The contract should provide that the business associate (BA), or its subcontractor, must take appropriate administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of ePHI and meet the requirements of the HIPAA Security Rule. Some of these safeguards may be spelled out in the BAA; others may be left to the BA's discretion. The BAA should also set out the permitted uses and disclosures of PHI in order to meet the requirements of the HIPAA Privacy Rule. If PHI is accessed by persons who are not authorized to view it, for example in an insider breach or a cyber-attack, the business associate is obliged to notify the covered entity of the breach and may also have to send notifications to the individuals whose PHI was compromised. The timing of, and responsibility for, these notifications should be set out in the agreement. Business associate agreements document the permitted and prohibited uses of PHI between two organizations subject to HIPAA. The contract should provide that the business associate must take appropriate administrative, technical and physical safeguards, in accordance with the Security Rule, to ensure the confidentiality, integrity and availability of ePHI. Contracts may also be drafted to describe in detail the relationship between a covered entity and a business associate, or the relationship between two business associates. BAAs address both compliance with the HIPAA rules and the allocation of liability between the two parties: if one party violates a BAA and discloses PHI, the other party has a cause of action.
If there is no BAA, if it is incomplete, or if the agreement is blatantly violated, both parties may be in the crosshairs of the Department of Health and Human Services' Office for Civil Rights, and perhaps even the Department of Justice. BAAs are signed legal documents stating that you are in compliance with your duty of care to keep your customers' information safe and protected. The HIPAA Privacy Rule applies to covered entities (e.g., health care providers and health plans) and their business associates. A "business associate" is generally a person or entity that, in the course of providing services on behalf of a covered entity, creates, receives, maintains or transmits protected health information on behalf of that covered entity (e.g., consultants; management, billing, coding, transcription or marketing companies; IT contractors; data storage or document destruction companies; data transmission providers that routinely access PHI; third-party administrators; personal health record vendors; lawyers; accountants; malpractice insurers; etc.) (See 45 CFR 160.103). "A covered entity may be a business associate of another covered entity." (Id.) With very limited exceptions, a subcontractor or any other entity that creates, receives, maintains or transmits PHI on behalf of a business associate is also a business associate. (Id.; 78 FR 5572.) Guidance on whether an entity is a business associate can be found in the attached business associate decision tree. This document contains sample business associate provisions that make it easier for covered entities and business associates to meet the business associate contract requirements.