It became much more disturbing in 2013, when the HITECH HIPAA Omnibus Rule expanded the previously simple definition of the business partner to include the so-called subcontractor. Subcontractors, such as a software developer or host, are typically service or technology organizations that provide additional services to partners that provide services to covered businesses.
www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
searchsecurity.techtarget.com/definition/business-associate
www.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa-regulations-affect-business-associates
www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
For [all] information that is not required by law, [HIPAA] requires that the consideration receive appropriate assurances from the person to whom the [PHI] is disclosed, that it is confidential and that it is used or disseminated only at that time, in accordance with the law, or for the purposes for which it was disclosed to the person, and that the person inform the counterparty of any cases for which he is aware of the confidentiality of the information. See point 164.504(e)(4)(ii)(B).
Association business requirements.
In general, a company that is a “business partner” under HIPAA must:
HIPAA requires that a covered company and its business partners who come into contact with PHI as part of their services sign a Business Associate Agreement (BAA), which is a contract between a covered organization and an organization or individual that sets out that organization's obligations and responsibilities with respect to the protection of protected health information shared between the two parties. All matching agreements mention the following:
Contractors who work exclusively for your business, people with other customers and employees recruited through a company are not counterparties. However, your company is liable if one of these people violates the PHI.
HIPAA requires insured entities to cooperate only with trading partners that guarantee full protection of the PHI. These assurances must take the form of a contract or other agreement between the insured company and the BA.
3. Offer to implement an appropriate confidentiality agreement.
Instead of a counterparty agreement, the counterparty or subcontractor may propose to enter into an appropriate confidentiality agreement that protects the covered entity while avoiding the full liability or regulatory liability of a counterparty agreement. Even offshore organizations can be considered business partners if any of the information they receive, transfer or manage can potentially be used to identify a patient in the United States.