Yes. If you engage another organization to create, maintain, receive or transmit PHI on behalf of your organization, then it is your business associate, and you need a BAA with it. Here are seven quick facts about HIPAA Business Associate Agreements (BAAs). Business associate agreements are not optional: HIPAA requires you to sign the BAA with your business associate before sharing PHI with them. Doing so helps you avoid a data breach, as well as penalties for not having a BAA in place. Your own workforce members are not required to sign a BAA, because they are part of your organization and are not considered business associates; they are nonetheless still covered by HIPAA. As an employer, you are responsible for training your staff in how to preserve the integrity and confidentiality of protected health information.

5. Entities acting on their own behalf or on behalf of the patient.
The business associate requirements apply only to entities that perform a PHI-related function on behalf of a covered entity or its business associate. Entities that process PHI for their own purposes are not business associates. For example, "[a] provider that submits a claim to a health plan and a health plan that assesses and pays the claim each acts on its own behalf as a covered entity, and not as a 'business associate' of the other." (OCR Business Associate Guidance). Similarly, a bank or financial institution is not a business associate of a covered entity when it "processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums"; in such cases, "the financial institution is providing its customer with banking or other ordinary financial transaction services; it is not performing a function or activity for, or on behalf of, the covered entity" and so is not a business associate. (Id.; 78 FR 5575; 65 FR 82476). Researchers are not business associates of covered entities, even where the researcher is engaged by the covered entity to carry out research. (78 FR 5575). "When a physician or other provider has staff privileges at an institution, neither party is a business associate of the other based solely on the staff privileges, because neither party is performing functions or activities on behalf of the other." (65 FR 82476). Covered entities that disclose PHI for the health care operations of another covered entity are not business associates of the other. (65 FR 82476). Finally, an entity that provides services on behalf of the patient, rather than on behalf of the health care provider, is not a business associate (for example, a lawyer who requests health information in order to represent the patient, or a company that collects and interprets data on behalf of a patient). A business associate agreement is also not required with persons or entities whose functions, activities or services do not involve the use or disclosure of [PHI], and for whom any access to [PHI] would be incidental, if it occurs at all.