Most healthcare providers understand that a healthcare clearinghouse is a business associate, but not all of them appreciate how broad the term is. Originally, covered entities, such as laboratories that perform tests, were not subject to BAAs, because they are responsible for their own HIPAA compliance, but the Omnibus Rule changed that. Now, just about everyone who processes, stores, transmits or accesses your PHI and is not part of your organization is a business associate, including other covered entities. If a healthcare provider is not employed by you but performs work for you, that provider is subject to a HIPAA business associate agreement. A HIPAA business associate agreement is a contract between a HIPAA-covered entity and a vendor used by that entity. A HIPAA-covered entity is usually a healthcare provider, health plan or healthcare clearinghouse that conducts transactions electronically. A vendor of a HIPAA-covered entity that must receive protected health information (PHI) to perform tasks on behalf of the covered entity is designated a business associate (BA) under HIPAA. A vendor is also classified as a BA when, as part of the services it provides, electronic PHI (ePHI) passes through its systems.
A signed HIPAA business associate agreement must be obtained by the covered entity before a business associate may come into contact with PHI or ePHI. Portals can also undermine HIPAA business associate agreements by encouraging your business associates' employees or your own employees to take shortcuts: sending unsecured email, keeping unencrypted copies of files on the desktop for easy access, or taking other unacceptable compliance risks in the HIPAA cloud. Things became considerably more complicated when the HITECH HIPAA Omnibus Rule of 2013 expanded the previously simple definition of a business associate to include so-called subcontractors. Subcontractors, such as a software developer or hosting provider, are typically service or technology organizations that provide additional services to business associates, which in turn provide services to covered entities.

5. Entities acting on their own behalf or on behalf of the patient.

The business associate requirements apply only to entities performing a function involving PHI on behalf of a covered entity or its business associate. Entities that process PHI for their own purposes are not business associates. For example, "[a] provider that submits a claim to a health plan and a health plan that assesses and pays the claim are each acting on its own behalf as a covered entity, and not as a 'business associate' of the other." (OCR Business Associate Guidance). Similarly, a bank or financial institution is not a business associate of a covered entity when it "processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums"; in such cases, "the financial institution is providing its customers with its normal banking or other financial transaction services; it is not performing a function or activity for, or on behalf of, the covered entity" and is not a business associate.