Our position is that business associate agreements are not required under HIPAA in relation to the employment services we provide. While it is true that many of our external employees handle personal data or even perhaps personal health information while assigned to work with clients, we believe that for data protection law purposes, these employees ought to be considered client personnel, authorized to process information by the client, under the client's instructions, management and supervision.
We've spoken with our external advisors about an equivalent matter under European law (e.g. the role of Remote and the EOR employee as 'processor' for the client (or the client's customer)). We've been advised that EOR employees ought to be treated as part of the client's organisation and as individuals authorized to process information by the client, rather than as separate/external information recipients. Hence, under European law, there's no need for us or our employees to enter into data processing agreements under GDPR (which are somewhat equivalent to business associate agreements under HIPAA). That being said, clients are of course free (and invited) to take their own independent legal advice on the matter. Our position is that this isn’t necessary for compliance and while we won’t stand in your way to do that, please note we take no responsibility (and exclude liability) in relation to matters associated with any direct agreements between clients and employees.