Overview:
(i) The contract between a covered entity and a business associate must provide that the business associate will do the following:
(A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart;
(B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;
(C) Report to the covered entity any security incident of which it becomes aware;
(D) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
(ii) Other arrangements
(A) When a covered entity and its business associate are both governmental entities, the covered entity is in compliance with paragraph (a)(1) of this section, if any of the following are met:
(1) It enters into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (a)(2)(i) of this section; or
(2) Other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (a)(2)(i) of this section.
(B) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate as specified in § 160.103 of this subchapter to a covered entity, the covered entity may permit the business associate to create, receive, maintain, or transmit electronic protected health information on its behalf to the extent necessary to comply with the legal mandate without meeting the requirements of paragraph (a)(2)(i) of this section, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (a)(2)(ii)(A) of this section, and documents the attempt and the reasons that these assurances cannot be obtained.
(C) The covered entity may omit from its other arrangements authorization of the termination of the contract by the covered entity, as required by paragraph (a)(2)(i)(D) of this section if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.
(iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.
Action Items:
1) Obtain and review business associate contracts. Evaluate and determine if the business associate contracts provide that the entity's business associates shall implement appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to ePHI to prevent the use or disclosure of PHI other than as provided for by the business associate contract.
2) Obtain and review business associate contracts. Evaluate and determine if the business associate contracts require that the business associate's subcontractors comply with the applicable parts of Subpart C of 45 CFR Part 164 by entering into a business associate contract or other arrangement that complies with 45 CFR § 164.314(a).
3) Obtain and review business associate contracts. Evaluate and determine if the business associate contracts require that business associates report any security incident of which they become aware, including breaches of unsecured PHI, as required by 45 CFR § 164.410.
4) Obtain and review documentation demonstrating that the entity's business associates have reported security incidents of which they were aware, including breaches of unsecured PHI, as required by 45 CFR § 164.410.
5) Obtain and review documentation of the entity's other arrangements with business associates. Evaluate and determine if the other arrangements meet the requirements of 45 CFR § 164.504(e)(3).
6) Obtain and review business associate contracts entered into with subcontractors. Evaluate and determine if the business associate contracts require that the requirements of 45 CFR § 164.314(a)(2)(i)-(ii) would apply to the business associate and its subcontractor in the same manner as such requirements apply to a covered entity and its business associates.
Related Documents:
1) Business associate contracts
2) Documentation demonstrating that the entity's business associates have reported security incidents of which they were aware, including breaches of unsecured PHI, as required by 45 CFR § 164.410.
3) Documentation of the entity's other arrangements with business associates.
4) Documentation of business associate contracts entered into with subcontractors.
Additional Guidance:
Covered entities may already have business associate contracts in place in order to comply with the Privacy Rule. If the business associate creates, receives, maintains, or transmits ePHI, these existing contracts should be reviewed and modified in order to meet the Security Rule's business associate contract requirements. Alternatively, covered entities could have two separate contracts that address the requirements of the Privacy Rule and the Security Rule respectively.
Article ID: 488
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/hipaa-business-associate-contracts-164-314-a-2-488.html