To comply with HIPAA, a business associate agreement must include a description of the uses and disclosures of PHI permitted and required by the business associate. The business associate agreement must also require, among other things, that the business associate:

HIPAA requires that a covered entity enter into a HIPAA-compliant business associate agreement with each of its business associates. In addition, every business associate must enter into a HIPAA-compliant business associate agreement with any subcontractor that performs certain functions and has access to the covered entity's PHI.

3. the implementation of written business associate contracts with covered entities that, among other things, require the business associate to safeguard the privacy of PHI; limit the business associate's use or disclosure of PHI to purposes permitted by the covered entity; and assist the covered entity in responding to patients' requests for their PHI (45 CFR 164.308(b), 164.314(a), 164.502(e) and 164.504(e)). For more information on business associate agreements, see the attached HIPAA Business Associate Agreement checklist. If the covered entity discloses only a “limited data set” to the business associate, the parties may execute a data use agreement instead of a full business associate agreement (45 CFR 164.514(e)).

Business Associate Agreements (BAAs) are an essential part of any effective HIPAA compliance program. But understanding what a good BAA should and should not contain is not as intuitive as understanding that you need one. Business associates that violate HIPAA may be fined from $100 to more than $50,000 per violation.
(45 CFR 160.404). If the violation results from willful neglect, the Office for Civil Rights (“OCR”) must impose a fine of at least $10,000 per violation. (Id.) If the business associate's violation results from willful neglect and is not corrected within 30 days, OCR must impose a fine of at least $50,000 per violation. (Id.) A single incident can give rise to many violations. For example, the loss of a laptop containing the PHI of hundreds of patients can constitute hundreds of violations. Similarly, each day that a covered entity or business associate fails to implement a required policy is a separate violation (45 CFR 160.406). In addition to regulatory penalties, business associates that fail to comply with their business associate agreements may also be liable for contractual damages and/or indemnification obligations under the agreement. Put simply, a business associate is a person or organization that comes into contact with PHI through a covered entity or another business associate.
(78 FR 5572, emphasis added). Note that the foregoing analysis applies to data storage companies that have “access” to the PHI. Absent contrary guidance from HHS, there is a fairly strong argument that business associate requirements do not apply, and should not apply, to entities that maintain encrypted PHI if the entity does not hold the encryption key. The HHS breach notification rule treats encrypted data as secured. (See OCR's guidance at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html.) It would therefore be logical to conclude that maintaining encrypted data without the key should not trigger business associate obligations.

Conclusion and caution. I hope that companies that are not HIPAA “business associates” will avoid business associate status and the obligations that come with it.