When Do You Need A Business Associate Agreement

Avoid requests from business partners. Given the cost of compliance and penalties for non-compliance, companies may want to avoid becoming a “trading partner” or executing business partnership agreements where possible. The following people are not business partners and may rightly refuse to execute a business partnership agreement: If you are a doctor, you have probably heard of a commercial partnership agreement, also known as a BAA. It`s probably appeared in the hipaa compliance seminars you`ve attended. Or maybe you`ve considered two different providers – one offers a BAA (for a fee) and the other does not. How do you know if you need a BAA? Today`s post will answer this question. They identified themselves as a covered entity. Now let`s take a look at the services you hire to run your practice. If you run a busy practice, you probably don`t do everything yourself.

You can use services to clean your office, do your accounting, provide emails, and perform other tasks that are critical to the success of your business. Trade partnership agreements are not optional! HIPAA requires that you sign the BAA with your business partner before sharing a PHI with them. This will help you avoid a data breach as well as penalties for not having a BAA. The HIPAA Privacy Rule explicitly excludes disclosures by a covered company to a healthcare provider for the purpose of addressing business partner requirements. See 45 CFR 164.502(e)(1). Therefore, any covered healthcare provider (or other covered entity) may share [PHI] with a healthcare provider for treatment purposes without a commercial partnership agreement. By law, the HIPAA privacy rule only applies to covered companies – health plans, health care clearing houses, and certain health care providers. However, most health care providers and health care plans do not perform all of their health activities and functions themselves.

Instead, they often use the services of a variety of other people or companies. The confidentiality rule allows covered health care providers and plans to share protected health information with these “business partners” if the providers or plans receive satisfactory assurances that the business partner will only use the information for the purpose for which it was engaged by the covered entity, protect the information from misuse, and help the covered entity comply with some of the requirements. The entity referred to under the r Data Protection Rule. The companies concerned may disclose protected health information to a company in its role as a business partner only to help the company concerned perform its health functions – not for the use or purposes independent of the business partner, unless this is necessary for the proper administration and administration of the business partner. The contract must: describe the authorized and required use of the health information protected by the business partner; provide that the Business Partner shall not use or disclose protected Health Information other than to the extent permitted by contract or as prescribed or required by law; and request the business partner to take appropriate security measures to prevent the misuse or disclosure of protected health information that is not provided for in the contract. .

Posted in Uncategorized