business associate agreement Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more

Posts Tagged ‘business associate agreement’

Business Associate Agreements: Fact vs Fiction

Tuesday, August 28th, 2018

HIPAA covered entities form partnerships with third parties to safeguard their data assets effectively. Business associate agreements (BAAs) formalize these relationships and, importantly, describe the HIPAA-related risks and responsibilities that business associates (BAs) will take on.

The written contract between the covered entity and business associate must meet the following requirements:


  1. State the permitted and required uses and disclosure of PHI by the BA.
  2. Assure that the BA will not use or share information other than as required or permitted by the contract or by law.
  3. Require the BA to implement suitable safeguards to prevent the unauthorized use of information, including deploying the requirements of the HIPAA Security Rule as it relates to protected health information.
  4. Report to the covered entity any use or disclosure of information not provided for by the contract.
  5. Agree to disclose PHI to meet the covered entity’s obligation to provide individuals a copy of their PHI, and also either provide PHI for amendments or incorporate amendments.
  6. Adhere to the requirements of the Privacy Rule to the extent required.
  7. Provide to the Department of Health and Human Services records, practices and books related to the use and disclosure of PHI.
  8. At the termination of the contract, destroy or return all PHI created or received by the BA on behalf of the covered entity.
  9. Ensure that any subcontractors the BA engages must comply with substantially the same conditions and restrictions that apply to the BA.
  10. Authorize termination of the contract by the covered entity if the BA violates a material term of the contract.


HIPAA Business Associate Agreement: Do I Need One?

Thursday, July 12th, 2018

A business associate (BA) is an individual or an entity who could come in contact with protected health information (PHI) by providing services to or performing activities on behalf of covered entities. Your employee is not a business associate, but your web host, email encryption service, billing company and lawyers could be, and these are just four examples. BAs of BAs (BAs contracting with your vendors) further extend the chain.

Not all entities that access PHI must be business associates. For instance, the cleaning company that disposes of trash from your office does not qualify as a business associate even though there is a possibility of the cleaning crew coming in contact with identifying patient information in dustbins or lying on fax machines or desks (though if they do, then your employees did not manage the PHI properly). However, it is important to have a clear reporting mechanism in place so that cleaning company workers can alert a point person in your office when they come across PHI.


The Omnibus Rule provides multiple categories of business associates, including health information organizations (HIOs) and anyone offering personal health records to individuals on behalf of covered entities, and covers a variety of service categories such as data aggregation, accreditation, actuarial and administrative services provided to a covered entity, as long as such services involve the disclosure of patient health information. Use this link for more information on business associates.


Google Apps HIPAA Compliance Gotchas: Email encryption not included and higher price

Wednesday, October 8th, 2014

There has been a lot of hype about Google offering a Business Associate Agreement to paid Google Apps customers who must abide by HIPAA regulations. Those who are familiar with Google may be under the incorrect assumption that simply signing up for Google Apps will solve all their HIPAA compliance challenges. As of October 2014, this seems increasingly unlikely.

Myths and hidden costs pervade this equation. If a HIPAA-aspiring entity isn’t fully educated about the finer details of the compliance process, they could end up paying very large amounts of money for Google services and still be non-compliant. Here we discuss some misconceptions about Google services as they apply to HIPAA to help you avoid the pitfalls of non-compliance.


Do HIPAA Resellers Need Business Associate Agreements with their Clients?

Thursday, March 27th, 2014

The short answer is “Yes”.

The HIPAA Omnibus (and HITECH) rules state that a chain of Business Associate Agreements is required from the Covered Entity through each business partner in the chain of companies that have potential access to the ePHI of that covered entity.

In the case of LuxSci HIPAA resellers, the chain of companies is:

  1. LuxSci
  2. LuxSci Reseller
  3. Resellers’ Customers (be they Covered Entities or Business Associates)

So, LuxSci would have a business associate agreement with the Reseller, and the Reseller would have separate business associate agreements with each of his/her customers. This is because the LuxSci HIPAA reseller is acting as a VAR (value added reseller) of LuxSci, administering his/her customers' accounts. As such, the HIPAA Reseller provides basic support to those customers, can do password resets, and can technically access their ePHI via password reset and support processes, etc.


HIPAA Resellers Make LuxSci Services Their Own

Monday, March 17th, 2014

Small web or IT shops specializing in services for the medical segment often subscribe to LuxSci to provide HIPAA-compliant email and/or web services to their customers. We take care of providing the services, support, and compliance. They take care of getting the customers set up, providing direct support, integrating with customers’ other services, etc. These businesses effectively resell LuxSci security services, charging their customers for our services plus the value they add.

Aggressive resellers like to present LuxSci’s email and web security services as their own product offering, to a large extent. This is easily accomplished with LuxSci’s Private Labeling service.
