BOX 4-1 Business Associate Agreements

A covered entity must obtain assurances in writing that the business associate will: (1) use the information only for the purposes for which it was engaged by the covered entity; (2) safeguard the information from misuse; and (3) help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Business associate agreements must include:

  • A description of the permitted and required uses of the PHI by the business associate.
  • A statement that the business associate will not use or disclose the PHI other than as permitted or required by the contract, or as required by law.
  • A statement that the business associate will use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for by the contract.

SOURCE: 45 C.F.R. § 160.103 (2006).

From: 4, HIPAA, the Privacy Rule, and Its Application to Health Research

Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.
Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors.
Washington (DC): National Academies Press (US); 2009.
Copyright © 2009, National Academy of Sciences.

NCBI Bookshelf. A service of the National Library of Medicine, National Institutes of Health.