Qualified Service Agreement
Health care providers who receive 1) federal funding[ii] and 2) retain themselves as substance abuse treatment[iii] by 42 CFR, Part 2 (chapter 2). A conventional BAA alone is not enough to protect patient confidentiality for a Part 2 program. A third-party provider, z.B. an information-sharing provider like ScanSTAT, is called the Qualified Services Organization (QSO) when working with a Part 2 program. This relationship must be controlled by an agreement to organise qualified services (QSOA). [iv] However, while the Part 2 program is also a covered unit within the meaning of the data protection rule,[v] the service provider is also a partner in the Part 2 program and also requires the necessary contractual provisions in an BAA to be formalized in an agreement between the parties. This hybrid agreement is often referred to as the Business Associate/Qualified Services Organization Agreement. However, since drug abuse treatment programs cannot disclose protected health information without authorization for treatment, payment and exploitation, a qualified service organization agreement can only be authorized with a psychiatric provider as an alternative to patient authorization. On the other hand, the data protection rule allows for an agreement with trading partners with accrediting bodies as an alternative to authorisation, while an agreement with a qualified service organisation is not necessary to carry out audit and evaluation activities – although the activities are strictly regulated by law (2.53) and must be reflected in this counterparty agreement. Today, when you write business partner contracts for a health care provider, you have probably found that there are often no magic words or formulas that lead to an agreement. While sample forms from different sources may be useful, there are generally not two business partners who are the same. For Part 2 programs that are also covered entities, it is best practice to have an agreement with your qualified third-party partners as qualified trading partners and service organizations to execute an agreement containing the requirements of an BAA as well as the additional requirements of a QSOA. If you work with a provider with information such as ScanSTAT, make sure you have a QSOA.
ScanSTAT runs QSOAs with our qualified customers. In some cases, national legislation may further protect the privacy rights of drugs and alcohol, mental health and other patients (e.g. B HIV and AIDS) as the data protection rule HIPAA and 42 CFR, part 2. If this is the case, the more restrictive law normally prevails and must be reflected in decisions regarding participation in trade partners and qualified service arrangements. [vi] www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html With respect to admissible claims, the covered entity is prohibited from asking the counterparty to do anything that is not permitted under the data protection rule if it also does so by the affected entity.