When Is A Hipaa Business Associate Agreement Required

The counterparty agreement is a contract that defines the types of protected health information (PHI) made available to the counterparty, the authorized uses and disclosures of PHI, the measures to be implemented to protect this information (for example. B encryption at rest and during transfer) and the measures the BA must take in the event of a security breach, the PHI. www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.htmlsearchsecurity.techtarget.com/definition/business-associatewww.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa-regulations-affect-business-associates__www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html However, if the covered entity has performed its due diligence prior to the conclusion of an agreement, these situations are rare. Assuming that the covered company is diligent, it is unlikely that the covered business will be guilty if a supplier violates the BAA and in any way violates HIPAA. If the creditor signs the document, he assumes responsibility for safeguarding the PHI. A BAA is a signed document that confirms the willingness of a third-party supplier to take responsibility for the safety of your customers`PHI, to comply with appropriate security measures and to meet hipaa requirements when dealing with PHI on your behalf. It`s like a chain that follows the PHI from the first link in the chain, which is the covered entity. The following link would be the trading partner and all their subcontractors (including trading partners) would be the following links. Think of subcontractors as business partners. The BAA follows the direct path of the chain. A covered company is therefore not required to sign an BAA with the subcontractors of its trading partners, but it is the business partner that is.

(OCR Business Associate Guidance, available on www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html). This exemption applies only to the extent that the health care provider uses the PPH for treatment purposes; it would not apply if the health care provider uses the information to perform other functions on behalf of the company concerned. “For example, a hospital may benefit from the services of another health care provider to assist in the training of medical students in the hospital. In this case, a matching contract would be required before the hospital could allow the health care provider access to [PHI]. (OCR FAQ). But even in this example, the hospital and the doctor would not need a business agreement if they were members of an OHCA. If you hire a subcontractor and the contractor comes into contact with a PHI, you must execute a BAA between the two of you. The data protection rule stipulates that all counterparty contractors must consent to restrictions identical to those of the original counterparty. The HIPAA data protection rule expressly excludes information from an insured company for the purpose of processing counterparty requirements. See 45 CFR 164.502 (e) (1). Therefore, any health care provider (or other covered business) [PHI] may participate in a health care provider without a matching contract for treatment. 7.

Entities that are only “tubes” for PHI. Companies that transfer POs to a covered company are not business partners when they are not required to regularly access the PHI, i.e. they are only “lines” of the PHI (for example. B Internet service providers, telephone companies, etc.).