Whenever a health care provider or other covered entity hires a contractor to process protected health information (PHI) as part of the contractor's assigned work, both parties must sign a business associate agreement (BAA). Put simply, a business associate is a person or organization that handles PHI on behalf of a covered entity or another business associate. Many vendors do not need PHI to perform their tasks on behalf of the covered entity, yet electronic PHI (ePHI) still passes through their systems. Many software solutions touch ePHI, which means the software provider is classified as a business associate. There are exceptions for entities that act as mere conduits through which ePHI passes (see the conduit exception), but most cloud service and software providers are not exempt from HIPAA compliance, and BAAs are required. From award-winning HIPAA training to contracts and agreements, we can meet your needs and help protect your business. General provision: the Privacy Rule requires a covered entity to obtain satisfactory assurances from its business associate that the business associate will adequately protect the PHI it receives or creates on behalf of the covered entity. These satisfactory assurances must be given in writing, whether as a contract or another agreement between the covered entity and the business associate. As a HIPAA-covered organization, you know that most of your suppliers are BAs as well. So let's move on to your BA contract: the business associate agreement.
Direct employees of your organization do not have to sign a BAA, because they are part of your organization and are not considered business associates themselves; they are covered by HIPAA through your organization. As an employer, you are responsible for training your employees on how to maintain the integrity and confidentiality of PHI. Finally, a business associate's or subcontractor's failure to meet the requirements of an agreement can have a significant impact. Once covered entities, business associates and subcontractors have identified their relationships with one another, it is necessary to ensure that third parties protect the PHI they receive. A signed agreement documents that the BA knows it must handle PHI securely. The HHS Office for Civil Rights (OCR) has imposed numerous fines for missing business associate agreements. In investigations of data breach complaints, OCR found that the following covered entities had failed to obtain a signed, HIPAA-compliant BAA from at least one vendor. This was either the sole reason for the fine or an additional violation that increased its severity. If you hire a subcontractor and that subcontractor comes into contact with PHI, you will need to execute a BAA between the two of you.
The Privacy Rule states that every subcontractor of a business associate must agree to the same restrictions that apply to the original business associate. A business associate agreement sets out the permitted and prohibited uses of PHI between the two organizations, as required by HIPAA. The contract should require the business associate to implement appropriate administrative, technical and physical safeguards, in accordance with the Security Rule, to ensure the confidentiality, integrity and availability of ePHI.