With respect to privacy breach investigations and complaints, OCR found that the following affected companies did not obtain a HIPAA-compliant BAA from at least one vendor. In each case this was either the sole reason for the fine or an additional violation that contributed to the severity of the fine.

2. A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if, in accordance with § 164.314(a), the business associate obtains satisfactory assurances that the subcontractor will appropriately safeguard the information.

[Optional] The covered entity shall not request the business associate to use or disclose protected health information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by the covered entity. [Insert an exception if the business associate will use or disclose protected health information for data aggregation or for its own management and administration and legal responsibilities, and the agreement includes provisions to that effect.]

(d) Survival. The obligations of the business associate under this Section shall survive the termination of this Agreement.

In addition to the provisions required by HIPAA, a party may wish to include additional protective measures. For example, a covered entity may include an indemnification provision to protect itself in the event that a business associate suffers a security breach involving the covered entity's PHI.
[option 2], subject to the following minimum necessary requirements: [include specific minimum necessary provisions that are consistent with the covered entity's minimum necessary policies and procedures.]

Many vendors do not receive PHI in order to perform tasks on behalf of the covered entity, but ePHI passes through their systems. Many software solutions touch ePHI, which means the software provider is considered a business associate. There are exceptions for entities that act as mere conduits through which ePHI passes (see the conduit exception), although most cloud service and software providers are not exempt from HIPAA compliance and require BAAs. Covered entities may be fined if they have not entered into a HIPAA business associate agreement, or have executed an incomplete one, although HITECH (78 FR 5574) provides that business associates are required to comply with the HIPAA Security Rule even if no business associate agreement is executed.

A HIPAA business associate agreement is a contract between a HIPAA covered entity and a vendor used by that entity. A HIPAA covered entity is typically a health care provider, health plan, or health care clearinghouse that conducts transactions electronically.