In this white paper, you will learn the basics of business associate status under HIPAA, what you need to know to protect protected health information (PHI), and best practices for business associates.

Covered entities under HIPAA are individuals or organizations that transmit protected health information in connection with transactions for which the Department of Health and Human Services has adopted standards (see 45 CFR 160.103). A covered entity (CE) is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically (for example doctors, dentists, pharmacies, health insurance companies, and employer-sponsored health plans). A business associate is an organization or person that performs functions or activities on behalf of a covered entity that may involve the use or disclosure of PHI. In other words, if a third party could access PHI in the normal course of the work delegated to it, it is a business associate. Business associates of covered entities include third-party service providers, billing companies, transcription services, cloud service providers, data storage companies (electronic and physical records), EHR vendors, consultants, attorneys, CPA firms, pharmacy benefit managers, claims processors, debt collection agencies, and medical device manufacturers. A member of a covered entity's own workforce is not a business associate, but a covered health care provider, health plan, or health care clearinghouse may be a business associate of another covered entity.

Covered entities, and business associates that have entered into a business associate agreement (BAA) with a covered entity, must comply with the HIPAA rules. Failure to comply with any aspect of HIPAA may result in financial penalties. The statutory maximum penalty for a HIPAA violation is $50,000 per violation, up to a maximum of $1.5 million per year for violations of the same provision.

A BAA sets out the business associate's permitted uses of PHI and its obligations. Typical provisions include:

(a) The business associate may only use or disclose protected health information

(d) The business associate may not use or disclose protected health information in a manner that would violate Subpart E of 45 CFR Part 164 if done by the covered entity. [If the agreement permits the business associate to use or disclose protected health information for its own management, administration and legal responsibilities, or for data aggregation services under optional provisions (e), (f) or (g) below, add "except for the specific uses and disclosures set forth below."]

(g) [Optional] The business associate may provide data aggregation services relating to the health care operations of the covered entity.

(h) To the extent the business associate is to carry out one or more of the covered entity's obligations under Subpart E of 45 CFR Part 164, it must comply with the requirements of Subpart E that apply to the covered entity in the performance of those obligations.

One of the first steps in protecting PHI is to determine how much of it you hold, what types, where it resides in your organization, which systems process it, and with whom you share it.

7. Adopt and enforce written security policies. Like covered entities, business associates must adopt and comply with the written policies and procedures required by the Security Rule.36 A checklist of required policies can be found at this link. According to HHS, maintaining the required written policies is a critical factor in avoiding penalties for "willful neglect." Rite Aid paid $1,000,000 to settle HIPAA violations, in part because it lacked the HIPAA policies required of it.

Report breaches promptly. If you are a business associate, notify the affected covered entity without unreasonable delay after discovering a breach of unsecured PHI, and in no case later than 60 days after the breach is discovered. Identify each individual whose PHI was affected and provide that information to the covered entity.

Retain the required documentation. Business associates must retain the documentation required by the Security Rule for six years from the date it was created or the date it was last in effect, whichever is later.42 While not required, documenting additional compliance measures can help rebut an allegation of willful neglect.