BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS
POLICY # 28
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERSEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security Rule Language:
“A covered entity may permit a business associate to create, receive,
maintain, or transmit electronic protected health information on the
covered entity’s behalf only if the covered entity obtains satisfactory
assurances that the business associate will appropriately safeguard
the information.”
Policy Summary:
Sindecuse Health Center (SHC) may permit a business associate to
create, receive, maintain, or transmit EPHI on its behalf only if there is a
written agreement between the covered entity and the business associate
that provides assurances that the business associate will appropriately
safeguard the information.
Purpose:
This policy reflects SHC’s commitment to only permit a business
associate to create, receive, maintain, or transmit EPHI on its behalf if
there is a written agreement between the two parties which provides
assurances that the business associate will appropriately safeguard the
information.
Policy:
1. When another entity is acting as a business associate of SHC, the
business associate must appropriately and reasonably protect the EPHI
that it creates, receives, maintains or transmits on SHC's behalf.
2. SHC will permit a business associate to create, receive, maintain, or
transmit EPHI on its behalf only if there is a written agreement between
the two parties which ensures that the business associate will
appropriately and reasonably safeguard the information.
3. When required by law, SHC may permit a business associate to
receive, create, maintain, or transmit EPHI on its behalf to the extent
necessary to comply with the legal mandate without meeting the
requirements of the business associate contract. SHC must make a good
faith attempt to obtain satisfactory assurances that the business associate
will safeguard SHC’s EPHI, as required by the business associate
contract, and to document the attempt and the reasons that these
assurances cannot be obtained.
4. The transmission of EPHI by SHC to a health care provider
concerning the treatment of an individual does not require a business
associate agreement.
5. All business associate agreements must be documented and must
follow the standard business associate agreement language of SHC.
6. New contracts with existing business associates do not have to be
obtained specifically for this purpose, if existing written contracts
adequately address the applicable requirements or can be amended to do
so.
Scope/Applicability:
This policy is applicable to all departments that use or disclose electronic
protected health information for any purpose.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory Category:
Administrative Safeguards
Regulatory Type:
Standard plus REQUIRED Implementation Specification for Business
Associate Contracts Standard
Regulatory Reference:
45 CFR 164.308(b)(1); 45 CFR 164.308(b)(2)
NOTE: This policy combines both the Standard and its Implementation
Specification.
Definitions:
Electronic protected health information means individually identifiable
health information that is:
• Transmitted by electronic media
• Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Business associate means a person or organization that performs a
function or activity involving the use or disclosure of protected health
information, on behalf of the covered entity. A person or organization
who only assists in the performance of the function or activity is also a
business associate. This includes a person or organization that receives
PHI from the covered entity, and one who obtains PHI for the covered
entity. This includes, for example: data analysis, processing or
administration; web site hosting; utilization review; quality assurance;
billing; collections; benefit management; practice management; legal
services; actuarial services; accounting and auditing; consulting;
management and administrative services; accreditation; financial
services; or any other service in which the person or organization obtains
PHI from or for the covered entity. Members of the workforce are not
considered business associates. The exchange of protected health
information between providers of health care, for purposes of providing
treatment to a patient, does not create a business associate relationship.
Responsible Department:
Department Heads; Business Services
Policy Authority/Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure #(TBD).
Related Policies:
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.