Are Business Partners of Business Partners covered under HIPAA?
Such entities would have a relationship to the Business Partner but not directly to the Covered Entity.
If a Business Partner of a Business Partner receives Covered Information, does the second Business Partner come under HIPAA?
The final rule for Standards for Electronic Transactions defines "business associate" at 45 CFR 160.103 and discusses the requirements for covered entities using business associates at 162.923(c).
This section says that if a covered entity chooses to use a business associate to conduct all or part of a transaction on behalf of the covered entity, the covered entity must require the business associate to do the following:
- Comply with all applicable requirements.
- Require any agent or subcontractor to comply with all applicable requirements.
Therefore, to be in compliance, the covered entity must require that its business associate, in turn, require its own business associate to comply.
Assuming the second Business Partner does fall under HIPAA, what steps must that entity take? The same steps as Covered Entities? Where in HIPAA does it state the responsibility of the Business Partners if they want to disclose protected health information?
The second business associate would be required to comply with the same requirements that apply to the covered entity, and to the first business associate, when acting on behalf of the covered entity. The requirements at 162.923(c) apply when a business associate is conducting a standard transaction on behalf of a covered entity. The final regulation for standards for privacy of individually identifiable information, when it is adopted, will give requirements for business associates with respect to protected health information.