HIPAA Business Associate Agreement
There is a simple rule of thumb when it comes to a business associate agreement:
IF anyone who is NOT your employee may have access to PHI, you should have a signed business associate agreement with them on file.
If you have had a business associate agreement with someone for years…it is out of date and must be updated.
Things have changed greatly.
As you will see below, the regulations refer to business associate agreements in many places.
It can be very complicated…but…as usual:
…We’ve made this easy for you.
If you don’t have a business associate agreement in place with the right parties, you are in a dangerous situation. Parties that commonly need one include:
- IT Support Company
- EHR Vendor
- Visiting Physicians
- Temporary Office Staff or Nurses
- Billing Company
- Cleaning crew
- Photocopier Service Company
- Much, much more….
What You Get
Policy and Procedure for implementation of the business associate agreement.
PHI Brief – a briefing for non-medical contractors. It gives a non-medical contractor the simple details they need to understand about PHI: what PHI is, and that they are not to talk about it.
What The Reg Says
45 CFR 164.502(a)(4) – Business associates: Required uses and disclosures
45 CFR 164.502(a)(5) – Prohibited uses and disclosures
45 CFR 164.308(b)(2) – Business associate contracts and other arrangements:
A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with §164.314(a), that the subcontractor will appropriately safeguard the information.
45 CFR 164.314(a)(2)(i) – Business associate contracts. The contract must provide that the business associate will—
(A) Comply with the applicable requirements of this subpart;
(B) In accordance with §164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and
(C) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by §164.410.