Is patient protected health information safe if a Covered Entity has a dispute with their Business Associate?

How do you ensure electronic protected health information (ePHI) is safeguarded when a contract between a Covered Entity and a Business Associate ends, especially when there is a dispute?

A Business Associate Agreement between a Covered Entity and their Business Associate must clearly spell out the following in order to safeguard ePHI:

– Will the ePHI be returned or destroyed?

– When will the Business Associate do so?

– In what form will the returned information be?

– Are there circumstances that can make return or destruction of the information unfeasible, e.g. technical issues or litigation?

It is best to have frank discussions and potentially add specificity in this area in the contract. Not every business associate relationship is created equal, so covered entities may wish to prioritize negotiating these points in certain high-risk situations, such as where the business associate maintains the primary copy of the protected health information.

Covered entities should also consider these circumstances in their information security risk analysis and contingency planning, so that they are prepared if a problem with respect to a business associate returning or destroying protected health information arises.

There have been a number of dispute cases recently, such as the Texas/Xerox and Full Circle/CompuGroup battles involving patient data, and it is catching the attention of government regulators. OCR seems to be particularly concerned about these issues, and may closely scrutinize incidents where a business associate refuses to return or destroy protected health information.

Under the HIPAA Omnibus Rule, which went into effect last year, Business Associates and their subcontractors are now directly liable for HIPAA compliance.
