HIPAA requires covered entities to work only with business associates that provide satisfactory assurances that they will appropriately safeguard PHI. These assurances must take the form of a contract or other agreement between the covered entity and the BA. Yes. If you engage another HIPAA-covered organization to create, maintain, receive or transmit PHI on behalf of your organization, then it is your business associate, and you need a BAA with it. (78 FR 5572, emphasis added). Note that the preceding analysis applies to data storage companies that have "access" to the PHI. Unless HHS issues guidance to the contrary, there is a fairly strong argument that the business associate requirements do not and should not apply to entities that maintain encrypted PHI if the entity does not hold the encryption key. The HHS breach notification rule treats encrypted data as secured. (See OCR's guidance at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html). It would therefore be logical to conclude that maintaining encrypted data without the key should not trigger business associate obligations. 1. Explain the limits of the business associate obligations discussed above. I hope that the covered entity will recognize that a business associate agreement is not necessary and that it is prepared to waive the agreement.
Business Associate Agreements (BAAs) are an essential part of any effective HIPAA compliance program. But understanding what a good BAA should and shouldn't contain is not as intuitive as understanding that you need one. 7. Entities that are only "conduits" for PHI. Companies that merely transmit PHI to a covered entity are not business associates when they do not require routine access to the PHI, i.e. they are only "conduits" for the PHI (for example, Internet service providers, telephone companies, etc.). (45 CFR 160.103; 78 FR 5571; 65 FR 82476).
General provision. The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. Satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate. The purpose of a business associate agreement is to set out your BA's responsibility to keep your PHI private and secure.