Q&A: Terminating business associate agreements

Q. If we terminate a contract with a business associate (BA), are we required to obtain assurance that it has completely destroyed all of our protected health information (PHI) stored on its servers and other devices? If the PHI was not completely destroyed and was breached after we terminated the contract, who is responsible for reporting the breach?

A. It is advisable to obtain written certification that the BA has completely destroyed the PHI unless the BA has documented that certain PHI can’t be destroyed at this time because of the BA’s legal obligations. All of this should be clearly spelled out in the BA agreement (BAA), including noting that, if the BA can’t fully destroy all of the PHI stored on its servers, the provisions of the BAA remain in force until such time as the PHI can be completely destroyed.

If proper language is included in the BAA, and the covered entity (CE) can demonstrate the BA destroyed all of the CE’s PHI or the CE has documentation indicating the reason why the PHI can’t be destroyed, the CE is covered from a regulatory perspective. If a breach of unsecure PHI does occur, however, the BA is required to notify the CE. The CE is responsible for notifying affected individuals and OCR if the CE believes there is more than a low risk of compromise to the individuals whose PHI was breached.

Editor's note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon.This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are that of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at nvotta@hcpro.com.