Specifically, when providing services or technologies to a covered entity (for example, a hospital) or to another subcontracting business associate (e.g. a PaaS provider such as Datica), business associates process, transmit or otherwise interact with the electronic protected health information (ePHI) of those covered entities. Because of this access to PHI, all business associates must sign what is known as a Business Associate Agreement (BAA). The BAA is a legal contract describing how the business associate complies with HIPAA, as well as the liabilities and risks it assumes.

www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
searchsecurity.techtarget.com/definition/business-associate
www.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa-regulations-affect-business-associates__
www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

Exceptions to the Business Associate Standard

The confidentiality rule contains the following exceptions to the business associate standard. See 45 CFR 164.502(s). In such situations, the covered entity is not required to enter into a business associate contract or any other written agreement before the protected health information can be transmitted to the person or entity. HHS can verify the compliance of BAs and subcontractors, not just covered entities.

Business Associate Agreement Between Two Business Associates