Who Needs A Baa Agreement

The HIPAA Privacy Rule describes the types of entities covered by HIPAA and entities that must comply with HIPAA data security and protection rules. The main categories are clearing houses, covered companies (CEs) and counterparties. The more the subcontractor receives from the covered unit, the more confusion there is as to who is actually a business partner and who must sign a matching contract. The above BAA PDF was designed as an agreement between a single insured company and a single business partner. This means that it can be modified for use with a business partner and its subcontractor. 5. If the counterparty uses subcontractors or other entities to provide services to the registered business in which PHI is involved, you enter into matching agreements with the subcontractors. (45 CFR 164.314 (a) and 164,504 (e)). 2.

Explain the liability limits of the insured company. Some companies or registered counterparties insist that matching agreements be entered into because they mistakenly believe that they are held responsible for hipaa offences committed by the contractor. HIPAA specifies that covered companies or counterparties are only responsible for the activities of their counterparties or subcontractors if the counterparty or subcontractor acts as the representative of the covered entity, i.e. the covered entity has the right to control the activities of the counterparty or subcontractor. (45 CFR 160.402 (c); 78 FR 5581). The parties can avoid liability by nature by ensuring that any contract between them clearly identifies the counterparty or subcontractor as an independent contractor and not as a representative and that the company concerned does not control the activities or activities of the counterparty or contractor. (78 FR 5581). To this end, an excessively restrictive counterparty agreement may effectively work against the covered entity, since it may suggest an agency relationship or give the covered entity greater control over the contractor`s activities. Each party in the chain is legally and contractually obligated to protect the PHI and manage it to the same extent as the obligations of the company covered at the top of the chain.

consequently. B, if a covered company is a hospital and that hospital has a 24-hour injury report, each link (or business partner) of that chain must also report the injury report 24 hours a day in its BAAs. You will find a detailed list of the information you need to include in your trade agreements in the Department of Health and Human Services. Finally, the inability of a partner/subcontractor to meet the requirements of an agreement could have a significant impact: as an organization covered by HIPAA, you know that most of your suppliers are also BAs. So we turn to your BA contract: the counterparty contract. Exceptions to the Business Associate Standard. The data protection rule contains the following exceptions to the Business Associate standard. See 45 CFR 164.502 (e). In these cases, an insured company is not required to enter into a counterparty contract or other written agreement until protected health information can be disclosed to the individual or legal person. A software company that hosts software that contains information on its own server or accesses patient information when the software function is bypassed is a business partner of a covered entity.