Business Associate Agreement Between Two Business Associates
A software company that hosts software containing patient information on its own server, or that accesses patient information when the software function is bypassed, is a business associate of a covered entity. In these examples, the covered entity would be required to enter into a business associate agreement before the software company had access to [PHI]. However, when an employee of a contractor, such as a software or IT service provider, performs his primary service on-site at a covered entity, the covered entity may treat the contractor's employee as a member of the covered entity's workforce rather than as a business associate.

(a) Business Associate. "Business Associate" generally has the same meaning as the term "business associate" at 45 CFR 160.103 and, in reference to the party to this agreement, means [insert the name of the business associate].

In particular, when they provide services or technology to a covered entity (for example, a hospital) or to another business associate as a subcontractor (for example, a PaaS provider such as Datica), business associates store, process, transmit, or otherwise interact with the electronic protected health information (ePHI) of those entities. Because of this access to PHI, every business associate must sign a Business Associate Agreement (BAA). The BAA is a legal contract that describes how the business associate adheres to HIPAA, as well as the responsibilities and risks it assumes.

[The agreement could also provide that the business associate may, at the time of termination, transfer the protected health information to another business associate of the covered entity, and/or add terms relating to a business associate's obligations to obtain or ensure the destruction of protected health information created, received, or maintained by subcontractors.] (78 FR 5572, emphasis added).

Note that the preceding analysis applies to data storage companies that have "access" to the PHI. Unless we receive conflicting guidance from HHS, there is a fairly strong argument that the business associate requirements do not and should not apply to entities that maintain encrypted PHI if the entity does not hold the encryption key. The HHS breach notification rule treats encrypted data as secured. (See OCR's guidance at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html). It would therefore be logical to conclude that maintaining encrypted data without the key should not trigger business associate obligations.

A business associate contract is not required with persons or entities whose functions, activities, or services do not involve the use or disclosure of [PHI], and for whom any access to [PHI] would be incidental, if at all. [For example], janitorial services that clean the offices or facilities of a covered entity are not business associates, because the work they perform for covered entities does not involve the use or disclosure of [PHI], and any disclosure of [PHI] to janitorial staff in the performance of their duties (as can occur when emptying trash cans) is limited in nature and occurs as a by-product of their services.