By law, the hipaa privacy rule only applies to covered institutions – health plans, health care compensation rooms and some health care providers. However, most health care providers and health plans do not perform all of their health activities and functions themselves. Instead, they often use the services of many other individuals or businesses. The data protection rule allows providers and covered health plans to transmit protected health information to these “counterparties” when providers or plans receive satisfactory assurances that the counterparty uses the information only for the purposes for which it was mandated by the covered entity, which protects the information from abuse and helps the added entity fulfill some of the obligations of the entity covered under the data protection rule. Covered companies may disclose protected health information to a company in its role as a business partner only to assist the insured company in fulfilling its health missions – not for independent use or for the purposes of counterparty, unless it is necessary for the proper management and management of the counterparty. A software company that hosts software that contains information on its own server or accesses patient information when the software function is bypassed is a business partner of a covered entity. In these examples, a covered company would be required to enter into a counterparty agreement before the software company had access to [PHI]. However, when an employee of a contractor, such as a software or IT service provider, has his primary service with an on-site covered company, the covered entity may treat the creditor`s employee as a member of the insured company`s staff and not as a business partner. In other words, the business partner will be responsible separately and will be responsible for HIPAA compliance when your customers` PHI is under their responsibility. In the simplest case, a Business Associate Agreement (BAA) is a legal contract between a health care provider and a person or organization that, as part of its services, has access, transmits or stores protected health information (PHI) for the provider. Whether you prefer to call it business associate agreement or, like HIPAA, business Associate Contract, they are both ways an important part of an organization`s efforts to be HIPAA compatible.
Below, we`ve put together the basic components and definitions of a HIPAA business association agreement model that you can browse. Keep in mind that ACCORDS are legally binding agreements, so it`s best to have a designated security officer, lawyer or HIPAA compliance solution that will help you navigate these contracts. The best thing you can do is consult your lawyer to find out exactly what your responsibility is when it comes to HIPAA.