Q: What is a "business associate"?

A "business associate" is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of a covered entity, or that provides services to such an entity. A member of the covered entity's workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.

Q: When does an employer need to enter into a HIPAA business associate agreement (BAA) with a third-party service provider for its plan?

By law, the HIPAA Privacy Rule applies only to covered entities: health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered health care providers and health plans to disclose protected health information to these "business associates" if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the Privacy Rule.
Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions, not for the business associate's own use or purposes, except as needed for the proper management and administration of the business associate. Contractors who work exclusively for your organization, individuals who also have other clients, and staff hired through an agency are not business associates. However, your organization is liable if any of these individuals commit a PHI violation.
For some vendors, you only need a service level agreement (SLA). However, for vendors that create, receive, maintain, or transmit PHI on behalf of your organization (called business associates), you must have a business associate agreement in addition to the SLA. Even if your vendor cannot actually see the PHI (e.g. because it is encrypted), you still need a BAA with it. Many vendors do not use PHI to perform tasks on behalf of the covered entity, but ePHI still passes through their systems. Many software solutions touch ePHI, which means the software vendor is classified as a business associate. There are exceptions for entities that act as mere conduits through which ePHI is transmitted (see the conduit exception), but most cloud service and software providers are not exempt from HIPAA compliance, and BAAs are required. The contract must: describe the permitted and required uses of protected health information by the business associate; provide that the business associate will not use or further disclose protected health information other than as permitted or required by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent any use or disclosure of protected health information not provided for by the contract. A HIPAA business associate agreement is a contract between a HIPAA-covered entity and a vendor used by that covered entity.
A HIPAA-covered entity is typically a health care provider, health plan, or health care clearinghouse that conducts transactions electronically. A vendor of a HIPAA-covered entity that must receive protected health information (PHI) to perform tasks on behalf of the covered entity is called a business associate (BA) under HIPAA. A vendor is also classified as a BA if electronic PHI (ePHI) passes through its systems as part of the services it provides. The covered entity must obtain a signed HIPAA business associate agreement before a business associate can come into contact with PHI or ePHI. The HHS Office for Civil Rights (OCR) has imposed numerous fines for the failure to have business associate agreements in place. During investigations of data breaches and complaints, OCR found that the following covered entities failed to obtain a signed HIPAA-compliant BAA from at least one vendor. This was either the sole reason for the fine or an additional violation that contributed to the severity of the fine. Finally, a business associate or subcontractor failing to meet the requirements of an agreement could have a significant impact: some covered entities have taken a "better safe than sorry" approach to resolving these definitional questions and have entered into agreements with every company they do business with, whether necessary or not. . . .