Business Associate Agreement Requirements Under HITECH

In addition, the final rule states that a subcontractor cannot use PHI in a manner that is not authorized in the business associate agreement between the principal business associate and the covered entity. HHS explained that any agreement in the "Business Associate Chain must be as strict or stricter" as the agreements in question in the chain. The business associate agreement ensures a chain of custody for PHI. A vendor of a HIPAA covered entity must enter into a contract with the covered entity, and a subcontractor used by a business associate is also required to enter into a contract of this type. A subcontractor is a business associate of a business associate and is not covered by the BA/covered entity contract. A separate contract must be signed before access to PHI is granted. The chain can be longer still, and the further it extends from the covered entity that transmits the ePHI, the greater the potential for violations of the HIPAA business associate agreement.

We also strongly advise you to contact a lawyer or seek legal advice regarding your responsibilities under HITECH, as we do not intend to provide legal advice in this FAQ document.

The HHS Office for Civil Rights has imposed numerous fines for business associate agreement failures.

In investigations into data protection violations and complaints, OCR found that the following covered entities had not obtained a signed HIPAA BAA from at least one vendor. This was either the sole reason for the fine, or the additional violation contributed to the severity of the fine.

As a courtesy, we provide you with the following questions and answers to help you understand these new changes. Business associates are directly responsible for HIPAA violations as follows: If the covered entity is aware that the actions of the business associate constitute a material breach or violation of the business associate agreement, the revised rule removes the obligation for covered entities to report to the Secretary if termination of a business associate agreement is not possible. HHS stated that it did not consider the notification requirement necessary, as business associates are now directly responsible for non-compliance with certain HIPAA provisions and have their own independent obligation to report violations to the Secretary.

Section 1 (A) of the additional terms of the contract in the amendment is the only one specifically requested by HITECH. We strongly recommend that your business partners also accept Section 1 (B). Additional conditions are recommended in light of the changes made by HITECH.

By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses and some health care providers. However, most health care providers and health plans do not perform all of their health activities and functions themselves. Instead, they often use the services of many other individuals or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these "business associates" when the providers or plans receive satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will protect the information from misuse, and will help the covered entity fulfill some of the covered entity's obligations under the Privacy Rule.