Business partners must also comply with other federal and state data protection laws, which are stricter than HIPAA. A lawyer can discuss the laws in force and the compliance obligations that flow from them. Encrypting all ePHI stored or transferred by a trading partner is an important protection, but encryption alone is not enough to ensure HIPAA compliance. Physical security measures must also be implemented to ensure that the ePHI cannot be accessed by unauthorized persons, administrative security measures must be taken, and written guidelines and procedures must be developed and maintained.

(g) [Optional] Counterparties may provide data aggregation services related to the entity's health services collected.

Since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act and its incorporation into HIPAA in 2013 through the HIPAA Omnibus Final Rule, subcontractors used by business partners are also required to comply with HIPAA. A counterparty must also obtain from its subcontractors a counterparty agreement SIGNED BY THE HIPC before having access to PHI or ePHI. If subcontractors use suppliers who need access to PHI or ePHI, they must also enter into counterparty agreements with their subcontractors.

HHS's Office of Civil Rights has imposed numerous fines for failures relating to counterparty agreements. In investigations of privacy breaches and complaints, OCR found that the following affected companies did not obtain a HIPAA-compliant BAA from at least one vendor. This was either the only reason for the fine or an additional infringement that contributed to the severity of the fine.

Recitals can help to explain the relationship between the BAA and the underlying agreements between the parties.
Consider asking a lawyer to verify the accuracy of the recitals and any underlying agreements.

(f) [Optional] The counterparty may disclose protected health information for the proper management and administration of the counterparty or to fulfil the counterparty's legal obligations, provided that the disclosures are required by law or that the counterparty receives reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only for the purposes for which it was disclosed to the person, and that the person will inform the counterparty of all cases of which it is aware in which the confidentiality of the information has been breached.

This form applies only to the agreement between a counterparty and a covered entity. Counterparties must enter into separate BAAs with their subcontractors….