Written Business Associate Agreements Are Required With

Posted 22 Dec in Uncategorized

Unlike most contracts, a HIPAA business associate agreement does not necessarily protect a covered entity from financial penalties for breaches of PHI. If a covered entity does not obtain assurance that a business associate is able to operate within a HIPAA-compliant framework before entering into a contract, and a breach of PHI then occurs, the covered entity may be held responsible for the violation.

d) ensure, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, that all subcontractors who create, receive, maintain or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions and requirements that apply to the business associate with respect to this information;

“A counterparty is directly responsible under HIPAA rules and is subject to civil and, in some cases, criminal penalties for the use and disclosure of protected health information that is not authorized by a contract or prescribed by law. A partner/subcontractor is also directly responsible and is subject to civil penalties if it does not protect protected health information online in accordance with the HIPAA safety rule.”

6. Entities that perform management or administrative functions for business associates. Covered entities may authorize business associates to use PHI for the business associate's own management and administration or legal responsibilities. (45 CFR 164.504(e)(4)).

(78 FR 5572, highlighted). Note that the preceding analysis applies to data storage companies that have “access” to PHI. Unless we receive contrary guidance from HHS, there is a fairly strong argument that the business associate requirements do not and should not apply to entities that manage encrypted PHI if the entity does not have the encryption key.

The HHS breach notification rule assumes that encrypted data is secure. (See OCR's guidance at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html.)

 
