The contract should provide that the BA (or subcontractor) must implement appropriate administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of ePHI and to meet the requirements of the HIPAA Security Rule. Some of these measures may be specified in the BAA or left to the BA's discretion. The BAA should also set out the authorized uses and disclosures of PHI to meet the requirements of the HIPAA Privacy Rule. If PHI is accessed by people who are not authorized to access it, e.g. through an insider breach or a cyberattack, the business associate is required to inform the covered entity of the breach and may be required to send notifications to the individuals whose PHI has been compromised. The timing and reporting responsibilities should be detailed in the agreement.

“[A] person or entity that is not a member of the workforce of a covered entity, performs functions or activities on behalf of a covered entity, or provides certain services that involve access to protected health information. A [BA] is also a subcontractor that creates, receives, maintains or transmits protected health information on behalf of another [BA].”

[Option 1 – if the business associate is to return or destroy all protected health information upon termination of the agreement]

Put simply, a business associate is a person or organization that handles PHI on behalf of a covered entity or another business associate. The Department of Health and Human Services Office for Civil Rights (HHS/OCR) can impose hefty fines and corrective measures if you do not have a BAA with your BAs. In addition, if HHS/OCR audits your organization, you must be able to produce your BAAs and prove that you have performed due diligence on your BAs. The definition of a business associate is quite simple.

According to the Department of Health and Human Services, a business associate must: (d) in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that all subcontractors that create, receive, maintain or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions and requirements that apply to the business associate with respect to that information. The HIPAA Privacy Rule describes the types of entities covered by HIPAA, that is, the entities that must comply with the HIPAA security and privacy rules.

The main categories are clearinghouses, covered entities (CEs) and business associates. The further down the chain a subcontractor is from the covered entity, the more confusion there is as to who is actually a business associate and who must sign a BAA. Once you and your business associate have signed the BAA, the signature remains valid until a substantial change requires the BAA to be amended. Make sure you and your BA sign and date the BAA and keep documentation of it.

The business associate/subcontractor agreement must contain the following provisions, in accordance with HHS:

(b) Termination for cause. The business associate authorizes termination of the agreement by the covered entity if the covered entity determines that the business associate has violated a material term of the agreement [and the business associate has not cured the breach or ended the violation within the time specified by the covered entity]. [Bracketed language may be added if the covered entity wishes to give the business associate an opportunity to cure a violation or breach before termination for cause.]

(d) The business associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by the covered entity [if the agreement permits the business associate to use or disclose protected health information for its own management and administration and legal responsibilities or for data aggregation services, in accordance with the optional provisions (e), (f) or (g) below, then add: with the exception of the following provisions: