HIPAA Business Associate Agreements

Before you sign, look out for provisions that obligate you beyond the legal requirements

Steven M. Goldstein

You may be familiar with the Health Insurance Portability and Accountability Act (HIPAA), and the privacy regulations issued under that Act. Those privacy regulations took effect on April 14, 2003.

One important regulation requires “covered entities” – health care providers, health plans, and health care clearinghouses – to enter into agreements with their “business associates,” i.e., third-party administrators, legal counsel, accountants, consultants and other plan providers who may have access to protected health information.

If you work with a health care provider, health plan or health care clearinghouse, you may be asked to sign a “Business Associate Agreement.” These agreements take many forms, from a simple paragraph addendum to an existing agreement to a brand-new, lengthy agreement. You should carefully review such a document before you sign it, as it can impose significant responsibilities on you. Here are the main points to consider:

  • Your obligations described in the agreement should be limited only to those required in the federal regulation (see “Required Obligations” below).

  • The provisions requiring you to provide patients with access to records in your possession, as well as the opportunity for patients to amend records in your possession, should apply to you only if the records in your possession are a “Designated Record Set.” (Most business associates will not have records bearing that designation.)

  • If the agreement requires you to mitigate any damages, make sure that requirement is limited “to the extent practicable.”

  • The agreement should allow you to use the protected health information for your own management and administration and to carry out your own legal responsibilities.

  • The agreement should require the return or destruction of information in your possession upon termination of the agreement “only if such return or destruction is feasible.”

  • You are not required to indemnify the other party to the agreement. If the agreement contains an indemnity provision, remove it.

  • You should add a provision to any business associate agreement stating that “no person or entity is to be considered a third-party beneficiary under the agreement, nor shall any third party have any rights as a result of the agreement.” This will limit an individual patient’s ability to use the agreement as a basis to make a claim against you.

  • Avoid unnecessary boilerplate in the agreement. If there are additional provisions that are unnecessary or unusual, do not agree to them.

Required Obligations

According to 45 CFR Section 164.504(e)(2)(ii), a contract between the covered entity and a business associate must provide that the business associate will:

  • not use or further disclose the information other than as permitted or required by the contract or as required by law;

  • use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;

  • report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;

  • ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information;

  • make available protected health information in accordance with §164.524;

  • make available protected health information for amendment and incorporate any amendments to protected health information in accordance with §164.526;

  • make available the information required to provide an accounting of disclosures in accordance with §164.528;

  • make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance with this subpart; and

  • at termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.


© 2000-2012. Sacks Tierney P.A. 4250 N. Drinkwater Blvd., Fourth Floor Scottsdale, AZ 85251 480.425.2600