All healthcare organizations have vendor relationships. These relationships can be a source of security and privacy breaches. There are two broad categories of third parties: contractors and business associates. Generally, the vendor’s exposure to critical Protected Health Information (PHI) will determine the category it falls into. A contractor may be in your facility providing a service (for example, cleaning), but not necessarily handling data. A business associate, on the other hand, actually handles PHI. An example of a business associate is a data clearinghouse or a doctor’s office that would have specific access to data.
These two types of relationships imply different standards related to data. Those holding PHI must be held to acceptable privacy and security standards. Some organizations may require business associates to be HITRUST certified. The wording of agreements with third parties should clarify the standards to which a third party will be held. For the Unit 4 assignment, you will explore the language found in these types of agreement documents and create examples that a healthcare organization could use.
Develop two items for your Healthcare Security and Privacy Plan: an Example Contract and a Business Associate Agreement.
To develop your Example Contract:
- Clarify the type of relationship or service you would cover with a contract.
- Develop a sample contract showing the type of specific language that might be used in a contract.
- Cite your sources for the contract language you use.
To develop your Business Associate Agreement:
- Research Business Associate Agreements on the Internet.
- Clarify the type of relationship you would cover with a Business Associate Agreement.
- Develop a sample agreement.
- Cite your sources for the agreement language you use.
Note: Privacy, security, and regulatory websites may be good resources for this assignment.