Instead, ask them to sign a confidentiality agreement. We insert these points into the confidentiality agreements we offer to our clients: if a business associate/subcontractor violates a BAA, the covered entity must take appropriate steps to correct the violation or end it. “If such measures fail, they must terminate the contract or agreement,” HHS explains. “If termination of the contract or agreement is not possible, a covered entity is required to report the issue to the HHS Office for Civil Rights.”1

Once companies, business associates and covered entities have identified their relationship, it is important to ensure that third parties monitor the PHI they receive. A signed agreement proves that the BA knows that they must manage the PHI. If they have not done so recently, covered entities should identify their business associates and ensure that appropriate agreements are in place with them. The Business Associate/Subcontractor Agreement should contain the following information, according to HHS:

But… It is difficult, if not impossible, to run a business without the help of third parties. Hiring outside help when you need extra hands or have special needs often makes business sense. Exceptions to Business Associate/Subcontractor include the following examples, which are considered “lines” for PHI:

Finally, failure by a business associate/subcontractor to comply with the requirements of an agreement could have significant consequences: HHS can monitor the HIPAA compliance of subcontractors as well, and not just of covered entities. This means that organizations must have a Business Associate Agreement (BAA) in place for all three levels in order to meet HIPAA requirements. It is in your best interest to have an agreement, as all three classifications are responsible for the protection of the PHI.

www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
searchsecurity.techtarget.com/definition/business-associate
www.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa-regulations-affect-business-associates
www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

HIPAA requires covered entities to work only with business associates that guarantee full protection of the PHI.
These assurances must take the form of a contract or other agreement between the covered entity and the BA.1 The Omnibus Rule extends the definition of “business associates” to data storage companies, companies that provide data services when they require routine access to PHI, and subcontractors of business associates.