Other Arrangements provide government entities with compliant pathways tailored to their specific needs, helping them fulfill their HIPAA obligations effectively.
HHS guidance states that the standard “...provides the specific criteria required for written contracts or other arrangements between a covered entity and its business associates. The actual language used to address the requirements can be tailored to the needs of each organization, as long as the requirements are addressed.”
When both the covered entity and its business associate are government entities, they have the option to choose between two alternative approaches. First, they can enter into a Memorandum of Understanding (MOU) that includes terms and conditions designed to achieve the objectives outlined in the Business Associate Contracts section of the Security Rule.
Alternatively, if there are existing laws or regulations that already impose requirements on the business associate related to the protection of electronic protected health information (ePHI), the covered entity can rely on these other laws to ensure compliance with the Security Rule. The term "Other Arrangement" encompasses these two options and allows government entities to tailor their compliance efforts according to their specific legal obligations and circumstances.
A Business Associate Agreement (BAA) is a legal document outlining the responsibilities and obligations of a covered entity - your healthcare organization - and its business associates under HIPAA regulations. You should ask for a business associate agreement whenever PHI is involved.
Any third-party organization that performs services involving PHI on your behalf is considered a business associate. The BAA is required to ensure that the business associate complies with HIPAA rules and safeguards PHI appropriately.
A BAA is a formal, legally binding contract between a covered entity (such as a healthcare provider) and a business associate (such as a medical billing company). Its purpose is to clearly outline the business associate's roles, responsibilities, and obligations regarding the handling, storage, and safeguarding of ePHI.
BAAs are highly customizable and allow the parties to negotiate specific terms and security measures that align with the requirements of the HIPAA Security Rule. They provide a structured and formal framework for ensuring ePHI protection and create legally enforceable obligations on the part of the business associate. This level of customization and formality offers the covered entity greater control and specificity in how ePHI is managed by the business associate.
In contrast, an "Other Arrangement" is a broader term encompassing alternative methods for achieving HIPAA compliance, particularly when both parties are government entities. These alternatives can include Memoranda of Understanding (MOUs) or relying on existing laws and regulations that already impose requirements on the business associate.
While MOUs can be formal agreements, "Other Arrangements" may not always involve a written contract or the same level of formality as a BAA. These alternative methods may provide less flexibility for customization and may rely on pre-existing legal frameworks, potentially offering less control and specificity compared to a BAA.
Entities subject to "Other Arrangements" in the context of HIPAA generally include government entities that qualify as covered entities under HIPAA regulations. A few examples of these entities include
A business associate is an individual or entity that performs certain functions or activities on behalf of a covered entity involving PHI.
A conduit is the label given to organizations such as postal services or internet service providers that merely transmit PHI but don't access or store it.
A covered entity is an organization that must comply with HIPAA, such as a healthcare provider, health plan, or healthcare clearinghouse.