Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?
No. A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements at 45 CFR 164.504(e).

Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity's business associate as the minimum necessary?

A covered entity's contract with a business associate may not authorize the business associate to use or further disclose the information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. See 45 CFR 164.504(e)(2)(i). Thus, a business associate contract must limit the business associate's uses and disclosures of, as well as requests for, protected health information to be consistent with the covered entity's minimum necessary policies and procedures. Given that a business associate contract must limit a business associate's requests for protected health information on behalf of a cove