In general, the HIPAA Privacy Rule requires that the contract between a covered entity and its business associate establish the permitted and required uses and disclosures of protected health information (PHI) by the business associate, but provides that the contract may not authorize the business associate to use or disclose PHI in a manner that would violate the Privacy Rule. In addition, the contract must require the business associate to appropriately safeguard PHI. See 45 CFR § 164.504(e). See also the relevant business associate requirements of the HIPAA Security Rule at 45 CFR § 164.314(a). Given these required elements of a business associate agreement, covered entities participating in a networked environment with a HIO can use the business associate agreement as a tool to help shape the specific terms and conditions of the information exchange the HIO will manage, as well as the safeguards that will be in place to ensure information is protected and only shared appropriately.
While a business associate contract technically can authorize the business associate to make any number of uses and disclosures permitted under the Privacy Rule, the parties can, and likely would want to, further restrict in the contract what the HIO can and will do with PHI. Defining the permitted uses and disclosures by the HIO may depend on a number of factors, including the purposes of the information exchange through the network (e.g., for treatment purposes), how individual preferences and choice will be honored, as applicable, and any other legal obligations on covered entities and/or HIOs with respect to the PHI in the network. For instance, if the HIO will primarily manage the exchange of PHI among participating entities for treatment purposes, then the parties should, in the business associate agreement, define the HIO’s permitted uses and disclosures of PHI with those limited purposes in mind.