What are some considerations in developing and implementing a business associate agreement with a health information organization (HIO)?
In general, the HIPAA Privacy Rule requires that the contract between a covered entity and its business associate establish the permitted and required uses and disclosures of protected health information (PHI) by the business associate, but provides that the contract may not authorize the business associate to use or disclose PHI in a manner that would violate the Privacy Rule. In addition, the contract must require the business associate to appropriately safeguard PHI. See 45 C.F.R. § 164.504(e). See also the relevant business associate requirements of the HIPAA Security Rule at 45 C.F.R. § 164.314(a). Given these required elements of a business associate agreement, covered entities participating in a networked environment with a HIO can use the business associate agreement as a tool to help shape the specific terms and conditions of the information exchange the HIO will manage, as well as the safeguards that will be in place to ensure information is protected and only shared appropri