What are the HIPAA Security Rule's "Organization Requirements"?

Modified on Mon, 11 Dec 2023 at 01:57 PM


DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


The HIPAA Security Rule, like the HIPAA Privacy Rule, imposes a business associate agreement requirement. This requirement is one of two Security Rule “organizational” requirements (the other being security requirements imposed on group health plans to ensure plan sponsors safeguard ePHI created, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan). Both “organizational requirements” contain rules for how one entity may share ePHI with another such entity.

What are the “Organization Requirements” Regarding Business Associate Agreements?

Business associates must enter business associate agreements with covered entities before the business associate may access the ePHI of the covered entity. The business associate agreement must comply with the Security Rule.

Business associate agreements must require the business associate to report, to the covered entity, any security incident that the business associate becomes aware of, including breaches of unsecured PHI.

Business associates must also ensure that any business associate subcontractors that create, receive, maintain, or transmit ePHI on behalf of the business associate, agree to comply with the applicable requirements of the Security Rule by themselves (the subcontractors) entering into a business associate agreement with the business associate who seeks to hire them to perform a PHI-related function.


What are the “Organization Requirements” for Group Health Plans?

In general, a group health plan is a health plan offered by an employer or employee organization that provides health coverage to employees and their families. Under the HIPAA Security Rule “organization requirement” for group health plans, a group health plan must ensure that its plan documents (that is, those documents that inform plan participants as to what plan benefits they are entitled to, and those documents that provide guidelines to be used by the plan administrator in decision-making with respect to plan operations) require the plan sponsor to reasonably and appropriately safeguard the following ePHI: ePHI that is created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.

The plan sponsor is the entity that ultimately pays for the health insurance coverage or benefits. Sponsors can be employers, insurance agencies, unions, or government agencies.
