(78 FR 5574). However, even if a counterparty agreement is not necessary because an entity assists the counterparty in its own administrative functions, HIPAA limits the use or disclosure of PHI by the entity:

- to the extent that the counterparty must meet the obligation of an insured entity pursuant to section HIPAA, the requirements that apply to the entity covered in the performance of that obligation;

General provision. The data protection rule requires that a covered entity receive satisfactory assurances from its counterparty that the counterparty adequately protects the protected health information it receives or creates on behalf of the entity concerned. Satisfactory assurances must be made in writing, either in the form of a contract or other agreement between the covered entity and the counterparty.

“[A] person or corporation that is not a member of the staff of a covered company, performs functions or activities on behalf of a covered company, or provides certain services that include consideration of protected health information. A [BA] is also a subcontractor that creates, receives, manages or transmits protected health information on behalf of another [BA].”

If you sign up for a Hushmail for Healthcare account, you will receive a signing agreement. As soon as you sign it and send it back to us, we will add our signature and return the agreement.

A business partner's attention should also be drawn to the consequences of non-compliance with HIPAA requirements. Counterparties may be directly sanctioned by the supervisory authorities for HIPAA violations. A BAA is a signed document that confirms the willingness of a third-party supplier to take responsibility for the safety of your customers' PHI, to comply with appropriate security measures and to meet HIPAA requirements when dealing with PHI on your behalf. BAAs are necessary if you are a covered company.
Be sure to follow the BAA's signature process and store it in a safe and accessible location. If your practice has already been verified or affected by a data breach, you should quickly find the document to demonstrate the steps you have taken to protect your customers' PHI and HIPAA compliance.

An entity that owns [PHI] on behalf of an insured company is a business partner and not a channel, even if the entity does not actually look at the [PHI]. We recognize that in both situations, the entity that provides the service to the covered entity has the ability to access the [PHI]. However, the difference between the two situations lies in the temporary nature and the sustainable nature of this opportunity. For example, a data storage company that has access to [PHI] (digital or paper) is classified as a business partner, even if the entity does not look at them or looks at them only randomly or rarely. For example, document storage companies that manage [PHI] on behalf of covered companies are considered counterparties, whether or not they have access to the information they retain.