It's like a chain that follows the PHI from the first link, which is the covered entity. The next link is the business associate, and all of its subcontractors (including business associates) are the links after that. Think of subcontractors as business associates. The BAA follows the direct path of the chain. A covered entity is therefore not required to sign a BAA with the subcontractors of its business associates; the business associate is.

Contractors who work exclusively for your business, individuals with other customers, and employees hired through a company are not business associates. However, your company is liable if one of these people violates the PHI. Unlike most contracts, a HIPAA business associate agreement does not necessarily protect a covered entity from financial penalties for violations of the PHI. When a covered entity does not obtain assurance, before entering into a contract, that a business associate is able to work in a HIPAA-compliant framework, and the business associate then violates the PHI, the covered entity may be considered responsible for the violation.

To understand the HIPAA definition of a business associate, it is useful to first understand the definition of a HIPAA "covered entity." A "covered entity" is defined under HIPAA to include health plans, health care clearinghouses and some health care providers that electronically transmit health information related to certain HIPAA operations. By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses and some health care providers.
However, most health care providers and health plans do not perform all of their health activities and functions themselves. Instead, they often use the services of many other individuals or businesses. The Privacy Rule allows covered providers and health plans to transmit protected health information to these "business associates" when the providers or plans receive satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will protect the information from abuse, and will help the covered entity fulfill some of its obligations under the Privacy Rule. Covered entities may disclose protected health information to a company in its role as a business associate only to assist the covered entity in carrying out its health care functions – not for independent use or for the purposes of the business associate, unless it is necessary for the proper management and administration of the business associate.

A business associate should also be made aware of the consequences of non-compliance with HIPAA requirements. Business associates may be directly sanctioned by the authorities that oversee HIPAA violations. BAAs both comply with HIPAA rules and create a relationship of responsibility between the two parties. If one party violates a BAA and reveals the PHI, the other has legal recourse.
If there is no BAA, or the BAA is incomplete, or if the agreement is ruthlessly violated, both parties may find themselves in the crosshairs of the Department of Health and Human Services, the Office for Civil Rights and perhaps even the Department of Justice. The model BAA provided here (tk-Link to pdf) is widely used. Any effective use of such an agreement requires adaptation to the specific needs of the organization.