Instead, ask them to sign a confidentiality agreement. We include these points in the confidentiality agreements we offer our clients: you do not want an interpretation to give someone else the right to look at your entire business ecosystem, unless it makes commercial sense. (78 FR 5574). Even if no business associate agreement is required because an entity assists the covered entity in its own administrative functions, HIPAA still limits the company's use or disclosure of PHI: not all of these services are required to process your customers' information. However, some of them, for example an email provider like Hushmail, could at some point handle PHI. If you are a covered entity, this PHI must be protected. It is not enough, however, to define your partner's responsibility for protecting PHI; you must also spell out how they are expected to do so. A HIPAA business associate agreement should address how the partner is permitted to use the PHI, who can access it and under what circumstances, and what safeguards the partner will require of any subcontractors.

Avoid unnecessary business associate agreements.
Unfortunately, many covered entities and business associates seek such agreements out of ignorance or excess caution, even when the agreements are not technically required. Entities should avoid executing unnecessary business associate agreements: by signing one, they take on contractual obligations they would not have but for the agreement, including compliance costs that would not otherwise apply, restrictions on use and disclosure, and liability for non-compliance. In addition, by executing an unnecessary business associate agreement, the entity may improperly concede that it is a business associate and thereby expose itself to HIPAA penalties for non-compliance. To avoid such situations, companies that are asked to sign unnecessary business associate agreements may consider responding as follows:

By law, the HIPAA Privacy Rule applies only to covered entities: health plans, health care clearinghouses and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions themselves. Instead, they often use the services of many other individuals or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these "business associates" when the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity meet some of the covered entity's obligations under the Privacy Rule. Covered entities may disclose protected health information to a company in its role as a business associate only to help the covered entity carry out its health care functions, not for the business associate's independent use or purposes, except as needed for the proper management and administration of the business associate.
Compliancy Group's web compliance solution, The Guard, is equipped with everything you and your business need to manage your HIPAA business associates. General provision. The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.
Satisfactory assurances must be documented in writing, whether in the form of a contract or another agreement between the covered entity and the business associate.