A business partner includes settlement companies, audit specialists, COMPUTER scientists and possibly law firms and accountants. Under HIPAA, “business partners” are essentially companies that create POs on behalf of, access, care for or pass on a health care provider. (45 CFR no. 160.103, definition of “counterparty”). HIPAA requires health care providers to perform a BAA before disclosing protected health information (“PHI”) to their business partner. (45 CFR 164.502). In addition, counterparties must perform an BAA with their subcontractors who process PSOs on behalf of the counterparty. (Id.) The BAA must contain certain requirements. As recent comparisons confirm, health care providers who do not perform a BAA are subject to HIPAA penalties and may be held responsible for the misbehaviour of their business partner. What exactly is a BAA and when do you use it? The government defines a counterparty as “a person or corporation that is not a member of the staff of a covered company, performs functions or activities on behalf of a covered entity, or provides certain services involving the counterparty`s access to protected health information.” Simply put, whenever you and your practice need to continue your firm`s business to allow someone to have access to protected health information (PHI) in your possession, you may need a BAA. Some functions are exempt, e.B, licensing cards, peer review and insurance audits. What for? Think of it as a kind of “security clearance.” You have reliable information.
A business partner is another link in the chain of trust. As a general rule, counterparties are not counterparties and therefore there is no need for BAA; However, suppliers may enter into confidentiality agreements with them if the person mistakenly accesses, uses or discloses to PHI: 1. Explain the limitations of the counterparty commitments described above. I hope that the covered entity will recognize that a counterparty agreement is not necessary and that it is prepared to renounce the agreement. 7. Entities that are only “tubes” for PHI. Companies that transfer POs to a covered company are not business partners when they are not required to regularly access the PHI, i.e. they are only “lines” of the PHI (for example.
B Internet service providers, telephone companies, etc.). (45 CFR 160.103; 78 FR 5571; 65 FR 82476).