After years of uncertainty about the extent of business associates' direct liability under HIPAA, HHS' Office for Civil Rights ("OCR") has released a fact sheet outlining the circumstances under which business associates can be held directly responsible for HIPAA violations. Covered entities are also required to comply with certain administrative requirements regarding breach reporting. For example, covered entities must have written policies and procedures in place for reporting breaches, train employees on these policies and procedures, and develop and apply appropriate sanctions against employees who do not comply with them. The BAA describes in detail why the BA must have access to the client organization's PHI. It should also include details on how the BA will take appropriate measures to protect PHI. In addition, the BAA contains a protocol that the BA intends to follow in the event of a data breach or other privacy breach that could compromise PHI.

4. Comply with the Privacy Rule. Most of the provisions of the Privacy Rule do not apply directly to business associates.[26] However, since business associates cannot use or disclose PHI in a manner contrary to the restrictions that apply to covered entities,[27] business associates will likely have to implement many of the same policies and safeguards that the Privacy Rule requires of covered entities, including rules for the use and disclosure of PHI and individuals' rights relating to their PHI. These are generally described in the business associate's agreement with the covered entity.[28] Business associates should generally be aware of the requirements of the Privacy Rule, as well as any additional restrictions that the covered entity may have imposed on itself through its notice of privacy practices or agreements with individuals. With increased penalties, lower standards for reporting breaches, and expanded enforcement, it is more important than ever for business associates to comply with HIPAA, or at least document good-faith compliance efforts, to avoid accusations of willful neglect, mandatory penalties, and civil lawsuits. Here are the most important compliance actions that business associates should take. Covered entities may sometimes add conditions or impose obligations in business associate agreements that are not required by HIPAA. Business associates should carefully review business associate agreements to ensure that they do not unknowingly assume unforeseen obligations, such as indemnification provisions or insurance requirements. Conversely, business associates may want to add terms that limit their liability, e.g. liability caps, mutual indemnification, etc. A checklist for business associate agreements and proposed terms can be found at this link.

A "business associate" means a person or entity that "creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity," or that provides services involving the use or disclosure of PHI to a covered entity.[1] To engage a business associate, a covered entity must have a business associate agreement or other written arrangement detailing the business associate's obligations and its requirements to comply with the HIPAA privacy regulations. In addition, business associates must put in place safeguards to prevent the use or disclosure of PHI beyond the terms of the agreement. Covered entities and business associates need only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance. This guidance was first published in April 2009 with a request for public comment. The guidance was reissued after review of the public comments received and specifies that encryption and destruction are the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized persons. In addition, the guidance also applies to unsecured personal health record identifiable health information under the FTC regulations.

Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information in accordance with the guidance are relieved of the obligation to provide notifications following a breach of such information. OCR clarified this uncertainty by releasing the fact sheet, which lists 10 provisions of the HIPAA Rules for which business associates can be held directly liable. Thus, OCR may take enforcement action against business associates only for the following requirements and prohibitions:

10. Report security incidents and breaches in a timely manner. Business associates must inform the covered entity of certain threats to PHI. First, business associates must report breaches of unsecured PHI to the covered entity so that the covered entity can report the breach to the individual and to HHS.[39] Second, the business associate must report uses or disclosures that violate the business associate agreement with the covered entity, which would likely include uses or disclosures that violate HIPAA, even if they are subject to the breach notification rules.[40] Third, business associates must report "security incidents," defined as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or interference with system operations in a PHI system."[41] The fact sheet is important because it reminds us that there are situations in which a business associate could cause a HIPAA violation but cannot be held directly accountable to OCR. In those cases, it is the covered entity that would likely be directly responsible to OCR for the business associate's actions. Following a breach of unsecured protected health information, covered entities must notify the affected individuals, the Secretary, and, in certain circumstances, the media of the breach. In addition, business associates must notify the covered entity if a breach occurs at or by the business associate.
The good news is that if the business associate does not act with willful neglect, OCR may waive or reduce penalties depending on the circumstances.[10] More importantly, if the business associate does not act with willful neglect and corrects the violation within 30 days, OCR cannot impose a penalty; timely correction is an affirmative defense.[11] Whether business associates have implemented the required policies and safeguards is an important consideration in determining whether they acted with willful neglect.[12]

5. Perform a Security Rule risk analysis. Unlike the Privacy Rule, the Security Rule applies directly to business associates.[33] Business associates must perform and document a risk analysis of their computer and other information systems in order to identify potential security risks and respond accordingly.[34] HHS has developed and made available a security risk assessment tool for covered entities and business associates: www.healthit.gov/providers-professionals/security-risk-assessment-tool