract so the covered entity can meet its obligations to give individuals a copy of their PHI, to make PHI available for amendment (and incorporate any amendments), and to provide an accounting of disclosures.
- To the extent the BA carries out any of the covered entity's obligations under the Privacy Rule, require the BA to comply with the Privacy Rule requirements that apply to that obligation.
- Require the BA to make its internal practices, books and records relating to the use and disclosure of PHI available to the Department of Health and Human Services (HHS) for the purpose of determining the covered entity's compliance with the Privacy Rule.
- At termination of the contract, require the BA to return or destroy all PHI received from, or created or received on behalf of, the covered entity, if feasible. Where return or destruction is not feasible, the BA must extend the contract's protections to the retained PHI and limit further uses and disclosures to the purposes that make return or destruction infeasible.
- Require the BA to ensure that any subcontractor that creates, receives, maintains or transmits PHI on the BA's behalf agrees in writing to the same restrictions and conditions that apply to the BA with respect to that PHI.
- Authorize termination of the contract by the covered entity if the BA violates a material term of the contract.