Compliancy Group`s web compliance solution, The Guard, is equipped with everything you and your business need to manage your HIPAA business associates. (OCR Frequently Asked Questions (“FAQ”), available at Similarly, “the simple sale or provision of software to a registered business does not result in a business relationship if the seller does not have access to the [PHI] of the registered business.” (Id.) Companies wishing to avoid counterparty obligations may wish to include in their service contracts a provision confirming that phi is not required to perform its functions and that their customers, who are registered companies or counterparties, do not make available to the company POs (or, as explained below, unencrypted POs) without the prior approval of the entity. 4. Condition of the matching agreement. If the covered entity continues to insist on a counterparty agreement, the counterparty or subcontractor could minimize its commitment by conditioning a counterparty agreement on the entity`s counterparty status as consideration, i.e. it assumes responsibility if and to the extent that it is a counterparty within the meaning of HIPAA. While this is an imperfect solution, it could at least allow the company to avoid regulatory sanctions if it is really not a trading partner. HIPAA data protection rules now apply to both covered businesses (for example.

(B) health care providers and health plans) than to their business partners. A “counterparty” is usually a person who receives, manages or transfers protected health information (“PHI”) as part of the performance exercise on behalf of the company concerned (. B, for example, consulting, management, accounting, coding, transcription or marketing); IT entrepreneurs Data storage or document destruction companies Data companies or providers that have regular access to PIS; Third-party directors; Providers of personal health registries Lawyers; Accountants (see 45 CFR 160.103). “A covered business can be a counterpart to another insured business.” (Id.) In addition, a subcontractor or other entity created, received, managed or transmitted by PHI on behalf of a counterparty is also a consideration, with very limited exceptions. (Id.; 78 EN 5572). You will find information on whether an entity is a counterparty in the attached case award decision structure. A business partnership contract is a written agreement that defines each party`s responsibilities with respect to PHI. 7. Entities that are only “tubes” for PHI. Companies that transfer POs to a covered company are not business partners when they are not required to regularly access the PHI, i.e. they are only “lines” of the PHI (for example.

B Internet service providers, telephone companies, etc.). (45 CFR 160.103; 78 FR 5571; 65 FR 82476). If you answered “yes” to these two questions, you are a “secure unit” and you must receive a BAA from all the third parties you use for your firm when they process mit PHI. A business partner should also be drawn to the consequences of non-compliance with HIPAA requirements. The counterparties may be directly sanctioned by the authorities for the supervision of hip-hop offences. 5. If the counterparty uses subcontractors or other entities to provide services to the registered business in which PHI is involved, you enter into matching agreements with the subcontractors. (45 CFR 164.314 (a) and 164,504 (e)).

However, if the covered entity has performed its due diligence prior to the conclusion of an agreement, these situations are rare. Assuming that the covered company is diligent, it is unlikely that the covered business will be guilty if a supplier violates the BAA and in any way violates HIPAA.