A Business Associate is a person or entity, other than a member of the workforce of a Covered Entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. System shall require any Business Associate of OEB other than a System Office within the Health Care Component to agree by written agreement to certain restrictions and duties with respect to PHI that the Business Associate creates, collects or holds on behalf of System in its capacity as a Covered Entity.
6.1(1) Identifying Business Associates
System shall review existing Self-funded Group Health Plan-related contracts that involve Use or Disclosure of PHI in order to determine whether such contracts need to be amended to include Business Associate agreement provisions. Contracts between Business Associates and Business Associates that are subcontractors are subject to these same requirements. Prior to entering into any new agreement with another entity concerning such services or activities, System shall determine whether the entity is a Business Associate as a result of such services or activities.
Business Associates include persons or entities who have periodic contact with PHI (e.g., outside auditors), as well as those whose services (e.g., vendors providing software or hosting services) require the vendor to persistently store PHI, even if the vendor does not access the PHI.
6.1(2) Contracting with Business Associates
If a Business Associate creates, receives, Uses, or Discloses OEB PHI, System shall require the Business Associate to enter into a written contract or other written agreement with System that:
Notwithstanding the foregoing, if an entity is required by law to perform an activity or provide a service, and the entity qualifies as a Business Associate solely because of such legally required activities or services, System must require the entity to enter into a written agreement as described above.
In any case where the services are to be provided by another governmental entity, this section can be satisfied by a memorandum of understanding with the other governmental entity that contains terms accomplishing the objectives of the HIPAA Privacy Standards that relate to Business Associate Agreements.
6.1(3) Monitoring Business Associates
If System learns that a Business Associate has materially violated one or more of the written agreement’s provisions described in subsection 6.1(2) of this Section, System shall take reasonable steps to end the violation and mitigate the violation’s harmful effects in accordance with Section 8.4 of this Manual. If System’s steps to end the violation and mitigate its effects are unsuccessful, System shall terminate the contract or arrangement with the Business Associate or, if the Privacy Officer determines that such termination is not feasible, report the problem to the Secretary.
6.1(4) Documentation of Business Associates
System shall retain any written agreement with a Business Associate, or any other set of written provisions intended to comply with this Section. Such documentation shall be retained in accordance with Section 9.2 of this Manual.
45 C.F.R. §§ 164.502(e), 164.504(e)