Requirements for a Business Associate Agreement

With the creation of the Health Insurance Portability and Accountability Act, or HIPAA, the health care industry experienced changes in the way normal business transactions occurred. With new business rules to secure Protected Health Information, or PHI, health care administrators added a new type of contract with outside entities. That new contract is called a business associate agreement. The requirements of business associate agreements are specific to the needs of health care administrators and their legal duty to comply with HIPAA.
    Contract Parties

    • The covered entity is the health care organization seeking protection under the privacy rule. This could be a hospital, home health agency or nursing home. The business associate is the entity seeking access to the covered entity's PHI. Business associates include consultants, billers or any other group that accesses PHI as a part of the service provided. The beginning of the contract defines this relationship, which is referred to throughout the business associate agreement.

    Federal Regulation

    • Any business associate agreement must clearly define the law that governs the need for an agreement of this kind. The Standards for Privacy of Individually Identifiable Health Information is the title of the code governing business associate agreements. It is found in the federal register as 45 CFR Part 160 and Part 164, Subparts A and E. If the agreement does not outline the regulation clearly, the business associate may have legal standing to argue intent.

    Covered PHI

    • All business associate agreements must detail the specifics of PHI. This means listing the policies and procedures and any other written materials and practices of the covered entity as protected under this contract. The business associate agreement must provide examples of possible infractions or violations of protected health information. For example, if a hospital selects an outside vendor to apply diagnostic codes to patient records, the outside company, or business associate, is notified that any employees of the business associate not involved with the hospital's coding should not have access to the hospital's patient information.

    Agreement Terms

    • The business associate agreement should state when the business associate will access PHI, how long these records are kept and whether the business associate is able to access PHI outside the presence of the covered entity. Some information is so highly confidential that terms are outlined to the letter. The terms also cover when the agreement ends and what happens with any PHI in the possession of the business associate at the time of the termination.

    Attorney Review

    • Business associate agreements are designed to secure PHI and any terms associated with PHI. Any contractual information outside of PHI should be reviewed by a licensed attorney. As a final check, business associate agreements also should be reviewed by an attorney for any amendments to the original form.
