The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
Do subcontractors need to comply with HIPAA?
HIPAA requires Covered Entities to only work with Business Associates who assure complete protection of PHI. These assurances have to be in writing in the form of a contract or other agreement between the Covered Entity and the BA. HHS can audit BAs and Subcontractors for HIPAA compliance, not just Covered Entities.
What are the exceptions to the HIPAA Privacy Rule?
Examples of exceptions to the Privacy Rule: public health, and emergencies affecting life or safety; research; judicial and administrative proceedings; law enforcement.
What is a subcontractor under HIPAA?
Subcontractor means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.
What makes something HIPAA compliant?
HIPAA compliance is adherence to the physical, administrative, and technical safeguards outlined in HIPAA, which covered entities and business associates must uphold to protect the integrity of Protected Health Information (PHI).
What are the rules for business associate agreements?
In fact, the latest rules state that covered entities MUST ensure they obtain satisfactory assurances from their business associates, and business associates must do the same with their subcontractors, and so on, no matter how far “down the chain” the information flows.
Can a business associate be a subcontractor?
Think of subcontractors as business associates of business associates. The BAA follows the direct path of the chain. So, a covered entity is not required to sign a BAA with their business associates’ subcontractors, but the business associate is.
Do you have to sign a BAA with a business associate?
A covered entity is not required to sign a BAA with its business associates’ subcontractors, but the business associate is. Each party in the chain is required by regulation and by contract to protect the PHI and administer it consistently with the obligations of the covered entity at the top of the chain.
What are the different types of business associates?
The main categories are clearinghouses, covered entities (CEs), and business associates. The further down the line the subcontractor gets from the covered entity, the more confusion there is about who really is a business associate and who needs to sign a business associate agreement.