Do you know your business associates? As the April 14 privacy standards compliance deadline approaches, covered entities should make sure their business associate contracts reflect HIPAA's requirements

Healthcare Financial Management, Jan, 2003 by Gerald M. Hinkley, Rachel Glitz, W. Reece Hirsch

Because many healthcare organizations will need to modify a large number of contracts, early action will help covered entities satisfy the requirements by that date. Although covered entities are not required to police their business associates, they must be prepared to respond to a business associate's breaches under the contract and try to mitigate any resulting harms.

Meeting deadlines. The required business associate provisions should be included in new contracts, particularly those that run through April 14, 2003. If a covered entity enters into a business associate contract addendum today, the addendum probably should not become effective until the privacy standards compliance date. Many business associates will object if a covered entity seeks to require compliance with potentially burdensome business associate requirements before compliance is required, such as the ability to track uses and disclosures of PHI as required by the HIPAA patient rights provisions.

In some instances, a covered entity may need to renew or enter into a contract with a business associate immediately without finalizing the provisions of the business associate addendum. In such instances, the parties could include a provision that does not bind the business associate to HIPAA requirements, but does bind both parties to negotiate a HIPAA business associate addendum satisfactory to the covered entity prior to the privacy standard compliance date. Such a provision must include an option to terminate in the event that the business associate fails to promptly enter into negotiations or ultimately sign the business associate contract addendum requested by the covered entity This approach is not recommended because it simply defers the inevitable negotiation of the terms of the business associate addendum, but in some situations it may be necessary.

Record-keeping. HIPAA gives patients the right to receive an accounting of the disclosures that a covered entity has made for the past six years. Certain disclosures do not need to be reported to the patient, such as disclosures for treatment. However, disclosures to business associates must be included in every requested accounting, which must state the date of the disclosure, identify the recipient and the recipient's location, briefly describe the PHI disclosed, and briefly state the purpose of the disclosure. Accordingly, a covered entity must ensure that it has a system in place to monitor its disclosures to business associates.

Oversight. Even if their business associate contracts comply with all of the requirements of the privacy standards, covered entities cannot rely on the contract provisions alone to shield them from government sanctions or criminal penalties. Adequate performance of the contract is essential, and covered entities cannot ignore a business associate's failure to comply with the HIPAA requirements. While ensuring that a business associate has taken appropriate safeguards to prevent unauthorized use or disclosure of PHI does not require active monitoring, a covered entity cannot entirely disclaim responsibility for the actions of its business associates. HIPAA specifies that a covered entity must mitigate, to the extent practicable, any harmful effects that are known to the covered entity when such harm arises from a disclosure of PHI in violation of the covered entity's policies and procedures or HIPAA. This requirement applies whether the unauthorized use or disclosure is by the covered entity or its business as sociate.