Business Associate Agreement Needed
It is also worth drawing a business associate's attention to the consequences of non-compliance with HIPAA requirements. Business associates may be sanctioned directly by regulators for HIPAA violations. Both the Office for Civil Rights of the Department of Health and Human Services and attorneys general have the power to impose financial penalties for violations of HIPAA rules. Once covered entities, business associates and business associate subcontractors have identified their mutual relationships, it is necessary to ensure that third parties protect the PHI they receive. A signed agreement certifies that the BA knows that it must handle PHI safely. The contract should provide that the BA (or subcontractor) must implement appropriate administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of the ePHI and meet the requirements of the HIPAA Security Rule. Some of these measures may be recorded in the BAA or may be left to the BA's discretion. The BAA should also set out the permitted uses and disclosures of PHI in order to meet the requirements of the HIPAA Privacy Rule. If PHI is accessed by persons who do not have the right to view the information, for example in the event of an internal breach or cyber-attack, the business associate is obliged to inform the covered entity of the breach and possibly to send notifications to the individuals whose PHI has been compromised.
The timing and responsibilities of notifications should be set out in the agreement. From award-winning HIPAA training to contracts and agreements, we can meet your needs so you can protect your business. Covered entities may be fined if they have not entered into a HIPAA business associate agreement or have an incomplete agreement, although HITECH § 78 FR 5574 provides that BAs are required to comply with the HIPAA Security Rule even if no HIPAA business associate agreement is executed. An entity that maintains [PHI] on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the [PHI]. We recognize that, in both situations, the entity providing the service to the covered entity has the opportunity to access the [PHI]. However, the difference between the two situations is the temporary versus persistent nature of this opportunity….