Health Insurance Portability and Accountability Act (HIPPA) Practice Exam

Which statement is true regarding a Business Associate Contract?

• A. It is optional if PHI is shared
• B. It exclusively benefits covered entities
• C. It must specify permissible uses of PHI
• D. It is only needed for verbal agreements

The correct answer is: It must specify permissible uses of PHI

A Business Associate Contract is a crucial component of HIPAA compliance as it governs the relationship between covered entities and their business associates—entities that perform certain functions or activities on behalf of the covered entity that involves the use or disclosure of Protected Health Information (PHI). The requirement for this contract is detailed in the HIPAA Privacy Rule, which mandates that any business associate handling PHI must have a written agreement in place. The stipulation that the contract must specify permissible uses of PHI is key to ensuring that the business associate understands its obligations regarding the data. This includes what PHI can be used for, how it should be protected, and the limitations placed on its use. This clarity helps prevent unauthorized use or disclosure of PHI and holds the business associate accountable for complying with HIPAA regulations. This requirement further enhances the protection of patient information and is a foundational element in mitigating risks associated with sharing sensitive data with external parties. It also provides a legal framework for recourse if a business associate fails to comply with the terms of the contract. While options related to the optional nature of contracts, benefits, and verbal agreements touch on important aspects of HIPAA, they do not capture the core requirement of specificity in the usage of PHI, which is essential