This is how we get business partners.

Hi Tom – Both examples would most likely qualify your company as a business partner. But neither example would tend to make your business a covered entity. SM 12-12-2016

2) Assess whether business partners comply with HIPAA

A business partner is an organization or person that performs work or activities on behalf of a covered company that may involve the use or disclosure of protected health information. In other words, if a third-party organization could potentially access certain PHI in the normal course of its delegated work, it is a business partner.

A: Members of organized health care organizations. Covered entities participating in an Organized Health Agreement ("OHCA") are not business partners of each other when performing functions on behalf of OHCA; "Therefore, they may use and disclose [PHI] for OHCA's joint health activities without entering into a commercial partnership agreement." (OCR FAQ; see 45 CFR 160.103). An OHCA is (1) "a clinically integrated care environment in which individuals typically receive health care from more than one health care provider" (e.g., a hospital and its medical staff); (2) an organised health system involving more than one covered entity and in which the participating covered entities carry out a joint review of the use, quality improvement or payment activities (e.g., provider networks); or (3) certain agreements between group health insurance funds and other insurers. (45 CFR 160.103). The OHCA exemption applies only to covered businesses (e.g., health care providers and health care plans) that perform functions for the OHCA; it does not apply to other entities that require PHI to perform tasks on behalf of OHCA.

Question: Our doctor's office uses data backup via Google Cloud Storage [or Amazon Web Service]. They say they are HIPAA compliant. Do we still need a business partnership agreement with Google [or AWS]?

The data protection rule only applies to covered companies; it does not apply to all individuals or institutions that collect individually identifiable health information. However, it can affect other types of businesses that are not directly governed by the rule, for example, if they rely on covered businesses to provide PHI. It is important for researchers to know how the rule might affect them in the different types of organizations in which they work, and what they may need to do to continue their research or start new research efforts on or after the date of compliance with the confidentiality rule.

Legally, the HIPAA privacy rule only applies to covered companies. A covered entity can be health care plans, health care clearinghouses, or health care providers that transmit any type of health information electronically.
Examples include your doctor, hospital, insurance company, and health insurance, whether it's a private, salaried, state, or federal plan.

Determining whether a researcher must comply with the privacy rule is an individualized and fact-sensitive determination. The answer to this question may depend on how the entity with which a researcher has a relationship is organized. Questions relating to the status of a researcher under the confidentiality rule should be referred to the relevant representatives within that organisation. Neither the federal government nor this brochure makes this decision or should be construed as such.

HHS has developed a set of tools that allow a company to determine whether it is a health care plan, a health care clearinghouse, or a covered healthcare provider that is subject to the confidentiality rule. These tools are available at the following link: www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.

HIPAA defines associates as a person or entity that provides services to a covered entity that include disclosure of PHI. Companies that are considered business partners when working with covered companies are: Even offshore organizations can be considered business partners if any of the information they receive, transmit, or retain can potentially be used to identify a patient in the United States.
A business partner is a person or entity that is not a member of the workforce and that performs or supports, for or on behalf of a registered company, a function or activity governed by HIPAA administrative simplification rules, including the privacy rule, which involves the use or disclosure of individually identifiable health information, or that provides certain services to a registered company that involve the use or disclosure of individually identifiable health information […].