Does the HIPAA Privacy Rule require a business associate to provide individuals with access to their PHI or an accounting of disclosures, or an opportunity to amend PHI?
The Privacy Rule regulates covered entities, not business associates. The Rule requires covered entities to include specific provisions in agreements with business associates to safeguard PHI, and addresses how covered entities may share this information with business associates. Covered entities are responsible for fulfilling Privacy Rule requirements with respect to individual rights, including the rights of access, amendment, and accounting. With limited exceptions, a covered entity is required to provide an individual access to his or her PHI in a designated record set. Therefore, the Rule requires covered entities to specify in the business associate (BA) contract that the BA must make such PHI available if and when needed by the covered entity (CE) to provide an individual with access to the information. Under 45 CFR 164.526, a covered entity must amend PHI about an individual in a designated record set, including any designated record sets held by a BA. Under 45 CFR 164.528, the Privacy Rule requires a CE to provide