Business Associates

Op10.03-22 Business Associates

Complies with the Administrative Requirements of the Health Insurance Portability and Accountability Act of 1996. 45 CFR Section 164.504(e)

Policy

The Employee Benefit Plan's Business Associates are required to provide satisfactory assurances that they will maintain the confidentiality of the Protected Health Information ("PHI") of the Employee Benefit Plan's participants and only use and disclose PHI for the purposes for which it was provided.

Procedure

  • Existing and new relationships with the Employee Benefit Plan's service providers are reviewed to determine if the relationship requires the use and/or disclosure of PHI and thus, whether the entity is a Business Associate.
  • Business associates are required to sign a written contract that provides satisfactory assurances that they will adhere to the Employee Benefit Plan's privacy practices.
  • The Employee Benefit Plan requires its Business Associates to determine the minimum necessary type and amount of PHI required to perform the services under the Agreement and to represent to the Employee Benefit Plan that it has requested the minimum necessary PHI for the stated purpose.
  • The Privacy Official monitors the return or destruction of PHI used, created or obtained by the Business Associate upon termination of the contract (or the extension of protection if not returned or destroyed).
  • The Privacy Official ensures that any complaints regarding privacy violations by Business Associates are reviewed. If the Privacy Official is aware of a pattern or practice that is a material violation of the Business Associate's duties with regard to privacy, the Privacy Official takes reasonable steps to end the violation. If such steps are unsuccessful, the Privacy Official determines, in consultation with the Employee Benefit Plan Administrator, whether termination of the agreement is feasible. If not, the Privacy Official reports the violation to DHHS.

Effective Date: April 14, 2003