Who Is a Hipaa Business Associate

Business partners of HIPAA companies include third-party service providers, billing companies, transcribers, cloud service providers, data storage companies – electronic and physical records, EHR providers, consultants, attorneys, CPA firms, pharmaceutical service managers, claims processors, debt collection agencies, and medical device manufacturers. What is a “business partner”? A “Business Partner” is a natural or legal person who performs certain functions or activities that involve the use or disclosure of protected health information on behalf of a Covered Company or the provision of services to that Company. A member of the workforce of the registered company is not a business partner. A covered healthcare provider, healthcare plan, or healthcare exchange house can be a business partner of another covered business. The Privacy Policy lists some of the features or activities, as well as the respective services that make a natural or legal person a business partner if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a natural or legal person a business partner include payment or health activities, as well as other functions or activities regulated by the Administrative Simplification Regulation. HIPAA requires a covered company and its business partners who come into contact with PHI as part of their services to sign a Business Partnership Agreement (BAA), which is a contract between a covered company and an organization or person that sets out that organization`s obligations and responsibilities with respect to the protection of protected health information, which are exchanged between the two parties. All business partnership agreements must include the following: Question: I have an answering machine company and we never hear medical information, only a patient`s name and number for a recall. Doesn`t this mean that we do not receive protected health information and therefore we are not a business partner, but only a regular supplier? Answer: Offshore business partners are allowed under HIPAA and the law applies to them in the same way as those located in the United States.

As a covered company, you want your business partnership agreement to require it to consent to the jurisdiction of the U.S. courts. Question: If we use a business partner abroad, does they have to follow HIPAA? Are we even allowed to use someone in another country? Question: Our doctor`s office uses data backup via Google Cloud Storage [or Amazon Web Service]. They say they are HIPAA compliant. Do we still need a business partnership agreement with Google [or AWS]? Catholic Health Care Services (CHCS) at the Archdiocese of Philadelphia has agreed to resolve possible violations of the hipaa safety rule after the theft of a CHCS mobile device put the PSRs of hundreds of nursing home residents at risk. CHCS provided management and IT services as a business partner to six qualified care facilities. The total number of people affected by the combined offences was 412. The settlement includes a cash payment of $650,000 and a corrective action plan. Upon termination of this Agreement for any reason, the Business Partner will return to the Covered Entity [or, if the Covered Entity has agreed], any Protected Health Information obtained from the Covered Entity or created, maintained or received by a Business Partner on behalf of the Covered Entity [or, if the Covered Entity agrees], that the Business Partner always keeps in any form whatsoever.

Business partners do not keep copies of protected health information. By law, the HIPAA privacy rule only applies to covered companies – health plans, health care clearing houses, and certain health care providers. However, most health care providers and health care plans do not perform all of their health activities and functions themselves. Instead, they often use the services of a variety of other people or companies. The confidentiality rule allows covered health care providers and plans to share protected health information with these “business partners” if the providers or plans receive satisfactory assurances that the business partner will only use the information for the purposes for which it was engaged by the covered entity, protect the information from misuse, and help the covered entity comply with some of the obligations of the covered entity under the To comply with the data protection rule. Registered entities may disclose protected health information to an entity in its role as a business partner only to assist the captured entity in performing its health functions, and not for the business partner`s own use or purposes, unless this is necessary for the proper administration and administration of the business partner. (e) [Optional] Business Partners may use protected health information for the proper administration and administration of the Business Partner or to fulfill the Business Partner`s legal responsibilities….