There are specific requirements mandated by the HIPAA Privacy Rule for business associates entering into contracts with covered entities. According to the U.S. Department of Health and Human Services, a covered entity's contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e) (Privacy) and 45 CFR 164.314(a)(2)(i) (Security).
Privacy provisions:
Security provisions:
Furthermore, under the HIPAA Privacy Rule, if a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, the covered entity should terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Resources:
Summary of the HIPAA Privacy Rule: Business Associates - Developed by the Office for Civil Rights at the U.S. Department of Health and Human Services (2003). This site provides a summary of the HIPAA Privacy Rule.
Sample Business Associate Contract Provisions - Developed by the Office for Civil Rights at the U.S. Department of Health and Human Services (2006). This site provides sample provisions and sample language of a business associate contract.