UTMB HANDBOOK OF OPERATING PROCEDURES

Section 6 Compliance Policies

Subject 6.2 Privacy Related

Policy 6.2.35 Business Associates With Access to PHI

Originated: 04/11/2003

Reviewed with changes: 10/08/07

Reviewed without changes:

Author: Compliance Office

Business Associates with Access to PHI

Definition

Business Associate is a person or entity who provides certain functions, activities, or services for or to UTMB, involving the use and/or disclosure of Protected Health Information (PHI).

    • A business associate is not a UTMB employee.

    • A business associate may include one of the additional components of the University of Texas system, other medical schools or other health care providers.

Policy

UTMB, in an effort to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), maintains that patient information must be kept private and confidential.

UTMB is required to investigate and take corrective action if it becomes aware of a practice or pattern that constitutes a material breach of this policy. Under the HIPAA Privacy Regulations, UTMB is not required to actively monitor or oversee the means by which its business associates carry out safeguards, or the extent to which the business associates abide by the requirements of the contract. As a result, it is important for anyone with knowledge of a business associate who has violated the HIPAA Privacy Regulations to contact the Office of Institutional Compliance.

Violation of this policy may result in disciplinary action up to and including termination for employees; a termination of employment relationship in the case of contractors or consultants; or suspension or expulsion in the case of a student. Additionally, individuals may be subject to loss of access privileges and civil and/or criminal prosecution.

Business Associate Requirements

All personnel must strictly observe the following standards relating to business associates:

    • UTMB must enter into contracts with business associates that contain specific language. Legal Affairs will provide the language for contracts.

    • The contract must include language that provides that the business associate will:

    o Not use or further disclose the information other than as permitted or required by the contract or as required by law;

    o Use appropriate safeguards to prevent the use or disclosure of Protected Information for any reason other than as provided by this Agreement. Contractor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains or transmits on behalf of UTMB;

    o Promptly notify UTMB of any use or disclosure of PHI not provided for in this Agreement of which it becomes aware. Contractor shall report to UTMB any instances, including security incidents, of which it is aware in which PHI is used or disclosed for a purpose that is not otherwise provided for in this Agreement or for a purpose not expressly permitted by the HIPAA Rules;

    o Require any agents or subcontractors who receive PHI to be bound by the same restrictions and conditions outlined in this Agreement. Additionally, Contractor shall ensure that any agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards to protect the confidentiality, integrity and availability of electronic PHI that Contractor creates, receives, maintains, or transmits on behalf of UTMB;

    o Make available PHI in accordance with the UTMB policy on Patient Access to PHI;

    o Make available PHI for amendment and incorporate any amendments to PHI in accordance with the UTMB policy on Patient’s Right to Amend or Correct PHI;

    o Make available the information required to provide an accounting of disclosures in accordance with the UTMB policy on Accounting of PHI Disclosures;

    o Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created by, or on behalf of, UTMB, available to the U.S. Department of Health & Human Services (HHS) for purposes of determining UTMB’s compliance; and

    o At termination of the contract, if feasible, return or destroy all PHI received from, or created by or on behalf of, UTMB that the business associate still maintains in any form and retain no copies of such information. If such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

In the event UTMB becomes aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate's obligations under its contract, UTMB must take reasonable steps to cure the breach or to end the violation, as applicable.

In the event that the business associate cannot or will not remedy the practice or pattern, UTMB must terminate the contract if feasible. Where termination is not feasible, contact the UTMB Privacy Office for reporting to HHS, as required.

References

45 C.F.R. §164.502(e)(1)

45 C.F.R. §160.103

Texas Health & Safety Code §181.001(b)(1)(A)

     

This site published by Ruth Finkelstein for the Policies & Procedures Website.
Copyright © 2005 The University of Texas Medical Branch. Please review our Privacy Policy and Internet Guidelines.