You need to be able to identify your employee classification before you know what HIPAA requires. Under the definition of the Health Insurance Portability and Accountability Act (HIPAA), a business associate is any organization or person that works in relation to a covered entity or provides services that generate, process or divulge protected health information (PHI). This means that organizations must have a Business Associate Agreement (BAA) for all three levels in order to meet HIPAA requirements. It is in your best interest to have an agreement, as all three classifications are responsible for the protection of PHI.

Some covered entities have taken a "better safe than sorry" approach to addressing their definitional problems, and have entered into agreements with all the companies with which they have business relationships, whether necessary or not. Recent studies funded by the California Healthcare Foundation have shown that many companies unnecessarily enter into agreements with other covered entities, and also enter into agreements with suppliers who did not have access to PHI and probably never would. In one case, a covered entity asked its landscaper to sign a HIPAA business associate agreement. If you hire a subcontractor and the subcontractor comes into contact with PHI, you must execute a BAA between the two of you. The data protection rule stipulates that all subcontractors of a business associate must consent to restrictions identical to those of the original business associate.
BAAs must be signed by all covered entities when their business associate processes PHI that first passes through the covered entity. There is a list of the features covered below. More information can be found on the HHS.gov page on HIPAA covered entities. As a general rule, the BAA also defines the services provided by the business associate and the nature of the data with which it interacts, and deals with the areas relating to breach notifications (for example, timelines) and sanctions. A HIPAA business associate agreement should not be a stand-alone contract. The language of a BAA can be incorporated into data security agreements, master service agreements or terms of service.

For many covered entities, it is not always clear who is subject to a HIPAA business associate agreement. The Department of Health and Human Services defines a business associate as "a person or organization that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of a covered company or that provide services to a covered business." Business Associate Agreements (BAAs) are an essential part of any effective HIPAA compliance program. But understanding what a good BAA should and shouldn't contain is not as intuitive as understanding that you need one.