
Cognetti & Conaboy Family Practice

Business Associates Policy

POLICY: Business Associates


PURPOSE: To ensure that all contracts with business associates comply with HIPAA privacy standards and clearly reflect our desire to protect the security of patient health information.


POLICY: All business associates will sign our HIPAA Business Associates contract, and will be expected to maintain a high level of awareness of patient privacy and security of patient health information to which they may be exposed.


APPLIES TO: Business Associates


1. All relationships with outside vendors and professionals will be reviewed before the
HIPAA compliance date, and periodically thereafter, to clearly identify all business

* Determine whether the new "grandfather" clause applies.

* Develop method to track contract renewal dates.

* For renewals after HIPAA compliance date, develop procedure to evaluate any security breaches and remedies before renewal.

2. All contracts will clearly delineate the conditions for disclosure of patient health
information, data rights of each party, procedures for retention/destruction of data,
and minimum levels of security that are to be maintained.

* Develop conditions for disclosure of patient health information.

* Develop procedures for maintenance and/or destruction of data, including at contract termination.

3. Business associates will be asked to train their employees and sub-associates
regarding the privacy policies of this practice.

* Adherence to security policies will be required by business associates.

4. Breaches of confidentiality will be reported, tracked and remedied according to the
agreed-upon timeframes.

* Develop a procedure for reporting breaches of confidentiality, with required timeframes.

* Develop a procedure for tracking breaches: Business associate must be able to provide incident log upon demand.

* Ensure that business associate has remedied the source of the breach, so that it will not happen in the future.

* Business associates who do not adhere to the privacy policies of this practice will have their contracts terminated.


VIOLATIONS: Violations of the business associates policy should be reported immediately to the Privacy Officer. Violations may constitute a breach of contract and may be subject to contract termination.