If you answered “yes” to these two questions, you are a “covered entity” and you must obtain a BAA from every third party your firm uses that processes PHI. A business associate contract is not required with persons or entities whose functions, activities or services do not involve the use or disclosure of [PHI] and for whom any access to [PHI] would be incidental, if it occurs at all. [For example], the services that clean the offices or facilities of a covered entity are not business associates, as the work they do for covered entities does not involve the use or disclosure of [PHI], and any disclosure of [PHI] to janitorial staff in the performance of their duties (as can occur when emptying garbage cans) is limited in nature and occurs only as a by-product of their services.

What is a business associate? A “business associate” is a person or organization that performs certain functions or activities involving the use or disclosure of protected health information on behalf of a covered entity, or that provides services to a covered entity. A member of a covered entity's workforce is not a business associate. A covered health care provider, health plan or health care clearinghouse may be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, and the related services, that make an individual or organization a business associate when the activity or service involves the use or disclosure of protected health information. The types of functions or activities that can make an individual or organization a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.

2. Workforce members of a covered entity.
A covered entity's workforce members are not business associates of the entity. The workforce includes “employees, volunteers, trainees and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate” (CFR 160.103). To avoid business associate obligations, contractors may attempt to be classified as workforce members of the covered entity. The OCR has addressed this point (OCR Business Associate Guidance, available at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html). This exception applies only to the extent that the health care provider uses the PHI for treatment purposes; it would not apply if the health care provider uses the information to perform other functions on behalf of the covered entity.

“For example, a hospital may engage the services of another health care provider to assist in the training of medical students at the hospital. In this case, a business associate contract would be required before the hospital could allow the health care provider access to [PHI].” (OCR FAQ). But even in this example, the hospital and the physician would not need a business associate agreement if they were members of an OHCA.

General provision. The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or another agreement between the covered entity and the business associate.

Exceptions to the Business Associate Standard. The Privacy Rule contains the following exceptions to the business associate standard.