You cannot know with certainty what happens to your patients' PHI after you hand it off to a business associate. However, the business associate agreement (BAA) is the right tool to define and limit how business associates (BAs) are allowed to use and disclose that information.
Use the following list to add or amend the language in your BAAs so that they better reflect your policies on outsourced or offshored PHI. By establishing exact parameters for the use of your patients' health information, you may avoid a costly HIPAA privacy breach.
A contract between the covered entity and a business associate must:
(i) Establish the permitted and required uses and disclosures of such information by the business associate.
(ii) Provide that the business associate will:
(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;
(B) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
(C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;
(D) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information;
(E) Make available protected health information for access by the individual in accordance with the privacy rule;
(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with the privacy rule;
(G) Make available the information required to provide an accounting of disclosures in accordance with the privacy rule;
(H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available for purposes of determining the covered entity's compliance with the privacy rule; and
(I) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
(iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
Reprinted from The Medical Privacy Rule -- A Guide for Employers & Health Care Providers with permission from William Hubbartt, president of Hubbartt & Associates in St. Charles, IL. For more information, go to www.medicalprivacy.com.