Business associates perform specific functions and activities involving the use or disclosure of PHI on behalf of a covered entity, or provide services to a covered entity.
Under HIPAA, a covered entity and any business associate that comes into contact with its electronic PHI must sign a business associate agreement (BAA). The agreement outlines the business associate's duties and responsibilities for protecting an individual's PHI.
In the BAA, the business associate should agree to implement all three safeguards of the HIPAA Security Rule. The agreement also specifies the kind of PHI the business associate will access and how that PHI will be protected.
Employees of the business associate should undergo HIPAA training, which will help them understand their responsibilities in protecting the PHI of an individual.
In case of a breach of PHI, the business associate must inform the concerned parties within 15 days of the breach’s discovery. The HHS should be notified about the breach within 60 days.
If a violation of the Security Rule occurs, the covered entity is allowed to terminate the business associate agreement.
Moreover, once the business associate's services to the covered entity have been completed, the business associate must agree to either destroy or return all of the PHI.