" business associate agreement Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more

Posts Tagged ‘business associate agreement’

Is Amazon Simple Email Service (SES) HIPAA Compliant?

Thursday, March 19th, 2020

Amazon SES

 

Because Amazon Web Services (AWS) is very inexpensive, very well known, and offers “HIPAA-compliant” solutions to some degree, we are often asked if, and to what degree, Amazon Simple Email Service (SES) is HIPAA compliant. AWS is a big player offering countless services on which companies can build and/or host applications and infrastructures. One of the myriad of services provided by Amazon is their “Simple Email Service” (AWS SES for short).  Organizations are very interested in determining if the services offered are appropriate for their use cases and if use of specific Amazon services will leave them non-compliant or at risk.  Indeed, the larger the organization, the more concern we encounter.

 

Read the rest of this post »

Business Associate Agreements: Fact vs Fiction

Tuesday, August 28th, 2018

HIPAA covered entities form partnerships with third parties to safeguard their data assets effectively. Business associate agreements (BAAs) formalize these relationships and, importantly, describe the HIPAA-related risks and responsibilities that business associates (BAs) will take on.

The written contract between the covered entity and business associate must meet the following requirements:

business associate agreement

  1. State the permitted and required uses and disclosure of PHI by the BA.
  2. Assure that the BA will not use or share information other than as required or permitted by the contract or by law.
  3. Require the BA to implement suitable safeguards to prevent the unauthorized use of information, including deploying the requirements of the HIPAA Security Rule as it relates to protected health information.
  4. Report to the covered entity any use or disclosure of information not provided for by the contract.
  5. Agree to disclose PHI to meet the covered entity’s obligation to provide individuals a copy of their PHI, and also either provide PHI for amendments or incorporate amendments.
  6. Adhere to the requirements of the Privacy Rule to the extent required.
  7. Provide to the Department of Health and Human Services records, practices and books related to the use and disclosure of PHI.
  8. At the termination of the contract, destroy or return all PHI created or received by the BA on behalf of the covered entity.
  9. Ensure that any subcontractors the BA engages must comply with substantially the same conditions and restrictions that apply to the BA.
  10. Authorize termination of the contract by the covered entity if the BA violates a material term of the contract.

Read the rest of this post »

HIPAA Business Associate Agreement: Do I Need One?

Thursday, July 12th, 2018

A business associate (BA) is an individual or an entity who could come in contact with protected health information (PHI) by providing services to or performing activities on behalf of covered entities. Your employee is not a business associate, but your web host, email encryption service, billing company and lawyers could be, and these are just four examples. BAs of BAs (BA’s contracting with your vendors) further extend the chain.

Not all entities that access PHI must be business associates. For instance, the cleaning company that disposes trash from your office does not qualify as a business associate even though there is a possibility of the cleaning crew coming in contact with identifying patient information in dustbins or laying on FAX machines or desks (though if they do, then your employees did not manage the PHI properly). However, it is important to have a clear reporting mechanism in place where cleaning company workers can alert a point person in your office when they come across PHI.

Business associate agreement do I need one?

The Omnibus Rule provides multiple categories of business associates, including health information organizations (HIOs), anyone offering personal health records to individuals on behalf of covered entities, and covers a variety of service categories such as data aggregation, accreditation, actuarial and administrative services dispensed to a covered entity provided such services involve the disclosure of patient health information. Use this link for more information on business associates.

Read the rest of this post »

Google Apps HIPAA Compliance Gotchas: Email encryption not included and higher price

Wednesday, October 8th, 2014

There has been a lot of hype about Google offering a Business Associate Agreement to paid Google Apps customers who must abide by HIPAA regulations.  Those who are familiar with Google may be under the incorrect assumption that simply signing up for Google Apps will solve all their HIPAA compliance challenges.  This seems to be increasingly less likely as of October, 2014.

Myths and hidden costs pervade this equation. If a HIPAA-aspiring entity isn’t fully educated about the finer details of the compliance process, they could end up paying very large amounts of money for Google services and still be non-compliant. Here we discuss some misconceptions about Google services as they apply to HIPAA to help you avoid the pitfalls of non-compliance.

Read the rest of this post »

Do HIPAA Resellers Need Business Associate Agreements with their Clients?

Thursday, March 27th, 2014

HIPAAThe short answer is “Yes“.

The HIPAA Omnibus (and HITECH) rules states that a chain of Business Associate Agreements is required from the Covered Entity though each business partner in the chain of companies that have potential access to the ePHI of that covered entity.

In the case of LuxSci HIPAA resellers, the chain of companies is:

  1. LuxSci
  2. LuxSci Reseller
  3. Resellers’ Customers (be they Covered Entities or Business Associates)

So, LuxSci would have a business associate agreement with the Reseller and the Reseller would have separate business associate agreements with each of his/her customers.  This is because the LuxSci HIPAA reseller is acting as a VAR (value added reseller) of LuxSci, administering his customers accounts.  As such, the HIPAA Reseller provides basic support to his customers, can do password resets, can technically access their ePHI via password reset and support processes, etc.

Read the rest of this post »

LUXSCI