The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities and their business partners, but which companies are covered by HIPAA, and what types of businesses are classified as business partners?

Under HIPAA, the term "covered entity" means: (1) a health plan; (2) a health care clearinghouse; or (3) a health care provider who transmits health information in electronic form in connection with a transaction covered by the Privacy, Security, Breach Notification and Enforcement Rules.

Question: If we use a business partner abroad, do they have to follow HIPAA? Are we even allowed to use someone in another country?

HHS's OCR database contains a list of resolution agreements entered into between HHS and a covered entity or business partner after HHS has been informed that the covered entity or business partner may have violated HIPAA. This is a great resource for learning what the government considers HIPAA non-compliance and can be insightful for any organization dealing with HIPAA. A resolution agreement is a settlement agreement signed by a covered entity or business partner. It is important to note that by entering into a resolution agreement, the covered entity or business partner concerned does not admit any liability with respect to the alleged HIPAA violations, and HHS releases the parties from any action it may have against them for the conduct in question. Under the terms of the resolution agreement, the covered entity or business partner undertakes to comply with certain obligations and to report to HHS, usually for a period of three years. During this period HHS monitors compliance with those obligations, and the agreement may also include payment of a settlement amount. If HHS cannot reach a satisfactory resolution through informal means, including a resolution agreement, that demonstrate compliance by the covered entity or its business partners, civil money penalties (CMPs) may be imposed on them for non-compliance.
Covered entities may disclose PHI to business partners if the covered entity receives "satisfactory assurances", as described in 45 CFR 164.502(e)(1), that the business partner will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the HIPAA Privacy Rule.

Satisfactory assurances must be given in writing, whether in the form of a contract or other agreement between the covered entity and the business partner. This is the reason for the existence of the "Business Partnership Agreement", which is sometimes overlooked or signed as a mere formality by companies or individuals receiving PHI from a covered entity. However, it is an important legal document that describes the regulatory obligations of the covered entity and its business partner under HIPAA when handling that PHI, as well as the obligations of a business partner's subcontractor when PHI is shared between a business partner and its subcontractor.

HIPAA-covered entities are health care providers, health plans, and health care clearinghouses that electronically transmit health information for transactions for which HHS has adopted standards. A vendor whose work is not an integral part of your health care services and who may only incidentally encounter PHI is not a business partner. However, you should make sure you follow your own policies to maintain patient privacy and security: use "safety precautions" such as locking drawers, covering screens, and shredding paper records to minimize incidental disclosures. Under the Privacy Rule, any business that meets the definition of a covered entity, regardless of its size or complexity, is generally subject to the Privacy Rule in its entirety.

However, the Privacy Rule provides a way in which many covered entities can avoid global application of the rule through its provisions on the designation of hybrid entities. This designation determines which parts of the organization must comply with the Privacy Rule. Covered entities may disclose PHI to an entity in its role as a business partner only to assist the covered entity in performing its health care functions, and not for the independent use or purposes of the business partner, except as needed for the proper management and administration of the business partner.

Answer: No, you are a business partner, because PHI is more than a medical diagnosis (or complaint). A name or phone number alone, when linked to a health care appointment, is PHI, and by answering the phone for a health care provider you "receive" PHI.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies only to covered entities: health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not perform all of their health care activities and functions themselves. Instead, they often use the services of a variety of other persons or businesses called "business partners". Business partners are subject to HIPAA, and this article describes what a business partner is, what a business partner's obligations are, how to hold a business partner accountable for HIPAA violations, and tips on how to avoid such liability. For example, a covered entity such as a health care provider, health plan, or health care clearinghouse may also be a business partner of another covered entity. A member of the covered entity's workforce is NOT a business partner, nor is anyone who might only incidentally encounter patient information (such as a janitorial service or an electrician).

Business Partner Contracts.
A covered entity's contract or other written agreement with its business partner must contain the elements specified in 45 CFR 164.504(e).

For example, the contract must: describe the permitted and required uses of protected health information by the business partner; provide that the business partner will not use or further disclose protected health information other than as permitted or required by the contract or as required by law; and require the business partner to use appropriate safeguards to prevent a use or disclosure of protected health information not provided for by the contract. If a covered entity becomes aware of a pattern of activity or practice of the business partner that constitutes a material breach or violation of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation and, if such steps are unsuccessful, to terminate the contract or agreement. If termination of the contract or agreement is not feasible, the covered entity is required to report the problem to the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS). Please take a look at our business partner contract template.

Question: I run an answering service, and we never hear medical information, just a patient's name and number for a reminder. Doesn't this mean that we do not receive protected health information and therefore we are not a business partner, but only a regular vendor?

Accountable is designed to simplify and streamline the HIPAA compliance process for covered entities and business partners. Our solution comes with several templates that are easily customizable for all types of service contracts, allowing the BA to adopt the right policies and procedures to protect the PHI in its charge and providing a framework for HIPAA compliance. Legally, the HIPAA Privacy Rule applies only to covered entities. However, because covered entities generally need the services of vendors who may require access to PHI to perform certain tasks, the HIPAA Privacy Rule allows covered entities to share PHI with those vendors.
The Privacy Rule also protects individually identifiable health information when it is created or maintained by a person or entity performing certain functions on behalf of a covered entity. A business partner is a person or entity that is not a member of the workforce and that performs or assists, for or on behalf of a covered entity, a function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule, that involves the use or disclosure of individually identifiable health information, or that provides certain services to a covered entity that involve the use or disclosure of individually identifiable health information.

Since the HIPAA Administrative Simplification Rules do not directly regulate research activities, the Privacy Rule does not require a researcher or research sponsor to become a business partner of a covered entity for research purposes. However, a covered entity may engage business partners to help de-identify PHI, prepare limited data sets, or perform data aggregation. The Privacy Rule requires a covered entity to enter into a written contract, or, where both parties are governmental entities, another arrangement permitted by the Rule, with its business partners. The business partner provisions of the Rule can be found at 45 CFR 164.502(e) and 164.504(e). As a general rule, for the purposes permitted by the Privacy Rule and set out in its written agreement with its business partner, a covered entity may disclose PHI to that business partner and allow the business partner to use, create or receive PHI on its behalf.