HITECH Business Associate Rule Tool Section 5: Compliance as a Business Associate
Business Associates are directly responsible under the regulations for:
- Implementing Business Associate Contracts with any downstream Business Associates;
- Compliance with the Security Rule;
- Using and disclosing PHI only as permitted by their Business Associate Contract;
- Compliance with the Minimum Necessary rule;
- Notifying their upstream Business Associate or Covered Entity (as applicable) in case of a security breach;
- Providing access to a copy of the electronic PHI in their possession to either the Covered Entity, the individual, or the individual’s designee, as specified in their Business Associate Contract;
- Providing access to their records, including PHI, to DHHS for purposes of investigation of the Business Associate’s compliance with its regulatory obligations; and
- Providing the information needed for an accounting of disclosures.
Compliance with these regulatory requirements will be mandatory as of September 23, 2013.
Business Associates will be responsible under their Business Associate Contracts for:
- Implementing Business Associate Contracts with any downstream Business Associates;
- Compliance with the Security Rule;
- Reporting security incidents and breaches to their upstream Business Associate or Covered Entity, as applicable;
- Using and disclosing PHI only as permitted by their Business Associate Contract;
- Providing access to a copy of the PHI in their possession to either the Covered Entity, the individual, or the individual’s designee, as provided in the Business Associate Contract;
- Amending the PHI in their possession in accordance with the Business Associate Contract;
- Providing access to their records, including PHI, to DHHS for purposes of investigation of the upstream Business Associate’s or Covered Entity’s compliance with its regulatory obligations (as applicable; and
- Providing the information needed for an accounting of disclosures.
These Business Associate Contracts overlap and are in many cases redundant to Business Associate direct regulatory obligations, but not entirely. Business Associate Contract provisions should not be inconsistent with the regulatory provisions they overlap.
First Tier Business Associates should already be subject to Business Associate Contracts which meet pre-HITECH HIPAA requirements. Such Business Associate Contracts must be amended to be HITECH-compliant as provided in Determining the HITECH-Compliant Business Associate Contract Date.
Lower Tier Business Associates will be required to be subject to HITECH-Compliant Business Associate Contracts as of September 13, 2013..
© 2013 John R. Christiansen