“[A] a person or corporation that is not a member of the staff of a covered company, performs functions or activities on behalf of a covered company, or provides certain services that include consideration of protected health information. A [BA] is also a subcontractor that creates, receives, manages or transmits protected health information on behalf of another [BA].” But let's be honest… It is difficult, if not impossible, to run a business without the help of third parties. Hiring outside help when you need extra hands or have special needs often makes business sense.

You will find two examples of HHS interpretations of what it means to handle PHI “on behalf” of an entity, used to determine whether a business associate relationship exists, on page 5572 of the final HIPAA Omnibus Rule and in the latest HHS guidelines on when developers of digital health applications can be business associates.

Direct employees do not need to sign a BAA. This is because the people who work for you are part of your organization and are not considered business associates. Yet they are still covered by HIPAA laws. Because they are your agents, you are responsible for training them in data protection and security.
This applies not only to your regular full-time employees, but also to apprentices, temporary workers, volunteers and everyone else who is under your direct control.

Many creditors do not receive PHI to perform tasks on behalf of the covered entity, but the ePHI goes through their systems. Many software solutions touch ePHI, which means that the software provider is considered a business associate. There are exceptions for entities that act as conduits through which ePHI simply passes (see the conduit exception), although most cloud software and service providers are not exempt from compliance with HIPAA and BAAs.

HIPAA requires covered entities to work only with business associates that guarantee full protection of PHI. These assurances must be in writing, in the form of a contract or other agreement between the covered entity and the BA.

With many suppliers comes increased complexity. For example, a hospital may have 100 software vendors with whom it has contracted as business associates. In turn, each of these 100 software providers can have different software solutions and cloud providers with whom it signs BAAs. It is up to each interested party to ensure that it has appropriate agreements in place. A BAA is a critical document that protects covered entities and their business associates alike. It also provides for liability and restrictions for both parties, so legal advice is always needed.
There are two types of trade relationships: once companies, trading partners and covered trading partners have identified their relationship, it is important to ensure that third parties protect the PHI they receive. A signed agreement proves that the BA knows that it must safeguard the PHI.

An “agent” in the legal sense is someone who acts on your behalf. For breach notification purposes, an agent's discovery of a breach is attributed to you, as are the legal consequences of the agent's actions.