Business Associates

Everyday we work with individuals/entities outside the Loma Linda University Health (LLUH) Organized Health Care Arrangement (OHCA) who perform work on our behalf. If individuals/entities are not considered a member of our workforce and they perform activities involving the use or disclosure of individually identifiable health information on our behalf (e.g., for payment and health care operations), then they are our business associates. Other covered entities may also be considered business associates. We can release individually identifiable health information to our business associates only if we obtain satisfactory assurance that they will appropriately safeguard the information. We document satisfactory assurance through a written contract or other written agreement that meets the requirements of the Privacy Rule.

A business associate, other than in the capacity of a member of the workforce, may provide to or for the OHCA services such as legal, actuarial, accounting, consulting, management, administrative, accreditation (e.g., TJC), or financial services. Business associate agreements do not apply to a health care provider concerning the treatment of an individual.

To determine if a particular individual or entity is considered a "business associate" refer to the tool Contract / Business Associate Agreement (BAA) Review.

Business Associate Contract Specifications

A contract between the covered entity and a business associate must establish the permitted and required uses and disclosures of such information by the business associate.

The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:

• The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate.
• The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.

Provided that the business associate will:

• Not use or further disclose the information other than as permitted or required by the contract or as required by law;
• Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
• Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;
• Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information;
• Make available PHI to patients upon request;
• Make available PHI for amendment and incorporate any amendments to PHI;
• Make available the information required to provide an accounting of disclosures
• Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance;
• At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and
• Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

Previous | TOC | Next