The wound? North Memorial has entrusted a lender to conduct various transactions involving a customer database. North Memorial failed to sign a HIPAA BAA with the seller. What is a business associate? “counterparty”: a person or organization that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of a covered company or that provide services to a covered business; An insured company staff member is not a business partner. A covered health care provider, health plan or health care clearinghouse may be a counterpart to another insured company. The data protection rule lists some of the functions or activities and related services that make an individual or organization a business partner when the activity or service involves the use or disclosure of protected health information. The types of functions or activities that can make an individual or organization a counterpart include payment or health transactions, as well as other functions or activities governed by administrative simplification rules. The Department of Health and Human Services for Civil Rights (HHS/OCR) can impose hefty fines and remedial measures if you do not have a BAA with your AADs. In addition, if HHS/OCR monitors your organization, you must be able to provide your matching agreements and prove that you have performed due diligence with your AAS. Sometimes a business partner has its own BAA.
Which one should you use your or theirs? HIPAA is silent about this. Nevertheless, it is typical of the recruitment organization to dictate the terms of an agreement. You`d be z.B. Use your BAA with your business partner, and the business partner will use its BAA with its subcontractors. However, you never enter a BAA with your BA subcontractors! However, as a hipaa organization, you know that most of your suppliers are also BAs. So we turn to your BA contract: the counterparty contract. By law, the hipaa privacy rule only applies to covered institutions – health plans, health care compensation rooms and some health care providers. However, most health care providers and health plans do not perform all of their health activities and functions themselves.
Instead, they often use the services of many other individuals or businesses. The data protection rule allows providers and covered health plans to transmit protected health information to these “counterparties” when providers or plans receive satisfactory assurances that the counterparty uses the information only for the purposes for which it was mandated by the covered entity, which protects the information from abuse and helps the added entity fulfill some of the obligations of the entity covered under the data protection rule. Covered companies may disclose protected health information to a company in its role as a business partner only to assist the insured company in fulfilling its health missions – not for independent use or for the purposes of counterparty, unless it is necessary for the proper management and management of the counterparty. [HIPAA] requires, for [all] information that is not required by law, that the consideration receive reasonable assurances from the person to whom the [PHI] is disclosed, that it is confidential and that it is only used or disseminated at that time, in accordance with the law or for the purposes for which it was disclosed to the person, and that the person informs the consideration of the cases of which he or she is aware of the information. See point 164.504 (e) (4) (ii) (B). Exceptions to the Business Associate Standard. The data protection rule contains the following exceptions to the Business Associate standard. See 45 CFR 164.502 (e).
In these cases, an insured company is not required to enter into a counterparty contract or other written agreement until protected health information can be disclosed to the individual or legal person.