It's a good idea to review your business associate agreements regularly. You can schedule this alongside your periodic review of your own privacy and security policies and procedures. Also ask your business associates to notify you of any significant changes in the way they do business. A business associate should be able to provide an updated compliance plan on request. If you have a question about business associate compliance, let us know at info@hipaaetool.com.

Question: If we use a business associate abroad, do they have to follow HIPAA? Are we even allowed to use someone in another country?

Exceptions to the Business Associate Standard. The Privacy Rule contains a limited set of exceptions to the business associate standard; see 45 CFR 164.502(e). In those situations a covered entity is not required to enter into a business associate agreement or other written agreement before protected health information may be disclosed to the person or organization in question. Some companies may or may not be business associates depending on the information they access while performing their service agreement.

2) Assess whether business associates are HIPAA compliant. Under the law, the HIPAA Privacy Rule applies only to covered entities: health plans, health care clearinghouses, and certain health care providers.
However, most health care providers and health plans do not perform all of their health care activities and functions themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered health care providers and plans to share protected health information with these "business associates" if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the Privacy Rule. A covered entity may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions, not for the business associate's own use or purposes, except as needed for the proper management and administration of the business associate.

Question: I have an answering service company and we never hear medical information, just a patient's name and number for a reminder. Doesn't this mean that we do not receive protected health information and therefore are not a business associate, but only a regular vendor?

Question: Our doctor's office uses data backup via Google Cloud Storage [or Amazon Web Services]. They say they are HIPAA compliant. Do we still need a business associate agreement with Google [or AWS]?

What does this tell us? You need to pay attention to what your business associates do with the information they hold, and in turn to whom they pass it. Under HIPAA, there are two types of organizations responsible for protecting PHI: covered entities and business associates. Most covered entities are organizations that have direct contact with patients, such as doctors, clinics and hospitals, or with patients' information, such as insurance companies. Even if business associates never see patients, they may store or have access to their health data.
Answer: No. You are a business associate, because PHI is more than a medical diagnosis (or complaint). A name or phone number alone, when it is linked to a health care appointment or service, is PHI, and by answering the phone for a health care provider you "receive" PHI.

Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services include: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial services. See the definition of "business associate" at 45 CFR 160.103.

The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or another agreement between the covered entity and the business associate. There are many examples of business associate agreements online, but be careful before using such templates: they may have been drafted for a different kind of relationship.
Each BAA must be tailored to the specific relationship between the covered entity and the particular business associate.

Question: We have a regular weekly cleaning service that comes to our office, and their staff may observe patients in the waiting room or even accidentally see patient information on a desk or in the trash. Are they a business associate?

Here are some examples of potential business associates:

Business Associate Contracts. A covered entity's contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must: describe the permitted and required uses of protected health information by the business associate; provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent any use or disclosure of the protected health information not provided for by the contract. If a covered entity becomes aware of a material breach or violation of the contract or agreement by the business associate, the covered entity is required to take reasonable steps to cure the breach or end the violation and, if those steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, the covered entity is required to report the problem to the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS). See our sample business associate contract.
Note: If a business associate delegates an activity to another company, that company is considered a subcontractor, and the same rules apply to it.

Answer: Always review your business associate agreement first to decide on next steps, because its notification deadlines may be shorter than those in HIPAA. Also NOTE: under HIPAA, a ransomware incident is presumed to be a breach unless you can demonstrate, through a documented risk assessment, that there is a low probability the PHI was compromised. And HIPAA requires that a business associate notify the covered entity of a breach without unreasonable delay, and in no case later than 60 days after discovery.