(78 FR 5574). These “reasonable assurances” can be obtained through a limited confidentiality agreement; a full-fledged counterparty agreement is not necessary. It's like a chain that follows the PHI from the first link, which is the covered entity. The next link is the trading partner, and all of its subcontractors (including trading partners) are the links that follow. Think of subcontractors as business partners. The BAA follows the direct path of the chain. A covered company is therefore not required to sign a BAA with the subcontractors of its trading partners; it is the business partner that must do so. For many covered companies, it is not always clear who is subject to a HIPAA business partnership agreement. The Department of Health and Human Services defines a counterparty as “a person or organization that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of a covered company or that provide services to a covered business.” (OCR FAQ). Although classifying a contractor as a staff member would help the contractor circumvent counterparty obligations, covered companies may refuse to classify contractors as staff, as this may indicate that the contractor is acting as an agent of the covered company, exposing the covered company to additional liability for the contractor's actions.
(See 45 CFR 160.402(c); 78 FR 5581.) The counterparty agreement is a contract that defines the types of protected health information (PHI) made available to the counterparty, the authorized uses and disclosures of PHI, the measures to be implemented to protect this information (for example, encryption at rest and during transmission), and the measures that the BA must take in the event of a security breach involving the PHI. Put simply, a business partner is a person or organization that interacts with PHI through a covered entity or other business partner. For this reason, it is preferable for BAAs to include in the breach notification section of the agreement language such as “as soon as the offence has been discovered or should have been discovered”. You will find a detailed list of the information you need to include in your trade agreements from the Department of Health and Human Services. As a general rule, the BAA also defines the services provided by the counterparty and the nature of the data with which it interacts, and addresses the areas relating to breach notifications (for example, timelines) and sanctions. Be sure to go through this BAA signing process and store the signed agreement in a safe and accessible location.