U.S. Department of Health and Human Services
Health Information Technology and Quality Improvement


What needs to be included in a "business associate" contract?

There are specific requirements mandated by the HIPAA Privacy Rule for business associates entering into contracts with covered entities.  According to the U.S. Department of Health and Human Services, a covered entity's contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e) (Privacy) and 45 CFR 164.314(a)(2)(i) (Security).

Privacy provisions:

  • Describe the permitted and required uses of protected health information by the business associate;
  • Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law;
  • Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract;

Security provisions:

  • Include that the business associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity;
  • Require the business associate to ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards;
  • Provide that the business associate will report to the covered entity any security incident of which it becomes aware;
  • Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

Furthermore, under the HIPAA Privacy Rule, if a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation.  If such steps are unsuccessful, the covered entity should terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Resources:
Summary of the HIPAA Privacy Rule: Business Associates - Developed by the Office for Civil Rights at the U.S. Department of Health and Human Services (2003).  This site provides a summary of the HIPAA Privacy Rule.

Sample Business Associate Contract Provisions - Developed by the Office for Civil Rights at the U.S. Department of Health and Human Services (2006).  This site provides sample provisions and sample language of a business associate contract.

Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.