Business Associates Policy

RosettaHealth recognizes its status as a Business Associate under the definitions contained in the HIPAA regulations and that it must comply with HIPAA and the HIPAA implementing regulations pertaining to Business Associates. Additionally, it is RosettaHealth’s intent to establish and maintain lawful working relationships with our own Business Associates that are in full compliance with all the requirements of the HIPAA Final “Omnibus” Rule

Applicable Standards

Applicable Standards from the HIPAA Security Rule

  • 164.308(b)(1)

  • 164.410

  • 164.502(e)

  • 164.504(e)

  • HITECH Act 13401

Polices concerning Business Associates Agreements

  1. In cooperation with RosettaHealth, sub-contractors who are Business Associates work with, use, transmit, and/or receive individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), which is afforded specific protections under HIPAA.

  2. RosettaHealth has joint responsibility in Business Associate relationships to ensure that individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), is properly protected and safeguarded.

  3. RosettaHealth will establish a BAA with all HealthBus customers before any exchange or transport of ePHI is allowed.

  4. The HIPAA (“Omnibus”) Final Rule specifically identifies the following types of entities as Business Associates:

    1. Subcontractors.

    2. Patient safety organizations.

    3. HIOs -- Health Information Organizations (and similar organizations). HHS declined to specifically define HIOs in the Omnibus Rule, but chose the term "HIO" because it includes both Health Information Exchanges (HIEs) and regional health information organizations.

    4. E-Prescribing gateways.

    5. PHRs -- Personal Health Record vendors that provide services on behalf of a covered entity. PHR vendors that do not offer PHRs on behalf of CEs are not BAs.

    6. Other firms or persons who “facilitate data transmission" that requires routine access to PHI.

  5. The “Minimum Necessary Standard” now applies directly to Business Associates. HIPAA now applies the Minimum Necessary standard directly to Business Associates and their subcontractors. When using, disclosing or requesting PHI, all these entities must make reasonable efforts to limit Protected Health Information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

  6. Subcontractors of Business Associates are now Business Associates themselves. A subcontractor is defined as a person or entity to whom a Business Associate delegates a function, activity, or service involving Protected Health Information, and who is not a member of the Business Associate’s own workforce.

  7. As a Business Associate itself, RosettaHealth is required to enter into a Business Associate contract with any subcontractor who is a Business Associate of ours.

  8. Responsibility for maintaining appropriate and lawful relationships with Business Associates shall reside with the designated HIPAA Official or HIPAA Officer who shall ensure that all aspects of our Business Associate relationships are appropriate and lawful, and who shall ensure that individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), is properly protected and safeguarded by our Business Associates.

  9. With regard to our own Business Associates (sub-contractors), the duties and responsibilities of the Security and Privacy Officer shall include, but are not limited to the following:

    1. Ensure that all Business Associate contracts meet all HIPAA requirements and standards, including those requirements and standards amended by the HITECH Act, the HIPAA “Omnibus” Final Rule, and any requirements of State laws in the state(s) where we operate.

    2. Ensure that individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), is properly protected and safeguarded by our Business Associates.

    3. Ensure that Business Associates understand the importance and necessity of protecting individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), whether in electronic form (“ePHI”) or hardcopy form.

    4. Ensure that Business Associates have proper and appropriate safeguards in place for individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA), before entrusting such information to them.

    5. Ensure that Business Associates understand and are properly prepared to detect and respond to breaches of individually identifiable health information, including Protected Health Information (“PHI”, as defined by HIPAA).