Business associate security contracts (HIPAA)
A covered entity may permit a business associate to "create, receive, maintain or transmit" electronic protected health information (PHI) on its behalf. But it may do so only if there are "satisfactory assurances" that the business associate will appropriately safeguard the PHI. Written contracts or other arrangements documenting such assurances are one of the administrative safeguards required by the Security Rule. (The requirement here replaces the "chain of trust partner agreements" that were proposed in earlier versions.)
The contract (or other arrangement) must provide that the business associate will:
- "implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability" of the electronic PHI that the business associate "creates, receives, maintains, or transmits on behalf of the covered entity";
- "[e]nsure that any agent, including a subcontractor, to whom [the business associate] provides such information agrees to implement reasonable and appropriate safeguards to protect it";
- "report to the covered entity any security incident of which it becomes aware"; and
- authorize termination of the contract (or other arrangement) "if the covered entity determines that the business associate has violated a material [provision]."
When a covered entity and its business associate are both government entities, an "other arrangement" like a memorandum of understanding is sufficient, providing it has the provisions outlined above. The termination provisions may be omitted if that is inconsistent with the statutory obligations of the parties. (In such circumstances, if a business associate is required by law to perform a function, activity or service on behalf of a covered entity that involves PHI, that may continue even in the absence of a contract or other arrangement as necessary to comply with the legal mandate. The covered entity is still obligated to make good faith attempts to obtain "satisfactory assurances" of compliance with the safety provisions that would otherwise obtain in a business associate contract.)
As under the Privacy Rule provisions for business associates, a covered entity that becomes aware of "a pattern of ... activity or practice of the business associate that constitute[s] a material breach or violation" of its contract or other arrangement must:
- take reasonable steps to halt the breach or end the violation;
- if such steps are unsuccessful, terminate the contract or arrangement;
- if termination is not feasible, report the problem to DHHS.
In its interpretations of the Privacy Rule, DHHS has indicated that the covered entity does not have an obligation to engage in microscopic scrutiny of the activities of its business associates. It can make reasonable assumptions about the good faith of those with whom/which it enters into contractual arrangements. Presumably that stance also obtains for the Security Rule.
Note also that the intent is not to impose, by contractual or other arrangements, a requirement for the "same level" of security as obtains at the covered entity. Rather, security must be "reasonable and appropriate" -- those two adjectives, yet again -- at each location and stage of operations. The Rule sees this as a baseline. As with their own internal arrangements, covered entities are free to mandate more stringent levels of security at business partners. "This would be a business decision...." (Final Rule, p.161)
Covered entities are not required to enter into new contractual or other arrangements to meet the Rule's requirements if existing written specifications already fulfill the Rule's minimum standards or can be amended to do so. (Final Rule, p.162)
Last modified: 10-May-2005 [RC]