Business Associate Agreement Needed

While it is almost always necessary for a counterparty to sign an agreement with an insured company when an ePHI counterparty creates, receives, maintains or transmits on behalf of the insured company, if it does not offer covered service to the covered company (i.e. a landscaper), the business is not a consideration and no agreement is required. Conclusion and caution. I hope that companies that are not HIPAA`s “business partners” will avoid the status of a trading partner and the commitments associated with it. On the other hand, if a company is truly a “counterpart” under the regulations, it cannot evade regulatory liability by avoiding a counterparty agreement. “[A person or entity] is a consideration when the person or entity meets the definition of “consideration,” even if a company or insured counterparty is not outside the required counterparty contract with the person or entity.” (78 FR 5574). [t]he closure by a business partner … for its own management and administration or legal responsibilities do not create any business relationship with the beneficiary of the [PHI], because such information is provided outside the role of the company as a business partner…. On the other hand, the information provided by the counterparty [PHI] to a person who assists the counterparty in the performance of a function, activity or service for a company or other counterparty may establish a business relationship depending on the circumstances.

6. Companies that perform administrative or administrative functions for business partners. Covered companies may authorize counterparties to use PHI for their own management and management or legal responsibilities of the counterparty. (45 CFR 164.504 (e) (4)). If it`s the arrival (OCR Business Associate Guidance, available on This exemption applies only to the extent that the health care provider uses the PPH for treatment purposes; it would not apply if the health care provider uses the information to perform other functions on behalf of the company concerned. “For example, a hospital may benefit from the services of another health care provider to assist in the training of medical students in the hospital. In this case, a matching contract would be required before the hospital could allow the health care provider access to [PHI]. (OCR FAQ). But even in this example, the hospital and the doctor would not need a business agreement if they were members of an OHCA. Once companies, business partners and covered business partners have identified their relationship, it is important to ensure that third parties protect the POs they receive. A signed agreement proves that the BA knows that they must manage THE PHI.

The contract must describe the authorized and necessary use of health information protected by the counterparty; provide that the counterparty will not continue to use or disclose protected health information unless the contract is authorized or required or required by law; require the counterparty to adopt appropriate safeguards to prevent the misuse or disclosure of protected health information that is not provided for by contract.

This entry was posted on Thursday, April 8th, 2021 and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.

Comments are closed.