The business associate agreement is a contract that defines the types of protected health information (PHI) made available to the business associate, the permitted uses and disclosures of that PHI, the safeguards to be implemented to protect it (for example, encryption at rest and in transit), and the actions the BA must take in the event of a security breach involving PHI. Encrypting all ePHI stored or transmitted by a business associate is an important safeguard, but encryption alone is not enough to ensure HIPAA compliance. Physical safeguards must also be implemented so that ePHI cannot be accessed by unauthorized persons, and administrative safeguards must be put in place, with written policies and procedures developed and maintained. HIPAA requires covered entities to work only with business associates who provide assurances that PHI will be fully protected. These assurances must be made in writing, in the form of a contract or other agreement between the covered entity and the business associate.1 Many vendors do not receive PHI in order to perform tasks on behalf of the covered entity, but ePHI passes through their systems. Many software solutions touch ePHI, which means that the software vendor is considered a business associate. There are exceptions for entities that act as mere conduits through which ePHI passes (see the conduit exception), although most cloud service and software providers are not exempt from HIPAA compliance and require BAAs.

Answer: No, you are a business associate, because PHI is more than a medical diagnosis (or complaint). A single name or phone number associated with a health care request is PHI, and by answering the phone for a health care provider you "receive" PHI.

Exceptions to the Business Associate Standard. The Privacy Rule contains the following exceptions to the business associate standard.
See 45 CFR 164.502(s). In such situations, the covered entity is not required to enter into a business associate contract or other written agreement before protected health information may be disclosed to the individual or entity. It is also worth drawing a business associate's attention to the consequences of non-compliance with HIPAA requirements. Business associates may be sanctioned directly by regulators for HIPAA violations. The Office for Civil Rights (OCR) has just published a fact sheet on the direct liability of business associates. In this fact sheet, OCR reminds companies that, since 2009, HIPAA business associates have been directly liable for certain violations of the HIPAA Rules. Business associates are the various entities that need "protected health information" in order to assist "covered entities" (health care providers, health insurers and health care clearinghouses) or other business associates in performing various functions. Contractors who work exclusively for your company, people with other customers, and employees hired through a staffing company are not business associates.
However, your company is liable if any of these people mishandle PHI. General provision. The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate. An employee of the covered entity is not a business associate, nor is someone who happens upon patient information (such as a janitor or electrician). . . .