Under HIPAA, a valid business associate contract must include the following privacy requirements:
(a) It must generally describe the types of uses and disclosures of protected health information that may be made by the business associate.
(b) It must allow the healthcare organization to terminate the contract if the business associate violates a material term of the contract's privacy requirements.
(c) It must require that the business associate will:
- Not use or further disclor required by the contract or as required by law;
- Use appropriate safeguarinformation other than as provided for by the contract;
- Report to the healthcareinformation not providedaware;
- Require its agents and sagree to the same restrictions and conditions that apply to the business associate with respect to such information;
- Make the information avapatient, upon request by the healthcare organization;
- Make the informaamendments, upon request by the healthcare organization;
- Make the information avawith an accounting of diorganization;
- Make its internal practiand disclosure of protecSecretary of thesary to determine the covered entity's compliance with HIPAA; and
- At termination of the contract, if feasible, return or destroy all protected health information that the business associate still maintains in any form and retain no copies of such information.
Copyright © 2001 Thomson Financial. All Rights Reserved.