What Is a Business Associate? Primary Responsibilities under HIPAA

7. Enforce written security policies. As with covered entities, business associates must adopt and comply with the written policies required by the Security Rule.36 A checklist of required policies can be found at this link. According to HHS, maintaining the required written policies is a critical factor in avoiding penalties for "willful neglect." Rite Aid paid $1,000,000 to resolve HIPAA violations, in part because it had not adopted the required HIPAA policies.

If you are a business associate, notify the relevant covered entities immediately after discovering a breach (and no later than 60 days after the breach is discovered). Identify each individual affected by the breach and send this information to all relevant covered entities.

(a) The business associate may only use or disclose protected health information

(g) [Optional] The business associate may provide data aggregation services relating to the health care operations of the covered entity.

A covered entity (CE), on the other hand, is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically (e.g. doctors, dentists, pharmacies, health insurance companies, company health plans, etc.). Although a member of the covered entity's workforce is not a business associate, a covered health care provider, health plan, or health care clearinghouse may be a business associate of another covered entity.

Business associates must comply with HIPAA for the following reasons:

Exceptions to the business associate standard. The Privacy Rule contains the following exceptions to the business associate standard (see 45 CFR 164.502(e)). In these situations, a covered entity is not required to enter into a business associate agreement or other written agreement before protected health information may be disclosed to the person or entity.

Business associates may come from legal, actuarial, consulting, data aggregation, management, administrative, accreditation and/or financial organizations. Some possible functions of business associates include:

Basically, every covered entity that works with business associates must receive assurance that you are handling patient data as HHS requires and as the covered entity requires. Some covered entities require proof of a completed risk analysis, require the implementation of a standard risk management plan, and/or perform a HIPAA audit before they will even send you patient data.

2. Execute and comply with valid business associate agreements. Entities that are business associates must sign and execute written business associate agreements that, in essence, require the business associate to safeguard the privacy of PHI; limit the business associate's use or disclosure of PHI to the purposes authorized by the covered entity; and help covered entities respond to individuals' requests concerning their PHI.19 OCR has published sample business associate agreement language on its website: www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

11. Keep the required documentation. Business associates must retain the documentation required by the Security Rule for six years from the date the document was last in effect.42 While not required, documenting other measures taken to promote compliance can help rebut an allegation of willful neglect.

HIPAA covered entities are individuals or entities that transmit protected health information in connection with transactions for which the Department of Health and Human Services has adopted standards (see 45 CFR 160.103). A business associate is an organization or person that performs work or activities on behalf of a covered entity that may involve the use or disclosure of protected health information. In other words, if a third-party organization could potentially access PHI in the normal course of its delegated work, it is a business associate. Business associates of HIPAA covered entities include third-party service providers, billing companies, transcriptionists, cloud service providers, data storage companies (electronic and physical records), EHR vendors, consultants, attorneys, CPA firms, pharmacy benefit managers, claims processors, debt collection agencies, and medical device manufacturers.

One of the first steps in protecting PHI is to determine how much you have, what type you have, where it resides in your organization, what systems handle it, and with whom you share it.

(d) The business associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by the covered entity [if the agreement permits the business associate to use protected health information for its own management and administration and legal responsibilities, or for data aggregation services under optional provision (e), (f) or (g) below, then add "except for the specific uses and disclosures set forth below"].
HIPAA covered entities, and business associates that have signed a BAA with a covered entity, must comply with the HIPAA Rules. Failure to comply with any aspect of HIPAA can result in financial penalties. The maximum penalty for a HIPAA violation is $50,000 per incident, up to a maximum of $1.5 million per violation category per year.

(h) To the extent the business associate is to carry out one or more of the covered entity's obligations under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s).

In this white paper, you will learn the basics of business associates, what you need to know to protect PHI, and best practices for business associates.