HIPAA Agreement for Vendors

The contract should provide that the business associate (BA) or subcontractor must implement appropriate administrative, technical and physical safeguards to protect the confidentiality, integrity and availability of ePHI and to meet the requirements of the HIPAA Security Rule. Some of these safeguards may be spelled out in the BAA; others may be left to the BA's discretion. The BAA should also set out the permitted uses and disclosures of PHI so that the requirements of the HIPAA Privacy Rule are met.

If persons who are not authorized to access PHI do so, for example through an internal breach or a cyberattack, the business associate is required to notify the covered entity of the breach and may be required to send notifications to the individuals whose PHI has been compromised. The timing of notification and the reporting responsibilities should be detailed in the agreement.

There are a few exceptions to the requirement to sign a business associate agreement. These include specialists to whom a hospital refers a patient and transmits the patient's medical record for treatment, laboratories to which a physician discloses a patient's PHI for treatment, and the disclosure of PHI to a health plan sponsor, such as an employer, through a group health plan. Since the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2013 and its incorporation into HIPAA through the HIPAA Omnibus Final Rule, subcontractors engaged by business associates are also required to comply with HIPAA.

A business associate must also obtain a signed HIPAA business associate agreement from its subcontractors before they access PHI or ePHI. When those subcontractors in turn use vendors that need access to PHI or ePHI, they must likewise enter into matching agreements with their own subcontractors.

Exceptions to the business associate standard. The Privacy Rule contains exceptions to the business associate standard; see 45 CFR 164.502(e). In these cases a covered entity is not required to enter into a business associate agreement or other written agreement before protected health information may be disclosed to the person or entity in question.

Sometimes a business associate has its own BAA. Which one should you use, yours or theirs? HIPAA is silent on this.

Nevertheless, it is typical for the hiring organization to dictate the terms of the agreement. You would, for example, use your BAA with your business associate, and the business associate would use its BAA with its subcontractors. You never enter into a BAA directly with your BA's subcontractors. For some vendors you only need a Service Level Agreement (SLA). However, for vendors that create, receive, maintain or transmit PHI on behalf of your organization (business associates), you must have a business associate agreement in addition to the SLA. Even if your vendor cannot view the PHI (for example because it is encrypted), you still need a BAA with it. In the event of a breach of, or non-compliance with, a BAA by a business associate or subcontractor, the covered entity must take reasonable steps to cure the breach or end the violation, and if that is not possible, terminate the agreement.
