Model Business Associate Agreement Provisions Reflect Final HIPAA Regulations | Practical Law


The Department of Health and Human Services (HHS) has issued model business associate agreement provisions reflecting final privacy, security, breach notification and enforcement rules under the Health Insurance Portability and Accountability Act (HIPAA).


Practical Law Legal Update 6-523-8089 (Approx. 4 pages)


by PLC Employee Benefits & Executive Compensation
Published on 29 Jan 2013 | USA (National/Federal)
On January 25, 2013, HHS issued model business associate agreement provisions to assist covered entities (which include health plans) and business associates in complying with HIPAA's business associate contract requirements. The model provisions address requirements under HIPAA's privacy, security, breach notification and enforcement rules, which HHS recently finalized (see Legal Update, Final HIPAA Regulations Change Breach Notification Rules). For more information, see HIPAA Privacy, Security, and Breach Notification Toolkit. The model provisions:
  • Are intended to offer sample language and are not required for compliance with HIPAA.
  • Can also be adapted for agreements between business associates and subcontractors.
  • May not be adequate alone to result in a binding contract under state law.
Several terms used in the model business associate provisions (for example, "minimum necessary" and "subcontractor") are defined by cross-reference to definitions under the HIPAA final regulations.

Business Associate Requirements and Activities

The model agreement reflects various obligations to be performed by business associates under a business associate agreement, for example:
  • Using appropriate safeguards for electronic protected health information (PHI), as required by HIPAA's security rule, to prevent uses or disclosures not permitted by the agreement.
  • Ensuring that subcontractors that create, receive, maintain or transmit PHI on a business associate's behalf agree to the same restrictions and conditions regarding the PHI as apply to the business associate.
  • Maintaining and making available information required to provide an accounting of disclosures.
  • Reporting to the covered entity any use or disclosure of PHI not permitted by the business associate agreement, including security incidents and breaches of unsecured PHI.
Regarding a business associate's breach notification duties, HHS notes that greater specificity may be included in the business associate agreement, including:
  • Stricter requirements governing a business associate's reporting of potential breaches to the covered entity.
  • Whether the business associate will provide breach notifications on the covered entity's behalf to individuals, HHS and, potentially, the media.

Permitted Uses and Disclosures by Business Associates

The model agreement lists the situations in which a business associate can use or disclose PHI. For example, the uses or disclosures can be those necessary for the business associate to perform its duties under a services agreement.

Other Agreement Provisions

The model agreement also addresses other provisions, including:
  • Situations in which covered entities must inform business associates of changes in, or revocations of, an individual's permission to use or disclose the individual's PHI.
  • When a covered entity must inform a business associate of limits in the covered entity's notice of privacy practices affecting the business associate's use or disclosure of PHI.

Practical Impact

Although the model business associate provisions offer a useful starting point for defining the covered entity/business associate relationship, many of the provisions may require tailoring to reflect the parties' particular business arrangement (or the business associate/subcontractor relationship, if the agreement is used for this purpose).
Regarding the provision on accounting for certain disclosures of PHI to carry out treatment, payment and health care operations, note that although HHS issued proposed regulations on that topic in May 2011, those regulations were not finalized as part of the final HIPAA omnibus regulations. As a result, business associate agreements may need further amendment once the accounting-for-disclosures regulations are finalized.