What is a business associate? A "business associate" is a person or organization that performs certain functions or activities involving the use or disclosure of protected health information (PHI) on behalf of a covered entity, or that provides services to a covered entity. A member of a covered entity's own workforce is not a business associate. A covered health care provider, health plan or health care clearinghouse can itself be a business associate of another covered entity. The Privacy Rule lists some of the functions, activities and services that make a person or organization a business associate when the function, activity or service involves the use or disclosure of PHI. The types of functions or activities that can make a person or organization a business associate include payment and health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules. A business associate agreement (BAA) sets out the permitted and prohibited uses and disclosures of PHI between the two HIPAA parties. The contract must require the business associate to implement appropriate administrative, technical and physical safeguards, consistent with the Security Rule, to protect the confidentiality, integrity and availability of electronic PHI (ePHI). Contracts can also be drafted to describe in detail the relationship between a covered entity and a business associate, as well as the relationship between two business associates (for example, a business associate and its subcontractor). (OCR Frequently Asked Questions ("FAQ"), available at www.hhs.gov/ocr/privacy/hipaa/faq/index.html). Similarly, "the mere selling or providing of software to a covered entity does not give rise to a business associate relationship if the vendor does not have access to the [PHI] of the covered entity." (Id.)
Companies that wish to avoid business associate obligations may want to include in their service contracts a provision confirming that PHI is not required for the company to perform its functions, and that their customers, whether covered entities or business associates, will not make PHI (or, as explained below, unencrypted PHI) available to the company without the company's prior approval. As a general rule, the BAA also defines the services the business associate provides and the nature of the data it handles, and addresses breach notification (for example, notification deadlines) and penalties.
Not every doctor needs a BAA. The simplest way to tell is to determine whether you are a so-called "covered" entity and therefore subject to the HIPAA rules. Ask yourself these two questions: Accordingly, whenever a covered entity or business associate contracts with another party to provide services that involve the exchange of PHI, the parties should carefully analyze the arrangement to determine whether a business associate agreement is required.