MYTH: A Business Associate Agreement is required when a covered entity contracts with an external Institutional Review Board (IRB).
FACT: Even if the IRB is an external organization, not part of the covered entity, the IRB is not a business associate if its functions are limited to review, approval, and oversight of research.
In general, covered entities (health care providers, health plans, or clearinghouses) must enter into business associate agreements when they intend to share PHI with an external organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity for specific business functions. However, the final HIPAA regulations clarify that an external institutional review board is not a business associate of a covered entity by virtue of its performing research review, approval and continuing oversight functions. To learn more about business associate agreements in the context of am external Institutional Review Board, please read our Myth Buster below.
Enter the password to open this PDF file:
.png)