Under HIPAA, managed service providers (MSPs) are regarded as business associates under certain circumstances: an MSP that accesses PHI is a business associate. HIPAA obligates such MSPs to enter into a specific contract with the covered entity. These MSP contracts, also known as business associate agreements, are discussed below.
What is the Name Given to MSP Business Contracts?
HIPAA refers to MSP contracts – agreements between covered entities and MSP business associates – as “business associate agreements.”
The business associate agreement that HIPAA requires an MSP business associate to enter into with the covered entity must:
- Establish the permitted and required uses and disclosures of protected health information by the MSP business associate;
- Provide that the MSP business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
- Require the MSP business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;
- Require the MSP business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;
- Require the MSP business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;
- To the extent the MSP business associate is to carry out a covered entity’s obligation under the HIPAA Privacy Rule, require the MSP business associate to comply with the requirements applicable to the specific obligation;
- Require the MSP business associate to make available to the Department of Health and Human Services (HHS) its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the MSP business associate on behalf of, the covered entity, for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
- At termination of the contract, if feasible, require the MSP business associate to return or destroy all protected health information received from, or created or received by the MSP business associate on behalf of, the covered entity;
- Require the MSP business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
- Authorize termination of the contract by the covered entity if the MSP business associate violates a material term of the contract.
Note that contracts between a business associate and its subcontractors (who are themselves business associates) are subject to these same requirements.