Corporate Compliance

Business associate misusing PHI

Compliance Monitor, September 22, 2006

Q: What should we do if a business associate (BA) misuses our PHI?

A: If you know the BA has violated its contract, you must take reasonable steps to mitigate the breach or end the violation. If such steps are unsuccessful, you must terminate the contract. If you cannot terminate the contract, you must report the problem to HHS.

The HHS commentary notes that "knowing" that a BA has violated its contract means you have substantial and credible evidence of a violation. HHS also notes that although this standard relieves you of the need to actively monitor BAs, you must nonetheless investigate complaints or other evidence of violations by a BA.

For more information, see Section 164.504(e), Business Associate Contracts, and Section 164.530(f), Mitigation, of the privacy rule.

Editor's note: Attorneys from Bricker & Eckler, LLP, answered this question. This is not legal advice. Consult with your attorney for legal matters. This question and answer originally ran in HIPAA Weekly Advisor.

 


