Latest print edition American Medical News
 
BUSINESS

Privacy duty extends to business associates

Contract Language. By Steven M. Harris, amednews contributor. May 6, 2002.

My last column addressed HIPAA considerations within the context of managed care contracts. This column will discuss HIPAA compliance requirements for your business associate contracts.

HIPAA requires that you and your practice have a written agreement with vendors who are business associates. A "business associate" is a person or entity who performs a function or activity involving the use or disclosure of protected health information on behalf of your practice. That includes claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.

Business associates who access and use protected health information may include: technology vendors, third-party plan administrators, billing companies, collection agencies, lawyers and accountants.

A business associate does not include a member of the work force such as employees, volunteers, trainees, and other persons whose conduct in the performance of work for your practice is under your direct control, whether or not they are paid.

You may not disclose protected information to a business associate without satisfactory assurance that it will be appropriately safeguarded.

Pursuant to the HIPAA regulations, you must enter into a written contract with each of your business associates, and the contract must extend your privacy obligations to the business associate.

The written agreement must:

  • Establish the permitted and required uses and disclosures of health information that the business associate may make.
[...]
Full text of American Medical News content is available to AMA members and paid subscribers.

Copyright 2002 American Medical Association. All rights reserved.