Do You Need a Business Associate Agreement between Two Covered Entities

If you did not answer “yes”, you can still be a “covered entity”. Or you may want to claim that you must comply with your profession's code of ethics. The most comprehensive source of information about HIPAA is the HHS website. However, since HHS cannot cover every possible relationship between a covered entity and a business associate, some information can be difficult to track down and is open to interpretation. For advice on specific circumstances, we recommend that you seek the help of a HIPAA compliance professional.

Some covered entities have taken a “prevention is better than cure” approach to their definition problems and have entered into agreements with every entity they do business with, whether the agreements are necessary or not. Recent research funded by the California Healthcare Foundation found that many covered entities unnecessarily enter into agreements with other covered entities, and also enter into agreements with providers who did not have access to PHI and would probably never have it. In one case, a covered entity asked its landscaper to sign a HIPAA business associate agreement.

There are many HIPAA business associate agreement templates, but caution should be exercised before using them. Before using such a template, it is important to check for whom it was designed, to make sure it is relevant. It must also be customized to include all the requirements of the covered entity.

HHS can audit BAs and contractors for HIPAA compliance, not just covered entities. This means that organizations must have a Business Associate Agreement (BAA) in place for all three tiers in order to meet HIPAA requirements. It is in your mutual interest to reach an agreement, as all three classifications are responsible for the protection of PHI. It is like a chain that follows the PHI from the very first link, which is the covered entity. The next link is the business associate, and all its subcontractors (including business associates) are the links that follow. Think of subcontractors as business associates of business associates. The BAA follows the direct path of the chain. Thus, a covered entity is not required to sign a BAA with the subcontractors of its business associates, but the business associate is.

[D]isclosures by a business associate ... for its own management and administration or legal responsibilities do not establish a business associate relationship with the recipient of the [PHI], since these disclosures are made outside the entity's role as a business associate. On the other hand, disclosures of [PHI] by the business associate to a person who assists the business associate in performing a function, activity or service for a covered entity or another business associate may establish a business associate relationship, depending on the circumstances. (OCR FAQ).

While qualifying as workforce members would help contractors avoid the obligations of business associates, covered entities may refuse to classify contractors as members of their workforce, as this may indicate that the contractor is acting as an agent of the covered entity, thereby exposing the covered entity to vicarious liability for the contractor's actions. (See 45 CFR 160.402(c); 78 FR 5581).

The contract must provide that the BA (or subcontractor) will put in place appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI and to comply with the requirements of the HIPAA Security Rule. Some of these measures may be specified in the BAA or may be left to the discretion of the BA. The BAA should also set out the permitted uses and disclosures of PHI to meet the requirements of the HIPAA Privacy Rule.

In the event that persons who are not authorized to view the information gain access to the PHI, e.g. through an internal breach or cyberattack, the business associate is required to inform the covered entity of the breach and possibly send notifications to the persons whose PHI has been compromised. The timing and responsibilities for notifications should be set out in detail in the agreement.

A BAA is a signed document that confirms a third-party vendor's willingness to take responsibility for the safety of your customers' PHI, take appropriate security precautions, and comply with HIPAA requirements when managing PHI on your behalf. BAAs are required if you are a covered entity. Be sure to complete the BAA signing process and store the agreement in a safe and accessible place. If your firm is under review or affected by a data breach, you should be able to find the document quickly to demonstrate the steps you have taken to protect your clients' PHI and your HIPAA compliance. Compliancy Group's web-based compliance solution, The Guard, is equipped with everything you and your organization need to manage your HIPAA business associates.

BAAs are mandated by the HIPAA Security Rule. Business Associate Agreements set out the permitted and prohibited uses of PHI between two HIPAA-related organizations. This can include relationships between a CE and a BA, as well as relationships between two BAs.

While it is almost always necessary for a business associate to sign an agreement with a covered entity when the business associate creates, receives, maintains or transmits ePHI on behalf of the covered entity, a company is not a business associate, and no agreement is required, if the company does not provide a covered service to the covered entity (e.g. a landscaper).

Since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act and its inclusion in HIPAA in 2013 through the HIPAA Omnibus Final Rule, subcontractors used by business associates are also required to comply with HIPAA. A business associate must also obtain a signed HIPAA Business Associate Agreement from its subcontractors before they have access to PHI or ePHI. If subcontractors use suppliers who need access to PHI or ePHI, they must also enter into business associate agreements with their subcontractors.

Here are seven quick facts about HIPAA Business Associate Agreements (BAAs). First, keep in mind that if you are a covered entity and you do not have a BAA for your subcontractors who manage PHI, you will not be HIPAA compliant. It's as simple as that.

4. Condition the business associate agreement. Finally, if the covered entity still insists on a business associate agreement, the business associate or subcontractor can minimize its risk by making the agreement conditional on the company's status as a business associate, i.e., the company assumes responsibilities if and to the extent that it is a business associate within the meaning of HIPAA.

While this is an imperfect solution, it could at least allow the company to avoid regulatory penalties if it really isn't a business associate.

During the course of the investigation, CHF found that many of the covered entities had neglected their due diligence obligations and had not received “satisfactory assurances” that the BA with which they shared PHI was HIPAA compliant. Instead, they limited their investigative efforts to “high-risk” IT providers, only ensuring they had mechanisms in place to protect PHI stored and transmitted electronically. Even fewer had audited their BAs to ensure HIPAA compliance. Only a small minority asked to see evidence of risk assessments and of policies and procedures covering the actions that must be taken in the event of a PHI breach. These omissions could result in a fine for the covered entity for violating HIPAA.

5. Entities acting in their own name or on behalf of the patient. The requirements for business associates only apply to companies that perform a function with PHI on behalf of a covered entity or its business associate. Companies that manage PHI for their own purposes are not business associates. For example, “[a] provider who submits a claim to a health care plan and a health care plan that assesses and pays for the claim each acts on its own behalf as a covered entity and not as a ‘business associate’ of the other.” (OCR Business Associate Guidance).

Similarly, a bank or financial institution is not a business associate of a covered entity if it “processes financial transactions made by consumers by debit, credit or other payment card, clears checks, initiates or processes electronic money transfers, or engages in any other activity that directly facilitates or affects the transfer of funds for the payment of health insurance or health insurance premiums”; in this case, “the financial institution provides its normal banking services or other financial transactions to its customers; it does not perform any function or activity for or on behalf of the covered entity” and is not a business associate […].