Nonprofit Healthcare Compliance 

An ongoing series of informational entries

Nonprofit Health Care Required Business Associate Agreements

Lenora Williams: Posted on Wednesday, September 07, 2011 1:57 AM

What is a Business Associate?

As stated on the HHS website, "Business Associate Defined - In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.

Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. A covered entity can be the business associate of another covered entity."

What is a Business Associate Contract or Agreement?

Again as stated on the HHS website, "Business Associate Contract - When a covered entity uses a contractor or other non-workforce member to perform 'business associate' services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement (in certain circumstances governmental entities may use alternative means to achieve the same protections). In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule. Covered entities that have an existing written contract or agreement with business associates prior to October 15, 2002, which is not renewed or modified prior to April 14, 2003, are permitted to continue to operate under that contract until they renew the contract or April 14, 2004, whichever is first."

Sample Business Associate Agreements from different websites:

Found on the HHS website -- Sample business associate contract language is available on the OCR website at:

Found on the HIPAA Survival Guide website --

Found on NCHICA website --

Rural Health Clinics (RHCs) Laws & Regulations

HHS & CMS: Posted on Sunday, November 27, 2011 11:51 PM

Health & Human Services (HHS) and Center for Medicare & Medicaid Services (CMS)

Rural Health Clinics (RHCs)

Guidance for Laws and Regulations

"The CMS Regional Office (RO) uses the Social Security Act, Federally Qualified Health Center regulations (see certification and compliance for FQHCs below), and the appropriate sections of the Interpretive Guidelines for RHCs (Appendix G below) in making determinations whether Medicare requirements are met.

When the RO refers a complaint to another agency, Indian Health Service (IHS) or Health Resources Services Administration (HRSA), for investigation action, the RO must request a written report on the results of the investigation. Regardless of who conducts the investigation, the RO has the responsibility to assess compliance with Federal conditions or requirements. The time frames for investigations are not altered by the referral to another agency." (go to for specifics)

State Operations Manual

Appendix G - Guidance to Surveyors: Rural Health Clinics (RHCs)

- (Rev. 1, 05-21-04)

INDEX (go to the above links for section detail)

§491.4 Condition of Coverage: Compliance With Federal, State, and Local Laws

§491.5 Condition of Coverage: Location of Clinic

§491.6 Condition of Coverage: Physical Plant and Environment

§491.7 Condition of Coverage: Organizational Structure

§491.8 Condition of Coverage: Staffing and Staff Responsibilities

§491.9 Condition of Coverage: Provision of Services

§491.10 Condition of Coverage: Patient Health Records

§491.11 Condition of Coverage: Program Evaluation

Table A - Publications of the Bureau of the Census - Maps Displaying Urbanized Areas

Table B - Contacts in the Bureau of the Census Regional Offices

Table C - Cities With Boundaries Extending to Rural Populations

Nonprofit Health Care Compliance: Must Know! ARRA - HITECH Act - HIPAA

Lenora Williams: Posted on Wednesday, September 07, 2011 1:38 AM

What is ARRA?

The American Recovery and Reinvestment Act of 2009 (ARRA). ARRA created incentives related to healthcare information technology in general and is a part of a national health care infrastructure overhaul. ARRA contains incentives to accelerate the adoption of electronic health record (EHR) systems among providers.

What is The HITECH ACT?

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is a part of the American Recovery and Reinvestment Act of 2009 (ARRA).

Under HITECH, mandatory penalties will be imposed for "willful neglect." Obviously, what "willful neglect" means will be determined on a case-by-case basis.

Civil penalties for willful neglect are increased under the HITECH Act. These penalties can extend up to $250,000, with repeat/uncorrected violations extending up to $1.5 million.

The HITECH Act does not allow an individual to bring a cause of action against a provider. However, it does allow a state attorney general to bring an action on behalf of his or her residents. Finally, the office of Health and Human Services (HHS) is now required to conduct periodic audits of covered entities and business associates.

Under the HITECH Act, "unsecured protected health information" essentially means "unencrypted protected health information."

The HITECH Act requires that patients be notified of any unsecured breach. If a breach impacts 500 patients or more then HHS must also be notified. Notification will trigger posting the breaching entity's name on HHS' website. Under certain conditions local media will also need to be notified. Furthermore, notification is triggered whether the unsecured breach occurred externally or internally. The notification provision is yet another example of the weight privacy and security concerns are given under the Act.

What is HIPAA?

In general, the HIPAA Privacy Rule applies to providers and their usage and disclosure of protected health information. The effective compliance date of the Privacy Rule was April 14, 2003. Therefore, providers have been "living" with the Privacy Rule for about 6 years.

The HHS summary of the Privacy Rule states that it “establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information”—by organizations subject to the Privacy Rule—called “covered entities,” (covered entities can be considered providers) as well as standards for individuals' (individuals can be considered patients) privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.” To view the entire Rule, and for other additional helpful information about how it applies, see the OCR website: