The CE has a BAA with the Business Associate which governs the appropriate use of PHI. A NoPP is for informing patients of your processes and their rights. No need to supply it to a BA that I can see.
Scot Lovejoy RPh. CHC CHPC
Chief Pharmacy Officer
9 Campus Drive, 2nd Floor East
Parsippany, N.J. 07054
(O) 973-540-8400 x227
I agree it is not required to include language about a CE's NPP or to provide one, but OCR does include such notification as optional in its model BAA. I see this language pretty often when reviewing BAAs for clients. In the end it is the responsibility of the CE to inform the BA if there are granted restriction requests, authorization revocations, etc. If the CE does not inform the BA, the BA will not act on such revocations, granted restriction rights, etc.
Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
(a) [Optional] Covered entity shall notify business associate of any limitation(s) in the notice of privacy practices of covered entity under 45 CFR 164.520, to the extent that such limitation may affect business associate's use or disclosure of protected health information.
(b) [Optional] Covered entity shall notify business associate of any changes in, or revocation of, the permission by an individual to use or disclose his or her protected health information, to the extent that such changes may affect business associate's use or disclosure of protected health information.
(c) [Optional] Covered entity shall notify business associate of any restriction on the use or disclosure of protected health information that covered entity has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect business associate's use or disclosure of protected health information.
The link to the model BAA is: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
Chris Apgar, CISSP
CEO & President
(503) 384-2538 (o)
(503) 816-8555 (c)
(503) 384-2539 (f)
Privacy | Information Security | Compliance | Certification Readiness | Security Incident Response
No. However, a covered entity must ensure through its contract with the business associate that the business associate's uses and disclosures of protected health information and other actions are consistent with the covered entity's privacy policies, as stated in covered entity's notice. Also, a covered entity may use a business associate to distribute its notice to individuals.