Finally, non-compliance with the requirements of an agreement by a trading partner/subcontractor could have important implications: Commercial Partnership Agreements consist of information about the permitted and inappropriate use of PHI between two organizations subject to HIPAA. The contract should require the business partner to take appropriate administrative, technical and physical safeguards in accordance with the security rule to ensure the confidentiality, integrity and availability of the ePHI. Contracts can also be formatted to detail the relationship between a covered company and a business partner, as well as the relationship between two business partners. HIPAA`s privacy policy now applies to both covered companies (e.B, healthcare providers, and health plans) and their business partners. A «Business Partner» is generally a natural or legal person who «creates, receives, retains or transmits» Protected Health Information («PHI») in connection with the provision of services on behalf of the company collected (p.B. Consultant; administration, billing, coding, transcription or marketing companies; IT contractors; data storage or documentation destruction companies; Data transfer companies or suppliers who regularly access PSR; Third-party administrators; seller of personal health records; lawyers; accountant; malpractice insurers; etc.) (See 45 CFR 160.103). «A covered enterprise may be a business partner of another covered enterprise.» (Id.). With very few exceptions, a subcontractor or other entity that creates, receives, maintains or transfers PSR on behalf of a business partner is also a business partner. (Id.; 78 FR 5572).
To find out if a company is a business partner, see the attached business partner decision tree. A BAA is an essential component for any person, company or other organization that deals with PSR from a covered entity. It not only describes the relationship between the two parties, but can also protect one of them in the event of a violation. Ultimately, BAAs are signed, legal documents indicating that you are fulfilling your duty of care when it comes to ensuring that your customers` information is safe and secure. (Frequently Asked Questions («FAQ»), available at www.hhs.gov/ocr/privacy/hipaa/faq/index.html). Similarly, «the mere sale or supply of software to an affected entity does not result in a business partner relationship if the seller does not have access to the [PSR] of the affected entity». (Id.). Companies that wish to evade their business obligations may wish to include in their service contracts a provision that confirms that they do not need PHI to perform its functions and that its customers, who are relevant companies or business partners, will not provide PHI (or, as explained below, unencrypted PHI) to the Company without the Company`s prior consent. You need to be able to identify the classification of your workforce before you know what HIPAA requires. As defined by the Health Information Portability and Accountability Act (hipAA), a business partner is any organization or person that works in connection with a Covered Company or that provides, manages, or discloses services to a Covered Company that generates, manipulates, or discloses Protected Health Information (PHI).2 If a business partner/subcontractor violates or violates a BAA, the Covered Entity must have reasonable health information.
Take steps to remedy the violation or terminate the violation. «If such steps don`t succeed, they have to terminate the contract or agreement,» HHS says. «If termination of the contract or agreement is not feasible, a covered company is required to report the issue to the HHS Office of Civil Rights.» 1 A trading partner must also be informed of the consequences of non-compliance with HIPAA requirements. Business partners can be fined directly by regulators for violating HIPAA. The Department of Health and the Office of Human Rights and Attorneys General have the power to impose fines for violating HIPAA rules. Business Partnership Agreements (BAAs) are an integral part of any effective HIPAA compliance program. But understanding what a good BAA should and shouldn`t include isn`t as intuitive as understanding that you need it at all. 3. Members of organized health care.
Covered entities participating in an Organized Health Agreement («OHCA») are not business partners of each other when performing functions on behalf of OHCA; «Therefore, they may use and disclose [PHI] for OHCA`s joint health activities without entering into a commercial partnership agreement.» (OCR FAQ; see 45 CFR 160.103). An OHCA is (1) «a clinically integrated care environment in which individuals typically receive health care from more than one health care provider» (e.g., B a hospital and its medical staff); (2) an organised health system involving more than one covered entity and in which the participating covered entities carry out a joint review of use, quality improvement or payment activities (e.B. provider networks); or (3) certain agreements between group health insurance funds and other insurers. (45 CFR 160.103). The OHCA exemption applies only to covered businesses (p.B. health care providers and health care plans) that perform functions for the OHCA; it does not apply to other entities that require IHP to perform tasks on behalf of OHCA. It`s like a chain that follows the IHP from the first link in the chain, the entity covered. The following link would be the business partner and all its subcontractors (including business partners) would be links that follow. Think of subcontractors as business partners of business partners. The BAA follows the direct path of the chain. Thus, a covered company is not obliged to sign a BAA with the subcontractors of its business partners, but the business partner is. According to HHS, covered companies can only disclose PSR to a company to help it perform its health functions, and not for the business partner`s independent use or purposes.
«1 For example, a business partner/processor cannot use the covered company`s PSR for its own email campaign. If you need to continue to expand your practice and hire additional services, you may find yourself in a situation where a service that offers a BAA is obviously not the best financial choice. General provision. The confidentiality rule requires that a registered entity receive satisfactory assurance from its trading partner that the business partner is adequately protecting the protected health information it receives or creates on behalf of the captured entity. Satisfactory assurances must be given in writing, whether in the form of a contract or other agreement between the targeted entity and the business partner. Business partners who violate HIPAA can face penalties ranging from $100 to more than $50,000 per violation. (45 CFR 160,404). If the violation is due to intentional negligence, the Office of Civil Rights («OCR») must impose a fine of at least $10,000 per violation. (Id.). If the business partner has acted with intentional negligence and fails to correct the breach within thirty (30) days, the OCR shall impose a penalty of at least $50,000 per breach.
(Id.). A single violation can result in many violations. For example, the loss of a laptop containing hundreds of PHI of patients can be hundreds of violations. Similarly, any day on which a relevant business or business partner fails to implement a required policy is a separate violation. (45 CFR 160.406). In addition to regulatory penalties, business partners who fail to comply with business partnership agreements may also be held liable for contractual damages and/or claims for compensation set forth in the business partnership agreement. The problem for many covered companies is that they don`t always know who a HIPAA trade partnership agreement applies to. The Ministère de la Santé et des Services sociaux defines a business partner as «a natural or legal person who performs certain functions or activities that involve the use or disclosure of protected medical information on behalf of a covered business or the provision of services to a covered company.» Individuals, organizations, and agencies that meet the definition of an entity covered by HIPAA must comply with the requirements of the Health Information Privacy and Security Rules and grant individuals certain rights with respect to their health information.
If a covered entity engages a trading partner to help it carry out its health activities and functions, the covered entity must have a written business partnership agreement or other agreement with the business partner that specifies exactly what the trading partner has been engaged to do and requires the business partner to comply with the requirements of the privacy and security rules. protected medical information. .