What are HIPAA's Other Arrangements?

Other Arrangements provide government entities with compliant pathways tailored to their specific needs, helping them fulfill their HIPAA obligations effectively.

What is an Other Arrangement?

An "Other Arrangement," in the context of HIPAA compliance, refers to an alternative method by which government entities and their business associates can meet the requirements of the HIPAA Security Rule. 

When both the covered entity and its business associate are government entities, they have the option to choose between two alternative approaches. First, they can enter into a Memorandum of Understanding (MOU) that includes terms and conditions designed to achieve the objectives outlined in the Business Associate Contracts section of the Security Rule. 

Alternatively, if there are existing laws or regulations that already impose requirements on the business associate related to the protection of electronic protected health information (ePHI), the covered entity can rely on these other laws to ensure compliance with the Security Rule. The term "Other Arrangement" encompasses these two options and allows government entities to tailor their compliance efforts according to their specific legal obligations and circumstances.

When is a business associate agreement required?

A Business Associate Agreement (BAA) is a legal document outlining the responsibilities and obligations of a covered entity - your healthcare organization - and its business associates under HIPAA regulations. And you should ask for a business associates agreement whenever PHI is involved.

Any third-party organization that performs services involving PHI on your behalf is considered a business associate. The BAA is required to ensure that the business associate complies with HIPAA rules and safeguards PHI appropriately.

See also: When should you ask for a business associates agreement?

The difference between an Other Arrangement and a business associate agreement

A BAA is a formal, legally binding contract between a covered entity (such as a healthcare provider) and a business associate (such as a medical billing company). Its purpose is to clearly outline the business associate's roles, responsibilities, and obligations regarding the handling, storage, and safeguarding of ePHI. 

BAAs are highly customizable and allow the parties to negotiate specific terms and security measures that align with the requirements of the HIPAA Security Rule. They provide a structured and formal framework for ensuring ePHI protection and create legally enforceable obligations on the part of the business associate. This level of customization and formality offers the covered entity greater control and specificity in how ePHI is managed by the business associate.

In contrast, an "Other Arrangement" is a broader term encompassing alternative methods for achieving HIPAA compliance, particularly when both parties are government entities. These alternatives can include Memoranda of Understanding (MOUs) or relying on existing laws and regulations that already impose requirements on the business associate. 

While MOUs can be formal agreements, "Other Arrangements" may not always involve a written contract or the same level of formality as a BAA. These alternative methods may provide less flexibility for customization and may rely on pre-existing legal frameworks, potentially offering less control and specificity compared to a BAA.

See also: HIPAA Compliant Email: The Definitive Guide

Memorandum of Understanding versus relying on existing laws and regulations

Memorandum of Understanding (MOU)

1. Customized agreement: An MOU is a customized agreement between the government-covered entity and its business associate. It is specifically tailored to their unique circumstances and needs.
2. Security Rule alignment: The MOU must contain terms and conditions that align with and accomplish the objectives of the Business Associate Contracts section of the HIPAA Security Rule. This means it should cover the elements required by the Security Rule, such as safeguarding ePHI, reporting breaches, and ensuring compliance.
3. Flexibility: Using an MOU provides flexibility in setting security and privacy standards. The covered entity and business associate can negotiate and establish the specifics of how they will meet the Security Rule requirements.

Relying on existing laws and regulations

1. Pre-existing requirements: Instead of creating a separate agreement like an MOU, the covered entity and its business associate rely on existing laws and regulations that already impose specific requirements related to the protection of ePHI.
2. No customization: This approach does not involve creating a separate document. It relies on laws or regulations already in place, and these requirements may not have been designed with the specific intent of aligning with the Security Rule.
3. Compliance assurance: The covered entity and business associate must ensure that the existing laws and regulations they rely on cover the Security Rule's objectives for business associate contracts. They must be in full compliance with these pre-existing legal requirements.

Examples of entities that require an Other Arrangement

Entities subject to "Other Arrangements" in the context of HIPAA generally include government entities that qualify as covered entities under HIPAA regulations. A few examples of these entities include 

1. State health departments
2. Public hospitals
3. City or county health clinics
4. State mental health facilities
5. Prisons and correctional facilities
6. Public universities with healthcare components
7. Public health research agencies
8. State Medicaid agencies
9. Native American tribal health services

See also: What is the Privacy Act of 1974?