General provision. The data protection rule requires that a covered entity receive satisfactory assurances from its counterparty that the counterparty adequately protects the protected health information it receives or creates on behalf of the entity concerned. Satisfactory assurances must be made in writing, either in the form of a contract or other agreement between the covered entity and the counterparty. [Option 1 – if the counterparty is to return or destroy all protected health information after the termination of the contract] A “counterpart” is a person or organization other than a staff member of a covered company that performs functions or activities on behalf of a covered entity or provides certain services to a classified entity that includes consideration access to protected health information. A “business partner” is also a subcontractor that creates, receives, manages or transmits protected health information on behalf of another counterparty. HIPAA rules generally require covered companies and counterparties to enter into contracts with their trading partners to ensure that counterparties properly protect health information. The counterparty contract is also intended to clarify and, if necessary, limit the use and disclosure permitted by the counterparty of protected health information on the basis of the relationship between the parties and the activities or services of the counterparty. A counterparty may only use or disclose protected health information to the extent that its counterparty contract is authorized or required or required by law. A counterparty is directly responsible under HIPAA rules and is subject to civil and, in some cases, criminal penalties for the use and disclosure of protected health information that is not authorized by the treaty or prescribed by law. A trading partner is also directly responsible and is subject to civil penalties if it does not protect health information protected electronically in accordance with the HIPAA safety rule. Trade association agreements consist of information on the authorized and unauthorized use of PHI between two HIPAA organizations. The contract should require the consideration to implement appropriate administrative, technical and physical security measures, in accordance with the security rule, to ensure the confidentiality, integrity and availability of ePHI.
Contracts can also be formatted to describe in detail the relationship between a covered company and a business partner, as well as the relationships between two business partners. BAAs both respect HIPAA rules and create a relationship of responsibility between the two parties. If one party violates a BAA and reveals the PHI, it has the other legal status. If there is no BAA or incomplete, or if the agreement is ruthlessly violated, both employees may find themselves in the crosshairs of the Department of Health Services and Human Resources, the Civil Rights Office and perhaps even the Department of Justice. [The agreement could also provide that the counterparty could, at the time of termination, pass on the protected health information to another counterparty of the insured company and/or add conditions relating to a counterparty`s obligations to receive or insure protected health information produced, received or managed by subcontractors.] The direct staff of this organization are not required to sign an BAA because they are part of your organization and are not considered a business partner. Yet they are still covered by HIPAA laws. As an employer, you have a responsibility to train your staff in how to preserve the integrity and disqualification of protected health information. With many suppliers comes an increased complexity. For example, a hospital may have 100 software vendors with whom they have contracted by business partners.