(H) To the extent the business associate is to carry out a covered entity's obligation under this subpart, comply with the requirements of this subpart that apply to the covered entity in the performance of that obligation.
If the intermediary has entered into a business associate agreement with an insurer that is a HIPAA covered entity, then the HIPAA rules for organized health care arrangements (OHCAs) allow the intermediary to use the PHI and disclose it to the health plan without the need to enter into an agreement with the health plan. Under HIPAA, an OHCA includes a group health plan and its health insurer or HMO, with respect to PHI created or received by the insurer or HMO that relates to individuals who are or have been covered by the group health plan. Members of an OHCA may disclose PHI to other members of the OHCA for the OHCA's health care operations. In practice, the intermediary should not share PHI directly with the health plan sponsor unless the sponsor identifies the specific staff authorized to receive the PHI and certifies to the health plan that it complies with the specific disclosure rules for group health plans.
(2) Implementation specifications: business associate contracts. The covered entity must receive satisfactory assurances (a business associate agreement or "BAA") that the business associate will do so. The satisfactory assurances required by paragraph (e)(1) of this section must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e).
Question: When does an employer have to enter into a HIPAA business associate agreement (BAA) with an external service provider for the plan?
In most cases, a broker is unlikely to be a health plan, a health care provider or a health care clearinghouse. If a broker does not meet the definition of a health plan, health care provider or health care clearinghouse, the broker would not be considered a covered entity under HIPAA.
Although the broker is not considered a covered entity, the broker may still have responsibilities under HIPAA as a business associate (which is explained below). It should be noted that employers who sponsor group health plans are also not covered entities, but the group health plan they sponsor is considered a covered entity. As a result, employers are required to certify that they will not use the protected health information (PHI) they receive from the group health plan for employment-related actions.
By law, the HIPAA Privacy Rule applies only to covered entities: health plans, health care clearinghouses and some health care providers. However, most health care providers and health plans do not perform all of their health care activities and functions themselves. Instead, they often use the services of many other individuals or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these "business associates" when the providers or plans receive satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will protect the information from misuse, and will help the covered entity fulfill some of the covered entity's obligations under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to assist the covered entity in carrying out its health care functions, not for the business associate's independent use or purposes, unless it is necessary for the proper management and administration of the business associate.