Under HIPAA, which statement is NOT a typical element required by a Business Associate Agreement (BAA) with a covered entity?

• A. The contract must specify minimum necessary use and disclosure of PHI.
• B. The contract must require the business associate to implement safeguards, breach notification, and subcontractor compliance.
• C. The contract must include patient consent forms authorizing all data sharing.
• D. The contract must require security and privacy measures and breach notification.

Answer: (C)

Under HIPAA, a Business Associate Agreement sets how PHI is protected when a covered entity works with a business associate. The agreement typically requires the business associate to implement appropriate safeguards, follow the minimum necessary standard for uses and disclosures, ensure subcontractor compliance, and provide breach notification. It also requires security and privacy measures to protect PHI and to address breaches promptly.

Requests for patient consent forms authorizing all data sharing are not a typical component of a BAA. BAAs are about ensuring that PHI is used and disclosed only for the permitted purposes and that the business associate—and any subcontractors—keep PHI secure and respond to breaches. Blanket patient authorization for all data sharing goes beyond what a BAA normally requires; patient consents are handled separately and, in many cases, disclosures can occur under HIPAA without a blanket authorization if they fall within the permitted uses/disclosures defined in the Privacy Rule and the BAA.