Business Associate Contract for Third Party Administrators of Self-Funded Health Care Plans

Department of Health & Human Services

Summary: This final rule adopts Standards for the Security of Electronic Protected Health Information (PHI) to be implemented by health plans, health care clearinghouses, and certain health care providers. The use of the Security Standards will improve the Medicare and Medicaid programs, other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information. This final rule implements some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Statutory Reference: Standards for the Security of Electronic Protected Health Information, Final Rule, Office of the Secretary, Department of Health & Human Services, 45 CFR Parts 160, 162, and 164. Published in the Federal Register of February 20, 2003.

Regulation Effective Date: April 21, 2003

Compliance Date: April 20, 2005 for most covered entities (April 20, 2006 for small health plans) per § 164.318(a)(1) of the regulation text

Purpose of Amendment

This Amendment supplements the Sample Business Associate Contract and is intended to provide additional sample contract language for the purpose of addressing the requirements of the Security Standards for the Protection of Electronic Protected Health Information (PHI) under HIPAA. The Security Standards are intended in general to provide protection to PHI in addition to the protection required under the Privacy Rule by establishing Security Standards for PHI that is transmitted or maintained in an electronic format.

In addition to requiring safeguards to protect the privacy of electronic PHI, the Security Standards require safeguards to protect the integrity of electronic PHI from data loss or corruption, and to maintain availability of the information in disaster or emergency situations. Among other things, the Security Standards require all Covered Entities to obtain assurances from their Business Associates that they will implement reasonable and appropriate security measures to safeguard the privacy, integrity and availability of electronic PHI that is created, received, maintained or transmitted by the Business Associate. The Business Associate must also agree to require its agents and subcontractors to implement these safeguards, and to report any security incidents that occur.

1 11/08/04

Sample Business Associate Contract between Plan and TPA: Electronic Security Standards Amendment

[Note: The following is intended as an amendment to the Business Associate Contract sample language for the purpose of addressing the requirements of the HIPAA Electronic Security Standards. Consult with legal counsel before including this language in any legal document.]

1. Intent. The purpose of this Amendment is to amend the Business Associate Contract between the parties, dated _______________ (the “Agreement”), by setting out the rights and responsibilities of the Security Standards for the Protection of Electronic Protected Health Information under the Health Insurance Portability and Accountability Act (the “Security Standards”). The terms of this Amendment shall be interpreted and applied consistent with this intent and with the Security Standards. As used in this Amendment, Electronic Protected Health Information shall mean Protected Health Information that is transmitted by or maintained in electronic media. All other terms shall have the meaning set out in the Agreement and the Security Standards.

2. Unauthorized Uses and Disclosures. In the event the Claims Administrator becomes aware of a security incident involving Electronic Protected Health Information, by itself or any of its agents or subcontractors, the Claims Administrator shall promptly notify the Plan, in writing, of such security incident. The Plan and the Claims Administrator agree to act together in good faith to take reasonable steps to investigate and mitigate any harm caused by such unauthorized use or security incident. For these purposes, a “security incident” shall have the meaning set out in the Security Standards; generally, a security incident means any attempted or successful unauthorized access, use, disclosure, modification or destruction of information or systems operations in an electronic information system.

3. Appropriate Safeguards. The Claims Administrator agrees that it shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of the Plan.

4. Agents and Subcontractors. The Claims Administrator shall require each of its agents and subcontractors to which it discloses Protected Health Information to agree, in writing, to comply with the same restrictions and conditions that apply to the Claims Administrator under this Amendment.

5. Termination. Notwithstanding any other conditions on termination of the Agreement, upon notice to the Claims Administrator, the Plan may terminate the Agreement if the Claims Administrator has engaged in a pattern of activity or practice that constitutes a material breach of its obligations under this Amendment or under the section of the Agreement titled “Compliance with Privacy Standards,” and the Claims Administrator fails to cure such breach within __ days of the Plan’s notice. If the Plan determines that termination of the Agreement is not feasible, it may notify the Secretary of Health and Human Services with respect to such breach.

6. Effect on Agreement. Except as specifically set forth herein, the Agreement shall remain in full force and effect.