What were the major modifications to the HIPAA Privacy Rule that the Department of Health and Human Services (HHS) adopted in August 2002?
Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?
May a HIPAA covered entity or business associate use a cloud service to store or process ePHI?
If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?
Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?
Which CSPs offer HIPAA-compliant cloud services?
What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?
If a CSP experiences a security incident involving a HIPAA covered entity’s or business associate’s ePHI, must it report the incident to the covered entity or business associate?
Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?
Do the HIPAA Rules require a CSP to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?
Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?
Do the HIPAA Rules require CSPs that are business associates to provide documentation, or allow auditing, of their security practices by their customers who are covered entities or business associates?
If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it a business associate?
Has the Secretary exceeded the HIPAA statutory authority by requiring “satisfactory assurances” for disclosures to business associates?
Were there Privacy Rule compliance deadlines in 2004?
Responsibilities of Covered Entities
Is a covered entity liable for, or required to monitor, the actions of its business associates?
May a covered entity share protected health information directly with another covered entity’s business associate?
When may a covered health care provider disclose protected health information, without an authorization or business associate agreement, to a medical device company representative?
Must a covered health care provider obtain an individual’s authorization to use or disclose protected health information to an interpreter?
Can health care providers invite or arrange for members of the media, including film crews, to enter treatment areas of their facilities without prior written authorization?
Business Associate Contracts
Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?
Is a business associate contract required for a covered entity to disclose protected health information to a researcher?
Are covered entities that engage in joint activities under an organized health care arrangement (OHCA) required to have business associate contracts with each other?
Is a business associate contract required with organizations or persons where inadvertent contact with protected health information may result – such as in the case of janitorial services?
Is a physician required to have business associate contracts with technicians such as plumbers, electricians or photocopy machine repairmen who provide repair services in a physician’s office?
Would business associate contracts in electronic form, with an electronic signature, satisfy the HIPAA Privacy Rule’s business associate contract requirements?
Do physicians with hospital privileges have to enter into business associate contracts with the hospital?
Who are Business Associates
Are accreditation organizations business associates of the covered entities they accredit?
When is a health care provider a business associate of another health care provider?
Are the following entities considered “business associates” under the HIPAA Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?
If the only protected health information a business associate receives is a limited data set, does the HIPAA Privacy Rule require the covered entity to enter into both a business associate agreement and data use agreement with the business associate?
Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity’s business associate as the minimum necessary?
Is a physician or other provider considered to be a business associate of a health plan or other payer?
Is a health insurance issuer or HMO who provides health insurance or health coverage to a group health plan a business associate of the group health plan?
Is a reinsurer a business associate of a health plan?
Is a software vendor a business associate of a covered entity?
When a covered entity, such as a doctor, uses a certified Telecommunications Relay Service to contact patients with hearing or speech impairments, is the Relay Service a business associate of the doctor?
In providing legal services to a covered entity, must a lawyer who is a business associate require that those persons to whom it discloses protected health information agree to abide by the privacy restrictions and conditions that apply to the lawyer?
Requirements for Business Associates
Does the HIPAA Privacy Rule require a business associate to provide individuals with access to their protected health information or an accounting of disclosures, or an opportunity to amend protected health information?
May a business associate of a HIPAA covered entity block or terminate access by the covered entity to the protected health information (PHI) maintained by the business associate for or on behalf of the covered entity?
Limited Data Set Usage
Under the HIPAA Privacy Rule, may a covered entity contract with a business associate to create a limited data set the same way it can use a business associate to create de-identified data?
I want to hire the intended recipient of a limited data set to also create the limited data set as my business associate. Can I combine the data use agreement and business associate contract?
May a covered entity hire a business associate to create a limited data set, and may the public health authority be a business associate for that purpose, even if the public health authority is also the intended recipient of the limited data set?