Q&A: Terminating a business associate contract
Q: If we end a contract with a business associate (BA), does the BA need to provide us with assurance that all protected health information (PHI) has been destroyed? Is this something that should be written into the initial contract? What are the steps to take if the BA does not respond to requests to confirm deletion of PHI?
A: It is a good idea to ask the BA for proof of return or destruction. This is not a lot different than requiring a certificate of destruction when you contract with a vendor to destroy media that was used to store PHI. Standard language needs to be included in the business associate agreement (BAA) that requires the return or destruction of PHI when the contract is terminated. It is also common to see what the expectations of the BA are if the BA is unable to return or destroy the PHI.
As far as what steps can be taken if the BA does not respond to requests to confirm deletion of PHI, there are a couple of options. If you have attempted to get the BA to respond several times with no luck, you can bring in counsel to demand a response and/or file a lawsuit against the BA, or you can file a complaint with the Office for Civil Rights (OCR). The OCR complaint would be around the BA not demonstrating adherence to the terms of your BAA and pointing out that the BA retaining PHI is a violation of the minimum necessary requirement.
Editor’s note: Chris Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.