HIPAA - Health Insurance Portability and Accountability Act Business Associate Agreements Questions and Answers

Question 1

A covered entity hires a third-party data analytics firm to process patient data for a quality improvement study. The analytics firm then hires a cloud storage provider to host the data. According to HIPAA, what is the minimum requirement for Business Associate Agreements (BAAs) in this scenario?

Accepted Answer

The covered entity must have a BAA with the analytics firm, and the analytics firm must have a separate BAA with the cloud provider.

Answer

HIPAA requires a 'chain of custody' for Protected Health Information (PHI). The covered entity must have a BAA with its direct business associate (the analytics firm). That business associate must then have its own BAA with its subcontractor (the cloud provider) that will handle the PHI. This ensures that HIPAA protections and liability flow down the entire chain of vendors handling the PHI.

Question 2

Which of the following is a direct liability for a Business Associate under the HIPAA Omnibus Rule?

Accepted Answer

Failure to comply with the HIPAA Security Rule.

Answer

The HIPAA Omnibus Rule and HITECH Act made Business Associates directly liable for compliance with the HIPAA Security Rule. This includes implementing administrative, physical, and technical safeguards. Other duties, like providing a Notice of Privacy Practices or liability for charging unreasonable fees for records access, generally remain the direct responsibility of the Covered Entity.

Question 3

A Business Associate Agreement (BAA) must include a provision that addresses the termination of the agreement. Which of the following is a required element of this termination provision?

Accepted Answer

A mandate for the business associate to return or destroy all PHI at the end of the contract.

Answer

A standard and required component of a BAA is a clause specifying that upon termination of the contract, the business associate must, if feasible, return or destroy all PHI received from, or created or received by the business associate on behalf of, the covered entity. If this is not feasible, protections must be extended to the information, and limits must be placed on further uses and disclosures.

Question 4

In which of the following situations is a Business Associate Agreement (BAA) NOT required?

Accepted Answer

A physician's office uses a courier service, like the US Postal Service, to mail patient records to another provider for treatment purposes.

Answer

HIPAA does not require a BAA with entities that act as a mere conduit for PHI, such as the US Postal Service or other couriers, where access to PHI is transient and not persistent. The other scenarios involve services where the vendor creates, receives, maintains, or transmits PHI on behalf of the covered entity, which explicitly defines them as business associates requiring a BAA.

Question 5

A covered entity learns that its business associate has a pattern of non-compliance that constitutes a material breach of the Business Associate Agreement (BAA). If the business associate fails to cure the breach, what is the covered entity's primary obligation under HIPAA?

Accepted Answer

Terminate the BAA with the business associate, if feasible.

Answer

If a covered entity knows of a material breach or violation by the business associate, it must take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, the covered entity is required to terminate the contract or arrangement, if doing so is feasible.

HIPAA - Health Insurance Portability and Accountability Act Practice Test

HIPAA - Health Insurance Portability and Accountability Act Practice Test

HIPAA - Health Insurance Portability and Accountability Act Business Associate Agreements Questions and Answers