
Business Associate Agreement Vs Data Use Agreement

7. Entities that are only "conduits" for PHI. Entities that transmit PHI for a covered entity are not business associates if they do not need to access the PHI on a regular basis, i.e., they are only "conduits" of the PHI (e.g., Internet service providers, telephone companies, etc.). (45 CFR 160.103; 78 FR 5571; 65 FR 82476).

4. Conditioning the business associate agreement. If the covered entity continues to insist on a business associate agreement, the business associate or subcontractor could minimize its commitment by conditioning the business associate agreement on the entity's status as a business associate, i.e., it assumes responsibility if and to the extent that it is a business associate within the meaning of HIPAA. While this is an imperfect solution, it could at least allow the entity to avoid regulatory sanctions if it is really not a business associate.

3. Implementing written business associate agreements with covered entities that, for the most part, require the business associate to protect the privacy of PHI; limit the business associate's use or disclosure of PHI to purposes approved by the covered entity; and help covered entities respond to patient requests concerning their PHI. (45 CFR 164.308(b), 164.314(a), 164.502(e) and 164.504(e)). For more information on business associate agreements, see the attached checklist for HIPAA Business Associate Agreements. If the covered entity discloses only a "limited data set" to the business associate, the parties may execute a data use agreement instead of a full business associate agreement. (45 CFR 164.514(e)).

A Data Use Agreement (DUA) is a specific type of agreement that is required and must be entered into under the HIPAA Privacy Rule before a limited data set (defined below) from a medical data set is used by or disclosed to an outside institution or party for one of three purposes: (1) Research, (2) Public Health or (3) Public Health Operations. A limited data set remains Protected Health Information (PHI) and, for this reason, HIPAA covered entities or hybrid covered entities, such as the University of Arizona (UA), must enter into a DUA with any institution, organization or entity to which UA discloses or transfers a limited data set. (OCR Business Associate Guidance, available at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html).

This exemption applies only to the extent that the health care provider uses the PHI for treatment purposes; it would not apply if the health care provider uses the information to perform other functions on behalf of the covered entity. "For example, a hospital may benefit from the services of another health care provider to assist in the training of medical students in the hospital. In this case, a business associate contract would be required before the hospital could allow the health care provider access to [PHI]." (OCR FAQ). But even in this example, the hospital and the doctor would not need a business associate agreement if they were members of an OHCA.

A business associate agreement is a contract between the covered entity and the business associate that puts these commitments in writing. As part of a business associate agreement, the parties must specify the types of PHI, and the access to PHI, that the business associate will have (and what types of PHI and access it may not have), as well as the safeguards that the business associate will use to preserve the integrity and confidentiality of the PHI.


April 2021