Written Business Associate Agreement

[Option 1 – if the business associate must return or destroy all protected health information upon termination of the contract] By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered health care providers and plans to share protected health information with these "business associates" if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of its duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions, not for the business associate's own use or purposes, except as necessary for the proper management and administration of the business associate. Tax Class – A business associate under this agreement is treated as a 1099 independent contractor that is responsible for paying its own and its employees' income tax. Upon termination of this Agreement for any reason, the Business Associate shall return or destroy protected health information received from the Covered Entity, or created, maintained or received by the Business Associate on behalf of the Covered Entity. There are certain exceptions to the requirement to sign a Business Associate Agreement.
These include specialists to whom a hospital refers a patient and sends the patient's medical record for treatment, laboratories to which a physician sends a patient's PHI for treatment, and disclosures of PHI by a group health plan to a health plan sponsor such as an employer. (d) The Business Associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by the covered entity [if the agreement permits the business associate to use protected health information for its own management, administration and legal responsibilities, or for data aggregation services in accordance with optional provisions (e), (f) or (g) below, then add "except for the specific uses and disclosures set out below".] There are many HIPAA business associate agreement templates available, but caution should be exercised before using them. Before using a template, it is important to check for whom it was designed to make sure it is relevant.

It must also be customized to meet all the requirements set by the covered entity. Once covered entities, business associates and subcontractors of business associates have identified their relationships with one another, it is important to ensure that third parties safeguard the PHI they receive. A signed agreement certifies that the BA knows that it must handle PHI securely. For this reason, it is preferable for BAAs to include language such as "as soon as the breach is discovered or should have been discovered" in the "Notification of Breaches" section of the agreement. The problem for many covered entities is that they do not always know to whom a HIPAA business associate agreement applies. The definition of a business associate is quite simple. According to the Department of Health and Human Services, a business associate is "[a] person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of a covered entity, or provides certain services to a covered entity, that involve the business associate's access to protected health information. A [BA] is also a subcontractor that creates, receives, maintains or transmits protected health information on behalf of another [BA]." The Department of Health and Human Services further defines a business associate as "a person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of a covered entity, or that provides services to a covered entity."

Finally, pursuant to 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), ensure that any subcontractors that create, receive, maintain or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions and requirements that apply to the business associate with respect to such information. However, if the covered entity has exercised due diligence before entering into an agreement, such situations are rare. Assuming the covered entity has exercised due diligence, it is unlikely to be found liable if a vendor violates the BAA and HIPAA in any way. When the vendor signs the document, it assumes responsibility for safeguarding the PHI. The contract must provide that the BA (or subcontractor) must implement appropriate administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of ePHI and to comply with the requirements of the HIPAA Security Rule. Some of these measures may be specified in the BAA or left to the discretion of the BA.

The BAA should also include the permitted uses and disclosures of PHI to meet the requirements of the HIPAA Privacy Rule. In the event that PHI is accessed by persons not authorized to view it, e.g. through an insider breach or a cyberattack, the business associate is obliged to notify the covered entity of the breach and possibly to send notifications to the individuals whose PHI has been compromised.