HIPAA Business Associates Agreement

Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The purpose of this law is to protect private individual health information from being disclosed to anyone without the consent of the individual. Except under unusual circumstances, the consent needs to be in writing.

Covered entities are responsible for fulfilling Privacy Rule requirements with respect to individual rights, including the rights of access, amendment, and accounting, as provided for by 45 CFR 164.524, 164.526, and 164.528. Covered entities must ensure that all records, regardless of format, are managed as part of their official records management programs. All records (paper, micrographic, electronic or other must be included as part of a comprehensive records management program. If a third party, is engaged as the records management provider, then the Covered Entity is required to enter into a business associate's agreement with such third-party provider.

The Rule requires covered entities to include specific provisions in agreements with business associates to safeguard protected health information, and addresses how covered entities may share this information with business associates. Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate must make such protected health information available if and when needed by the covered entity to provide an individual with access to the information.