When Is A Business Associate Agreement (BAA) Required

In other words, the business associate becomes separately responsible for HIPAA compliance when your customers' PHI is in their custody. It's like a chain that follows the PHI from the first link in the chain, the covered entity. The next link would be the business associate, and all its subcontractors (including their business associates) would be the links that follow. Think of subcontractors as business associates of business associates. The BAA follows the direct path of the chain. Thus, a covered entity is not required to sign a BAA with the subcontractors of its business associates, but the business associate is.

Contracts with business associates. The contract or other written agreement of a covered entity with its business associate must contain the elements referred to in 45 CFR 164.504(e). For example, the contract must: describe the permitted and required uses of protected health information by the business associate; provide that the business associate will not use or disclose protected health information other than as permitted or required by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent protected health information from being used or disclosed other than as the contract provides. If a covered entity becomes aware of a material breach or violation of the contract or agreement by the business associate, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps fail, to terminate the contract or agreement. If termination of the contract or agreement is not possible, a covered entity must report the issue to the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS).

Please see our model contract for business associates. The HIPAA Privacy Rule describes the types of entities covered by HIPAA and the entities that must follow HIPAA security and privacy policies. The main categories are clearinghouses, covered entities (CE) and business associates. The further away the subcontractor is from the covered entity, the more confusion there is as to who is really a business associate and who should sign a business associate agreement. The BAA places the responsibility to protect PHI directly on the shoulders of the service provider when the information is in their hands. From award-winning HIPAA training to contracts and agreements, we can meet your needs to help protect your business. Each part of the chain is required by regulations and contracts to protect the PHI and manage it in accordance with the obligations of the covered entity at the top of the chain. So, for example, if a covered entity is a hospital and that hospital has a 24-hour breach notification requirement, each link (or business associate) in that chain must also provide 24-hour notification of breaches in its BAAs.