Skip Navigation

 

Search

Font Size Reduce Text SizeEnlarge Text Size     Print Send this page to printer     Download Reader  Download PDF readerHHS Home|About HHS|Contact Us

HIPAA Frequent Questions > Providers and Other Covered Entities > Business Associates

HIPAA Frequent Questions

About the Privacy Rule

Administrative Requirements

Authorization Use & Disclosure

Compliance Dates

Limited Use and Disclosure

Notice and Other Individual Rights

Permitted Use and Disclosure

Personal Representatives and Minors

Providers and Other Covered Entities

Business Associates

Group Health Plans

Smaller Providers & Small Businesses

Treatment & Payment & Health Care Operations

Covered Entities

State Law

What are a covered entity's obligations under the HIPAA Privacy Rule with respect to protected health information held by a business associate during the contract transition period?

Answer:

During the contract transition period, covered entities must observe the following responsibilities with respect to protected health information held by their business associates:
  • Make information available to the Secretary, including information held by a business associate, as necessary for the Secretary to determine compliance by the covered entity.
  • Fulfill an individual’s rights to access and amend his or her protected health information contained in a designated record set, including information held by a business associate, if appropriate, and receive an accounting of disclosures by a business associate.
  • Mitigate, to the extent practicable, any harmful effect that is known to the covered entity of an impermissible use or disclosure of protected health information by its business associate.
Covered entities are required to ensure, in whatever reasonable manner deemed effective by the covered entity, the appropriate cooperation by their business associates in meeting these requirements during the transition period.

However, a covered entity is not required to obtain the satisfactory assurances required by the Privacy Rule from a business associate to which the transition period applies.

Of course, even during the transition period, covered entities still may only disclose protected health information to a business associate for a purpose permitted under the Rule and must apply the minimum necessary standard, as appropriate, to such disclosures.

Date Created: 12/19/2002
Last Updated: 03/14/2006


horizontal line

HHS Home | HHS Frequent Questions Home | Contacting HHS | Accessibility | Freedom of Information Act | Disclaimers | Helping America's Youth

U.S. Department of Health & Human Services · 200 Independence Avenue, S.W. · Washington, D.C. 20201