CHPC Business Associate Agreements and Third-Party Compliance

Question 1

Under HIPAA, which entity is required to sign a Business Associate Agreement (BAA) with a covered entity?

Accepted Answer

A vendor that creates, receives, maintains, or transmits PHI on behalf of the covered entity

Answer

Any vendor that provides services to the covered entity regardless of PHI access

Answer

Only vendors that handle electronic PHI

Answer

Only vendors that store PHI in the cloud

Question 2

Which of the following is NOT required to be included in a Business Associate Agreement?

Accepted Answer

The business associate's liability insurance coverage amount

Answer

Permitted uses and disclosures of PHI by the business associate

Answer

Requirements to report breaches to the covered entity

Answer

Obligation to return or destroy PHI upon termination

Question 3

A business associate hires a subcontractor who will have access to PHI. What must the business associate do?

Accepted Answer

Execute a BAA with the subcontractor that provides equivalent PHI protections

Answer

Obtain written approval from the covered entity before hiring the subcontractor

Answer

Simply notify the covered entity that a subcontractor will be used

Answer

Nothing, as subcontractors are not covered by HIPAA

Question 4

When a covered entity discovers that a business associate has materially breached the BAA and the violation has not been cured, what must the covered entity do?

Accepted Answer

Terminate the contract with the business associate if feasible

Answer

File an immediate complaint with HHS OCR

Answer

Notify the affected patients directly

Answer

Suspend the BAA for 60 days while investigating

Question 5

Which of the following entities is considered a business associate under HIPAA?

Accepted Answer

A cloud service provider that stores PHI for a covered entity

Answer

A covered entity's own workforce members

Answer

A healthcare clearinghouse transmitting claims on behalf of itself

Answer

An individual providing incidental services with no PHI access

Question 6

Under HITECH, business associates are directly liable for which of the following?

Accepted Answer

Compliance with the HIPAA Security Rule's required and addressable safeguards

Answer

Meeting state insurance commission standards

Answer

HIPAA Privacy Rule provisions only when acting outside the BAA scope

Answer

Only civil penalties assigned by the covered entity