When Is A Business Associate Agreement Necessary

But let's be honest: running a business without the help of third parties is difficult, if not impossible. Hiring outside help when you need extra hands or have specialised needs often makes business sense. In the healthcare context, those third parties are called business associates. When they provide services or technology to a covered entity (for example, a hospital), or to another business associate as a subcontractor (for example, a PaaS provider such as Datica), business associates create, receive, maintain, transmit, or otherwise interact with that covered entity's electronic protected health information (ePHI). Because of this access to PHI, every business associate must sign a Business Associate Agreement (BAA). The BAA is a legal contract that describes how the business associate will comply with HIPAA, and the liabilities and risks it assumes. In plain terms, a Business Associate Agreement is a contract between a healthcare provider (or other covered entity) and a person or organization that accesses, transmits, or stores protected health information (PHI) while providing services to that provider. Whether you call it a business associate agreement or a business associate contract, as HIPAA itself does, it is an essential part of a company's effort to be HIPAA compliant. What provisions should such an agreement contain? Below, we have compiled the basic components and definitions of a HIPAA Business Associate Agreement template that you can browse.

Keep in mind that BAAs are legally binding agreements, so it is best to have a designated security officer, an attorney, or a HIPAA compliance solution help you navigate these contracts. A software company that hosts software containing patient information on its own server, or that accesses patient information while troubleshooting a software feature, is a business associate of the covered entity. In these cases the covered entity would have to enter into a business associate agreement before it could grant the software company access to PHI. However, if an employee of a contractor, such as a software or information technology vendor, has his or her primary duty station on site at the covered entity, the covered entity may treat that vendor's employee as a member of its own workforce rather than as a business associate. Business associate agreements are not optional. HIPAA requires that you sign the BAA with your business associate before sharing any PHI with them. Doing so helps you avoid both an impermissible disclosure and the penalties for operating without a BAA. The contract must: describe the permitted and required uses and disclosures of protected health information by the business associate; provide that the business associate will not use or further disclose protected health information other than as permitted by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent any use or disclosure of protected health information not provided for in the contract.

Business associates that violate HIPAA can be fined from $100 to $50,000 per violation (45 CFR 160.404). If the violation is the result of willful neglect, the Office for Civil Rights ("OCR") must impose a penalty of at least $10,000 per violation (Id.). If the business associate acted with willful neglect and does not correct the violation within thirty (30) days, OCR must impose a penalty of at least $50,000 per violation (Id.). A single incident can give rise to many violations: losing a laptop that holds the PHI of hundreds of patients, for example, can count as hundreds of violations.
