Health Insurance Portability and Accountability Act of 1996
Sakura Finetek Policy on Business Associate Agreements and Data Use Agreements Under the Health Insurance Portability and Accountability Act of 1996
Sakura Finetek USA, Inc. (“Sakura”) receives periodic requests to execute business associate agreements and data use agreements pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Under HIPAA privacy rules, business associate agreements and data use agreements are safeguards used by covered entities in the healthcare industry to protect the confidentiality of patient information disclosed to third parties.
Based on Sakura’s understanding of HIPAA and its associated regulations, in most of its business relationships with Sakura’s customers, Sakura is not a “business associate,” as that term is defined in 45 C.F.R. §160.103 (see attached copy of relevant HIPAA regulations). Under the requirements of HIPAA, a Business Associate Agreement should be used only when your company intends Sakura to provide a “function or activity involving the use or disclosure of individually identifiable information.” (See, 45 C.F.R. §160.103 — defining “individually indentifiable information”.)
As a “covered entity” under HIPAA (45 C.F.R. §160.103), your company is not required to enter into a Business Associate Agreement with Sakura, as a manufacturer or vendor from whom your company merely purchases equipment, devices or supplies, unless your company also provides patient-identifiable information to Sakura in order to perform some other service. This is usually not the case in Sakura’s business relationships with its customers. Sakura generally provides its products for use by its customers without receiving any patient-identifiable information.
Sakura would appreciate your careful consideration of this explanation before submission of a Business Associate Agreement or Data Use Agreement. If your company believes that a Business Associate Agreement or Data Use Agreement will be required due to the potential disclosure of individually indentifiable patient information to Sakura, then please contact the Sakura representative indicated below.
If you would like further information on HIPAA, you may wish to visit the Web site of the US Department of Health and Human Services at www.hhs.gov/ocr/hipaa/.
Thank you for your attention and consideration of this matter.
Regulatory Affairs Dept.