The short answer is “Yes“.
The HIPAA Omnibus (and HITECH) rules states that a chain of Business Associate Agreements is required from the Covered Entity though each business partner in the chain of companies that have potential access to the ePHI of that covered entity.
In the case of LuxSci HIPAA resellers, the chain of companies is:
- LuxSci Reseller
- Resellers’ Customers (be they Covered Entities or Business Associates)
So, LuxSci would have a business associate agreement with the Reseller and the Reseller would have separate business associate agreements with each of his/her customers. This is because the LuxSci HIPAA reseller is acting as a VAR (value added reseller) of LuxSci, administering his customers accounts. As such, the HIPAA Reseller provides basic support to his customers, can do password resets, can technically access their ePHI via password reset and support processes, etc.
Read the rest of this post »