HIPAA Business Associates Agreements and Outsourcing Issues.
HIPAA’s requirements with respect to business associates are directly relevant to companies and vendors who enter into an outsourcing relationship. HIPAA mandates numerous precautions, restrictions, and obligations of which the vendor as a business associate must be aware. The vendors must agree to comply with the same stringent confidentiality or security requirements and transfer restrictions as those that the HIPAA Rules impose on their clients that are covered entities. For example, being able to respond, within the regulatory time frames, to a patient’s request for an accounting of the disclosures of the patient’s information in the vendor’s custody would require having in place the technology, structure, and personnel necessary to handle the request.
A vendor that offers services to HIPAA-covered entities should take into account the requirements, restrictions, and obligations set forth in the HIPAA Privacy Rule and Security Rule before preparing a proposal for outsourcing services. The customer, in turn, should ensure that the vendor will be able to assist with compliance, respond to requests, maintain the required confidentiality, and the like. During the relationship, the customer should continue monitoring the vendor’s activities to ensure continued compliance with the requirements. If the vendor defaults on its obligations, the customer should ensure prompt correction or terminate the contract as required under the HIPAA regulations.






