How JustAnswer Works:
  • Ask an Expert
    Experts are full of valuable knowledge and are ready to help with any question. Credentials confirmed by a Fortune 500 verification firm.
  • Get a Professional Answer
    Via email, text message, or notification as you wait on our site.
    Ask follow up questions if you need to.
  • 100% Satisfaction Guarantee
    Rate the answer you receive.
Ask socrateaser Your Own Question
socrateaser, Attorney
Category: Business Law
Satisfied Customers: 38452
Experience:  Retired (mostly)
Type Your Business Law Question Here...
socrateaser is online now
A new question is answered every 9 seconds

Two HIPAA compliant organizations has a business relationship

This answer was rated:

Two HIPAA compliant organizations has a business relationship encompassing data exchange and querying of said data. A Hospital and a Patient Billing/Denial database company. The Pt Billing/Denial data compnay imports teh hospitals pt financial data to its databases which is accessed by the hospital to create reports and perform querys. When the hospital has an employee that they require to have access to the data, the Pt Billing/Denial database company requires a signed access request form from the hospital enduser. Does not HIPAA cover "implied trust" between two HIPAA compliant organizations which would make this requirement not necessary?

HIPAA violations are subject to severe penalties. Error on the side of caution is reasonable.


Employees engaged in patient care can reasonably discuss and disclose patient information so as to provide care, without a risk of violation. However, as the distance between patient care and the provider increases, the risk of disclosure to an unauthorized person increases.


An implied agency between contracting parties and employees that would protect all from a HIPAA violation may be sufficient to cover the exchange of information. But, without a signed access request, the billing company could be accused of not taking reasonable steps to prevent an unauthorized third party from accessing patient records.


Thus, the requirement is reasonable, even if not expressly required.


Hope this helps.


Terms and Conditions: By your continuing in this conversation with me, or by your clicking “Accept”, you are expressly agreeing to all of the following: (1) our communication is for entertainment purposes only; (2) you are not consulting me in my professional capacity as an attorney; (3) you do not seek to establish an attorney-client relationship with me, nor do I with you; (4) you will not rely on anything I say and you will obtain appropriate legal counsel via a traditional/office consultation with an attorney licensed to practice in the jurisdiction where your legal issue arises (and you may not use our communication to avoid taxpayer penalties imposed by the U.S. Dept. of Treasury); (5) by communicating with me in this public forum you are irrevocably waiving any right to privacy, confidentiality and attorney-client privilege concerning the matters discussed. You further separately declare that any payment made by you is not consideration for this contract, nor offered for any services rendered by me on your behalf, but rather is made in genuine admiration and respect for my desire to help others. If you do not agree with these terms and conditions, then you must advise me immediately.

Customer: replied 7 years ago.
Sorry, I didn't meant to imply that the non-hospital agency was a billing entity. The other agency imports the hospital's pt billing data and regurgitates it into queriable database that is accessed via the internet by the hospital Business Office employees for reference purposes. So, in other words, the BO emplolyees are accessing data that they already have access to just in a different format/venue (secured queriable internet provided by the non-hospital agency).
What's the goal you're trying to accomplish? That may clarify my understanding enough to provide an intelligent response. Thanks.
Customer: replied 7 years ago.

GOAL: To eliminate physical signatures on a access request form that the non-hospital agency states it needs to be HIPAA compliant.


> The problem is not the access request form but the physical signatures that they seem to have a need for.

> The requested signatures are redundant since we have HIPAA compliant process in place.

> This also creates undue costs attempting to acquire a physical signature and then faxing the form back (times the number of employees that require a access.)

> Doesn't HIPAA cover "implied trust" between two organizations?




No "implied trust." Just the opposite. 45 CFR Part 164, Subpart C provides specific security requirements, which although flexible, must be established and maintained.


An electronic signature may or may not be a sufficient safeguard. It would depend upon the degree of ease with which the electronic signature could be hacked, as compared to a physical signature.



socrateaser and other Business Law Specialists are ready to help you
Customer: replied 7 years ago.

Thank you even though that is not the answer I was looking for. :) I do appreciate your time and answers.


Thanks again,



You're welcome and good luck.

Related Business Law Questions