Skip to Main Content
Providers

Medica Administrative Manual  >  Provider Responsibilities > HIPAA Business Associate Requirements for Providers

HIPAA Business Associate Requirements for Providers

The Privacy Rule from the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”) requires that health plans as covered entities obtain satisfactory assurances from their Business Associates to make sure that Protected Health Information (“PHI”) is used only for its intended purposes and is adequately protected in accordance with law. 

In general, providers are considered “covered entities” under the HIPAA privacy rule. In some circumstances, participating providers may also be defined as Business Associates of health plans -- for example, when they perform certain additional delegated duties, such as credentialing. 

In cases where Medica delegates certain responsibilities to a provider and the provider would be construed as a Business Associate under HIPAA, the provider must comply with the HIPAA Business Associate Requirements, as noted in a provider agreement, or as noted below. If a provider is rendering health care services only and is not performing any activities that would make that provider a Business Associate under HIPAA, the Business Associate Requirements would not apply. 

The HIPAA Business Associate Requirements contain provisions that describe how PHI may be used and disclosed and the requirements for protecting it, including appropriate safeguards, security measures, and other required processes. The Business Associate Requirements as noted below are part of Medica’s Administrative Requirements.

Business Associate Requirements

To the extent a provider is a Business Associate of Medica as defined in the HIPAA privacy regulations, 45 CFR Part 160, through a provider participation agreement or any other agreement with Medica (“Agreement”), the provider is bound by the Business Associate Requirements (“Requirements”) set forth below and as required by 45 CFR Part 164. For those providers who have entered into an Agreement and an accompanying Business Associate Agreement with Medica, the Business Associate Agreement and the following Business Associate Requirements will be read consistently to the extent feasible. If there is a conflict between the two, the Business Associate Agreement will prevail to the extent it is in accordance with law.

1. Capitalized Terms

Capitalized terms used, but not otherwise defined, in these Requirements will have the same meaning as those terms in 45 C.F.R. Part 160 and Part 164, and 42 U.S.C. § 17921, as may be modified or amended from time to time.

2. Obligations and Activities of Business Associate

(a)  Business Associate agrees to restrict its use and disclosure of PHI solely for the purpose of performing Business Associate’s obligations under the Agreement and as otherwise permitted or required by these Requirements or as Required By Law..

(b)  Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as permitted by the Agreement and these Requirements.

(c)  Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of these Requirements.

(d)  Business Associate agrees to report to Medica any use or disclosure of PHI not provided for by these Requirements of which it becomes aware, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410, within five (5) business days of the discovery of the use or disclosure.

(e)  Business Associate agrees, prior to disclosure of PHI to any Subcontractor, to require the Subcontractor to agree in writing to the same terms and restrictions that apply to Business Associate with respect to such PHI.

(f)  Business Associate agrees to provide access, at the request of Medica, and in the time and manner determined by Medica, to PHI in a Designated Record Set, to Medica, or as directed by Medica, to an Individual in order to meet the requirements under 45 C.F.R. § 164.524. In the event an Individual requests a copy of PHI maintained electronically in one or more Designated Record Sets, Business Associate agrees to provide access, at the request of Medica, and in the time and manner determined by Medica, to such PHI, to Medica, or as directed by Medica, to the Individual in the electronic form and format requested by the Individual if readily producible or, if not readily producible, in a readable electronic form and format as agreed to by the Individual.

(g)  Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set pursuant to 45 C.F.R. § 164.526 at the request of Medica, within ten (10) business days after request by Medica.

(h)  Business Associate agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI created, received, maintained, or transmitted by Business Associate on behalf of Medica, available to the Secretary, as designated by the Secretary, for purposes of the Secretary determining compliance with HIPAA. If requested by Medica, Business Associate agrees to make such information available to Medica within ten (10) business days after request by Medica.

(i)  Business Associate agrees to document disclosures of PHI and information related to such disclosures as would be required for Medica to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. 

(j)  Business Associate shall promptly notify Medica upon receipt of a request by an Individual for an accounting of disclosures of PHI. Business Associate shall, within ten (10) business days and as directed by Medica, either provide an accounting of disclosures to an Individual requesting an accounting, or provide Medica with information documented in accordance with Section 2(i) of these Requirements to permit Medica to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate shall provide an accounting of disclosures in accordance with this section and as required by 42 U.S.C. § 17935 if PHI is contained in an Electronic Health Record.

(k)  Business Associate agrees to make its internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created, received, maintained, or transmitted by Business Associate on behalf of Medica, available to Medica, for auditing purposes within ten (10) business days of receipt of written notice from Medica.

(l)  Business Associate will, to the extent Business Associate is to carry out a Medica obligation under the privacy regulations, comply with any and all privacy regulations that apply to Medica in the performance of such obligation.

(m)  Business Associate will, following the discovery of a Breach of Unsecured Protected Health Information, notify Medica of the existence of the Breach within five (5) business days. Business Associate shall without unreasonable delay, but in no event more than thirty (30) calendar days after discovery of the Breach, provide Medica with the following documentation:

(i)  A brief description of the Breach, including the date of the Breach and date of discovery of the Breach;

(ii)  A description of the types of Unsecured Protected Health Information that were involved;

(iii)  A description of what Business Associate is doing to investigate the Breach, to mitigate losses and to protect against further Breaches; and

(iv)  To the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the Breach.

(n)  Business Associate shall limit its requests for, and its uses and disclosures of, PHI to the “minimum necessary” amount of PHI consistent with Medica’s minimum necessary policies and procedures. 

3. Prohibit Remuneration.

(a)  Business Associate shall not directly or indirectly receive remuneration in exchange for any PHI except as provided in 42 U.S.C. § 17935(d).

(b)  Business Associate shall not directly or indirectly receive remuneration in exchange for a marketing communication, as defined in 45 C.F.R. § 164.501 except as permitted under 42 U.S.C. § 17936(a).

4. Permitted Uses and Disclosures by Business Associate; General Use and Disclosure Provision.

Except as otherwise limited in these Requirements, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, Medica as specified in the Agreement, provided that such use or disclosure would not violate HIPAA if done by Medica and is in compliance with each applicable requirement of 45 C.F.R. § 164.504(e) and the privacy requirements referenced in HIPAA.

5. Specific Use and Disclosure Provisions

(a)  Except as otherwise limited in these Requirements, Business Associate may use PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate.

(b)  Except as otherwise limited in these Requirements, Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of Business Associate, provided that such disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the PHI is disclosed that such PHI will remain confidential and be used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the PHI has been breached.

(c)  Except as otherwise limited in these Requirements, Business Associate may use PHI to provide Data Aggregation services to Medica as permitted by 45 C.F.R. § 164.504(e)(2)(i)(B).

(d)  Business Associate may use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. § 164.502(j)(1).

6. Security Regulations

6.1 Applicability.  This Section 6 applies only if, and to the extent that, PHI is created, received, maintained, or transmitted by Business Associate in electronic format (“e-PHI”). This Section 6 will govern the terms and conditions under which e-PHI is created, received, maintained, and transmitted. 

6.2 Security Requirements - Security Implementation by Business Associate.  Business Associate agrees to comply with the security regulations and to:

(a)  Implement administrative, physical, and technical safeguards as set forth in 45 C.F.R. §§ 164.308, 164.310 and 164.312 that reasonably and appropriately protect the confidentiality, integrity and availability of the e-PHI that Business Associate creates, receives, maintains, or transmits on behalf of Medica;

(b)  Implement reasonable and appropriate policies and procedures as required by 45 C.F.R. § 164.316;

(c)  Prior to disclosing e-PHI to any Subcontractor, ensure that any Subcontractor to whom Business Associate provides e-PHI agrees in writing to implement reasonable and appropriate safeguards to protect it;

(d)  Report to Medica, within five (5) business days after discovery, any Security Incident of which Business Associate becomes aware; and

(e)  Authorize termination of the Agreement if Medica determines that Business Associate has violated a material term of these Requirements.

7. Obligations of Medica

(a)  Medica shall make available on its web site the notice of privacy practices that Medica produces in accordance with 45 C.F.R. § 164.520, as well as any material changes to the notice.

(b)  Medica shall provide Business Associate with any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate’s permitted or required uses and disclosures.

(c)  Medica shall notify Business Associate of any restriction to the use or disclosure of PHI that Medica has agreed to in accordance with 45 C.F.R. § 164.522, to the extent that such restriction may affect Business Associate’s use or disclosure of PHI. 

8. Permissible Requests by Medica

Medica shall not request Business Associate to use or disclose PHI in any manner that would not be permissible under HIPAA if done by Medica. An exception shall be if Business Associate will use or disclose PHI for Data Aggregation or management and administrative activities of Business Associate.

9. Termination

(a)  Application of these Requirements will terminate when all PHI created, received, maintained or transmitted by Business Associate is destroyed or returned to Medica.

(b)  Upon Medica’s knowledge of a material breach of these Requirements by Business Associate, Medica may immediately terminate the Agreement. Medica, in its sole discretion, may provide Business Associate an opportunity to cure the breach within the time specified by Medica. This provision shall be in addition to and shall not limit any rights of termination set forth in the Agreement.

(c)  Effect of Termination.

(1)  Except as provided in Section 9(c)(2) of these Requirements, upon termination of the Agreement, for any reason, and expiration of these Requirements as they pertain to Business Associate as a result of the Agreement, Business Associate shall return or destroy, at Medica’s direction, all PHI received from Medica, or created, received, maintained, or transmitted by Business Associate on behalf of Medica. This section shall apply to PHI that is in the possession of Subcontractors of Business Associate. Neither Business Associate, nor its Subcontractors, shall retain any copies of the PHI.

(2)  In the event that Business Associate determines that returning or destroying PHI is infeasible, Business Associate shall provide to Medica notification of the conditions that make return or destruction infeasible. Upon the reasonable judgment of Medica and Business Associate that return or destruction of PHI is infeasible, Business Associate shall extend the protections of these Requirements to such PHI and, notwithstanding other permitted uses and disclosures set forth in these Requirements, Business Associate will limit further uses and disclosures of such PHI solely for those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

10. Miscellaneous

(a)  A reference in these Requirements to a section in HIPAA means the section as in effect or as amended.

(b)  These Requirements will be amended from time to time as is necessary for Medica to comply with the requirements of HIPAA and other applicable laws relating to the security or confidentiality of PHI.

(c)  The respective rights and obligations of Medica and Business Associate under Section 9(c) of these Requirements will survive expiration of these Requirements and termination of the Agreement.

(d)  Any ambiguity in these Requirements will be resolved to permit Medica to comply with HIPAA and other applicable laws.

 



REV 5/2022

Date: 1/28/2023 4:49:57 PM Version: 4.0.30319.42000 Machine Name: PWIM4-CDWEB01