Data use contracts between health care covered entitties and business associates including outsourcers
October 9, 2009 by Bierce & Kenerson, P.C.
Overview.
The final Privacy Rule adopted in August 2002 sets forth specific requirements for contracts between “covered entities” and “business associates” (outsourcers). For further details, please contact one of our attorneys.
Minimum Provisions.
For the minimum terms of such a contract, the final HIPAA Privacy Rule provides:
A covered entity may use or disclose a limited data set under paragraph (e)(1) of this section only if the covered entity obtains satisfactory assurance, in the form of a data use agreement that meets the requirements of this section, that the limited data set recipient will only use or disclose the protected health information for limited purposes. (ii) Contents. A data use agreement between the covered entity and the limited data set recipient must:
(A) Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with paragraph (e)(3) of this section [45 CFR Section 164.514]. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity;
(B) Establish who is permitted to use or receive the limited data set; and
(C) Provide that the limited data set recipient will:
(1) Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
(2) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;
(3) Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;
(4) Ensure that any agents, including a subcontractor, to whom it provides the limited data set agrees to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
(5) Not identify the information or contact the individuals.