HIPAA and Business Associate Agreements
Sheila M Press
Title:
HIPAA and Business Associate Agreements
Creator:
Sheila M Press
Date:
3/18/2003
Text:
FYI to List Serve members. Recently, I posted information on this site
regarding under what circumstances business associate agreements are
appropriate per the HIPAA privacy regulations. I had attended a class on
the HIPAA Privacy Rule where the presenters were high-level officials from
DHHS. Since my posting, there has been some misinformation distributed on
this subject. According to the most up-to-date interpretation, it is NOT
necessary to have a business associate agreement with an entity that
performs central fabrication services; thus, where personal health
information (PHI) is shared with an entity that fabricates an item or device
for the use only of that particular patient, this is considered to be part
of “treatment.” On the other hand, however, where you order a device that
is already manufactured for the use of a particular patient and you share
the patient’s name, measurements, and/or sex, you DO NEED a business
associate agreement. Furthermore, if you order a component for a particular
patient and that component requires a warranty card, you NEED to have a
business associate agreement with the manufacturer of that component because
the manufacturer has obtained personal health information for your patient.
Confidentiality agreements do NOT take the place of business associate
agreements.
Sheila Press, Esq., MBA
Healthcare Compliance Solutions, Inc.
13653 East Aster Drive
Scottsdale, AZ 85259
Tel: 480-767-9477
Fax: 480-614-8782
E-mail: <Email Address Redacted>
Web: <URL Redacted>
Citation
Sheila M Press, “HIPAA and Business Associate Agreements,” Digital Resource Foundation for Orthotics and Prosthetics, accessed November 6, 2024, https://library.drfop.org/items/show/220813.