The definition of a business associate is quite simple. It is anyone you enter into a contract with who will process your protected health information (PHI) for some reason. A striking example: in a famous HIPAA case, a clinic asked a supplier to convert its X-ray films into digital format and recover money from the films. They failed to sign a BAA and were hit by the OCR with a payment order of $750,000. For this reason, it is preferable for BAAs to include, in the breach notification section of the agreement, language such as “as soon as the offence has been discovered or should have been discovered”.

Business associate contracts. A covered entity's contract or other written agreement with its business associate must contain the elements covered in 45 CFR 164.504(e). For example, the contract must: describe the authorized and necessary uses of protected health information by the business associate; provide that the business associate will not further use or disclose protected health information, other than as the contract or the law allows; and require the business associate to adopt appropriate security measures to prevent any use or disclosure of protected health information that is not provided for by the contract.
If a covered entity is aware of a significant breach or violation of the contract or agreement by the business associate, the covered entity is required to take appropriate steps to correct the breach or end the violation and, if such measures are unsuccessful, to terminate the contract or agreement. If termination of the contract or agreement is not possible, the covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Please look at our standard business associate contract. If a party violates a BAA, there is another avenue of redress. If there is no BAA, or it is incomplete, or it is breached, then both parties may be in hot water with HIPAA and other FDA rules.

What is a business associate?

A “business associate” is a person or organization that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of a covered entity, or that provides services to a covered entity. A member of a covered entity's workforce is not a business associate. A covered health care provider, health plan or health care clearinghouse may be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities and related services that make an individual or organization a business associate when the activity or service involves the use or disclosure of protected health information. The types of functions or activities that can make an individual or organization a business associate include payment or health transactions, as well as other functions or activities governed by the Administrative Simplification rules.

The guide below covers the basics of BAAs, including why and when one is needed, what needs to be put in one, and a HIPAA business associate agreement model (PDF) for 2017.