Ask CCRM: Business Associate Agreements
August 27, 2014 | Aging Services Risk, Quality, & Safety Guidance
The HIPAA privacy rule requires a written business associate agreement between a covered entity and a business associate that contains "satisfactory assurances" that the business associate will use and disclose protected health information (PHI) provided by the covered entity only as permitted under the terms of the agreement and in a manner that would not violate the HIPAA privacy and security rules if done by a covered entity (45 CFR § 164.504(e)). A covered entity is not required to obtain "satisfactory assurances" from a subcontractor or enter into a business associate agreement with a subcontractor; rather, business associates must obtain satisfactory assurances from their subcontractors or enter into business associate agreements with them.
The HIPAA omnibus rule dictates the privacy and security provisions that must be included in business associate agreements. To help covered entities and business associates implement the new business associate agreement requirements, the U.S. Department of Health and Human Services (HHS) has published an updated sample business associate agreement that includes new regulatory provisions. However, HHS does not require use of its sample...