Health care components may disclose PHI to business associates and allow business associates to create or receive PHI to perform covered functions for them or on their behalf provided that the health care component obtains and documents reasonable assurances that the business associates will appropriately safeguard the PHI. The reasonable assurance must be documented in the form of a business associate agreement, including business associate provisions in the service contract or in a business associate addendum to an existing service contract.
Other arrangements are allowed in limited circumstances where the business associate is a governmental entity, the business associate is required by law to perform the business associate function on behalf of the covered entity, or there are statutory obligations to continue a business associate function despite violations of the agreement. Questions about whether a service fits one of these narrow provisions for alternative arrangements and the requirements for the alternative arrangements should be directed to the Privacy Officer.
In situations where the University is a business associate of another covered entity, the University unit receiving the information must comply with all provisions of the business associate agreement.
IDENTIFICATION AND TRACKING
Business Associates of health care components should be identified using the current version of the HIPAA Business Associate Identification Survey. All identified business associates should be reported to the Privacy Coordinator of the appropriate health care component for tracking.
HANDLING BREACHES BY BUSINESS ASSOCIATES
If the health care component knows of a pattern of activity or practice of a business associate that constitutes a material breach or violation of the obligations in the business associate agreement, the health care component must take reasonable steps to cure the breach or end the violation.
If the steps taken to cure the breach or end the violation are not successful, the contract with the business associate should be terminated. If termination is not feasible, the breach must be reported to the Privacy Officer so that the breach or violation may be reported to the Secretary.
BUSINESS ASSOCIATE AGREEMENT REQUIREMENTS
Business associate agreements must meet the following requirements:
- Establish the permitted and required uses and disclosures of PHI by the business associate and may not authorize the business associate to use or further disclose the PHI in a manner that would violate HIPAA if done by the health care component;
- Provide that the business associate:
  - will not use or further disclose the information other than as permitted in the contract or required by law;
  - will use appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of the information and reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information (ePHI);
  - will report to the health care component any use or disclosure of the information not provided for in the contract, and will report any security incident of which it becomes aware to the University Privacy & Security Office at 612.624.7447 or privacy@umn.edu. For purposes of this agreement, a security "incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations. This does not include trivial incidents that occur on a daily basis, such as scans, "pings", or unsuccessful attempts to penetrate computer networks or servers maintained by business associates;
  - ensure that any subcontractors or agents to whom it provides PHI agree to the same restrictions and conditions;
  - make PHI available to the health care component as necessary to comply with requests for access by the individual;
  - make PHI available to the health care component as necessary to comply with requests for amendment by the individual and incorporate amendments that have been agreed to by the health care component;
  - make information available to the health care component as necessary to provide an accounting of disclosures to the individual;
  - make available to the Secretary its internal practices, books, and records relating to the use and disclosure of PHI received from, or created on behalf of, the health care component;
  - at termination of the contract, return or destroy, if feasible, all PHI received from or created by or on behalf of the health care component that the business associate maintains in any form. The business associate may not keep copies. If it is not feasible to return or destroy all PHI, the business associate must continue to protect the PHI and limit use and disclosure to the reasons that make returning or destroying the information infeasible;
- Authorize the health care component to terminate the service contract and the business associate contract if the business associate materially violates the terms of the business associate contract;
- May permit business associates to use information if necessary for proper management and administration of the business associate or to carry out the legal responsibilities of the business associate. The business associate may only disclose information for these purposes if the disclosure is required by law or the business associate obtains reasonable assurances from the person to whom the information is disclosed that the information will be held confidentially and will not be used or further disclosed except to the extent required by law or for the purpose for which it was disclosed to that person, and the recipient notifies the business associate of any breaches of which it becomes aware;
- May permit the business associate to perform data aggregation services on behalf of the health care component for the purpose of health care operations.
ACCOUNTING FOR BUSINESS ASSOCIATE DISCLOSURES
Health care components must account for disclosures to business associates using the Administrative Procedure: Recording and Providing an Accounting of Disclosures, and must require business associates to keep an accounting of subsequent disclosures of the PHI made by the business associate to the extent such disclosures are subject to the accounting requirement.