For some vendors, a service level agreement (SLA) is all you need. However, for vendors that create, receive, maintain, or transmit PHI on behalf of your organization (called business associates), you must have a business associate agreement (BAA) in addition to the SLA. Even if the vendor cannot actually view the PHI (e.g. because it is encrypted), you still need a BAA with it. Many vendors do not use PHI to perform tasks on behalf of the covered entity, yet ePHI passes through their systems. Many software solutions touch ePHI, which means the software vendor is classified as a business associate. There are exceptions for entities that act merely as conduits through which ePHI is routed (see the conduit exception), but most cloud service and software providers are not exempt from HIPAA compliance, and BAAs are required. The contract must: describe the permitted and required uses of protected health information by the business associate; provide that the business associate will not use or further disclose protected health information other than as permitted or required by the contract, or as required by law; and require the business associate to use appropriate safeguards to prevent any use or disclosure of protected health information not provided for in the agreement. A HIPAA business associate agreement is a contract between a HIPAA-covered entity and a vendor used by that covered entity.
A HIPAA-covered entity is typically a healthcare provider, health plan, or healthcare clearinghouse that conducts transactions electronically. A vendor of a HIPAA-covered entity that must receive protected health information (PHI) to perform tasks on behalf of the covered entity is called a business associate (BA) under HIPAA. A vendor is also classified as a BA if electronic PHI (ePHI) passes through its systems as part of the services it provides. The covered entity must obtain a signed HIPAA business associate agreement before a business associate can come into contact with PHI or ePHI. The HHS Office for Civil Rights (OCR) has imposed numerous fines for failure to obtain business associate agreements. In the course of investigating data breaches and complaints, OCR found that the following covered entities had failed to obtain a signed HIPAA-compliant BAA from at least one vendor. This was either the sole reason for the fine or an additional violation that contributed to the severity of the fine. Finally, a business associate or subcontractor failing to meet the requirements of an agreement can have a significant impact: some covered entities have taken a «better to apologize» approach to the problem of deciding which vendors meet the definition of a business associate, and have entered into agreements with every company they do business with, whether necessary or not.