(a) [Optional] The covered entity shall notify the business associate of any limitation(s) in the covered entity's notice of privacy practices under 45 CFR 164.520, to the extent that such limitation may affect the business associate's use or disclosure of protected health information.
This document contains sample provisions for business associate agreements that help covered entities and business associates more easily meet the contract requirements for business associates. Although these sample provisions are written for a contract between a covered entity and its business associate, the language may be adapted for a contract between a business associate and a subcontractor.
This is what a BAA must do, according to the Department of Health and Human Services (HHS). A "business associate" is a person or organization, other than a member of a covered entity's workforce, that performs functions or activities on behalf of a covered entity, or provides certain services to a covered entity, that involve access to protected health information. A "business associate" is also a subcontractor that creates, receives, maintains or transmits protected health information on behalf of another business associate.
The HIPAA rules generally require covered entities and business associates to enter into contracts with their business associates to ensure that the business associates appropriately safeguard protected health information. The business associate contract is also intended to clarify and, where necessary, limit the business associate's permitted uses and disclosures of protected health information, based on the relationship between the parties and the activities or services the business associate performs. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law.
A business associate is directly liable under the HIPAA rules and subject to civil and, in some cases, criminal penalties for uses and disclosures of protected health information that are not authorized by its contract or required by law.
A business associate is also directly liable and subject to civil penalties if it fails to safeguard electronic protected health information in accordance with the HIPAA Security Rule. A BAA both satisfies the HIPAA rules and creates a relationship of accountability between the two parties: if one party violates the BAA and exposes PHI, the other party has legal recourse. If there is no BAA, if the BAA is incomplete, or if the agreement is egregiously violated, both parties may find themselves in the crosshairs of the Department of Health and Human Services' Office for Civil Rights and perhaps even the Department of Justice.
The contract should provide that the BA (or subcontractor) must implement appropriate administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of ePHI and to meet the requirements of the HIPAA Security Rule. Some of these safeguards may be specified in the BAA or left to the BA's discretion. The BAA should also specify the permitted uses and disclosures of PHI in order to meet the requirements of the HIPAA Privacy Rule. If persons who are not authorized to access PHI do gain access to it, for example through an internal breach or a cyberattack, the business associate is required to notify the covered entity of the breach and may be required to send notifications to the individuals whose PHI has been compromised. The timing of notification and the reporting responsibilities should be detailed in the agreement.