business associate (HIPAA)
HIPAA defines a business associate as an individual or corporate "person" that:
- is not a member of the covered entity's workforce.

The definition of "function or activity" is all-encompassing: legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, financial services and anything else for which a covered entity might contract out are included, if access to PHI is involved.
Business associate requirements do not apply to disclosures by a covered entity to a health care provider for treatment purposes -- for example, PHI exchanged between a hospital and physicians with admitting privileges. However, a covered entity may be a business associate of another covered entity for non-treatment functions and activities, and will be bound by the contractual assurances it gave as part of that relationship.
The business associate requirements also do not apply to:
- disclosures to the plan sponsor by a group health plan, or a health insurance issuer or HMO with respect to a group health plan (if other requirements are met); nor to
- the collection and sharing of PHI by a health plan that is a public benefits program and an agency other than the agency administering the health plan, in order to determine eligibility or enrollment.
A covered entity may disclose protected health information to a business associate, and may allow a business associate to create or receive PHI on its behalf, only if the covered entity executes a satisfactory contract or other written agreement (such as a memorandum of understanding) that details permitted activities.
Such agreements must also provide that the business associate will:
- not use or further disclose the PHI other than as permitted by the contract or as required by law;
- report to the covered entity any unauthorized use or disclosure of which it becomes aware;
- ensure that any agents, including subcontractors, to whom it provides PHI agree to the same restrictions and conditions that apply to the business associate; and
- on termination of the contract, return or destroy all PHI in its possession, or, where that is not possible, extend the protections of the contract for as long as the information is retained.
Business associates must cooperate with the covered entity to provide access to PHI for the subjects of that information, allow for amendment or correction, and assist in accounting for PHI disclosures.
Business associates must also be prepared to make their internal practices, books, and records relating to the use and disclosure of PHI available to DHHS for purposes of determining compliance.
DHHS has taken the position that covered entities are not liable for the privacy violations of business associates. However, if a covered entity becomes aware of a pattern of activity or practice by a business associate that constitutes a material breach, it must:
- take reasonable steps to remedy the situation;
- if such steps are not successful, terminate the contract or arrangement; or
- if termination is not feasible, report the problem to DHHS.
Notwithstanding these provisions, failure to execute a business associate contract with "satisfactory assurances," or to take these corrective actions when the assurances are not met, could result in liability.
Last modified: 10-May-2005 [RC]