I Don't Need A Business Associate Agreement For

Healthcare organizations must use HIPAA-compliant encryption tools to send PHI securely to their business associates, and must require the use of those tools in their business associate agreements (BAAs). But the security of your data depends not only on good encryption technology and training, but also on convenience. If a tool is too difficult, slow, or unreliable to use, employees take shortcuts to get the job done using unsafe alternatives such as unencrypted email. A business associate is "a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A [BA] is also a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another [BA]." The agreement should also set out how the business associate will ensure this. Workforce training, monitoring, internal audits, and other appropriate measures must be taken into account. Write the breach notification clause in detail, e.g. how and under what circumstances the business associate must contact you, and how quickly it must do so.

It's like a chain that follows the PHI from the very first link, the covered entity. The next link is the business associate, and all of its subcontractors (which are themselves business associates) are the links that follow. Think of subcontractors as business associates of the business associate. The BAA follows the direct path of the chain: a covered entity is therefore not required to sign a BAA with its business associate's subcontractors, but the business associate is. Business associates that violate HIPAA may be subject to penalties ranging from $100 to more than $50,000 per violation (45 CFR 160.404). If the violation is due to willful neglect, the Office for Civil Rights (OCR) must impose a fine of at least $10,000 per violation (Id.).

If the business associate acted with willful neglect and does not correct the violation within thirty (30) days, OCR must impose a fine of at least $50,000 per violation (Id.). A single incident can give rise to many violations. For example, the loss of a laptop containing the PHI of hundreds of patients can count as hundreds of violations. Similarly, each day on which a covered entity or business associate fails to implement a required policy constitutes a separate violation (45 CFR 160.406). In addition to regulatory penalties, business associates that fail to comply with their business associate agreements may also be liable for contractual damages and/or indemnification obligations set out in the agreement. You can find a detailed list of what you need to include in your business associate agreements in the Department of Health and Human Services….
