Business Associate Agreement Means

Business associates are any entity or person that creates, receives, maintains, or transmits PHI on behalf of a covered entity, or on behalf of a business associate of a covered entity. A covered entity, such as a healthcare provider, health plan, or healthcare clearinghouse, may itself also be a business associate of another covered entity. Two examples of how HHS interprets what it means to handle PHI “on behalf of” a company, and thus whether a business associate relationship exists, can be found on page 5572 of the HIPAA Omnibus Final Rule and in HHS' latest guidance on when developers of digital health applications become business associates. A BAA must be signed by a covered entity whenever its business associate processes PHI that first passes through the covered entity. A list of covered entities is given below; for more information, see HIPAA Covered Entities.

At Aptible, we receive many questions about HIPAA business associate agreements, or “BAAs”. This article introduces some of the essential concepts that cloud-hosted software development organizations should understand about BAAs. The BAA PDF template above was designed as an agreement between a single covered entity and a single business associate, but it can be modified for use between a business associate and its subcontractor. A BAA is a critical document that protects both covered entities and their business associates. It also defines the liability and restrictions that apply to both parties, so the advice of a lawyer is always necessary.

Exceptions to the business associate standard. The Privacy Rule contains the following exceptions to the business associate standard (see 45 CFR 164.502(s)). In these situations, a covered entity is not required to enter into a business associate contract or other written agreement before PHI may be disclosed to the person or entity. The BAA template provided here (add the tk link to pdf) is generalized; any real use of such an agreement requires adaptation to the specific needs of the organization. Here are some additional points a company can take into account when drawing up its own contract. Liability has both breadth and depth.

Breadth, or scope, refers to the types of damages for which you may be liable. Generally speaking, you should only accept certain types of liability. Unlimited liability means that, in addition to possible compensation in the event of a breach, your customers can also sue you for loss of business, loss of reputation, and other consequential damages; it is customary to exclude these types of liability. Direct employees do not need to sign a BAA, because the people who work for you are part of your organization and are not considered business associates. They are still covered by HIPAA, however: they act as your agents, so you are responsible for their privacy and security training. This applies not only to your regular full-time hires but also to interns, temporary workers, volunteers, and anyone else under your direct control. Covered entities and business associates can be sanctioned if they fail to enter into a business associate agreement when one is required, and penalties can be severe. For example, a group of doctors in Florida paid a $500,000 fine for failing to enter into a business associate agreement with its billing company.

After the billing entity improperly posted PHI on its website, the U.S. Department of Health's Office for Civil Rights (OCR) sanctioned the group for failing to take appropriate steps to safeguard PHI, including failing to enter into a business associate agreement with the billing entity. . . .
