HHS can monitor AABs and subcontractors to verify HIPAA compliance, not just covered companies. This means that organizations must have a Trade Association Agreement (BAA) for all three levels in order to meet HIPAA requirements. It is in your best interest to have an agreement, as all three classifications are responsible for the protection of the PHI. Some covered companies have taken a “safer than sad” approach to addressing their definitional problems, and have entered into agreements with all the companies with which they have business relationships, whether necessary or not. Recent studies funded by the California Healthcare Foundation have shown that many companies unnecessarily enter into agreements with other covered companies and also enter into agreements with suppliers who did not have access to the PHI and would probably never do so. In one case, a covered company asked its landscaper to sign a HIPAA business partnership agreement. Contractors who work exclusively for your business, individuals with other customers, and employees hired through a company are not business partners. However, your company is liable if one of these people violates the PHI. HIPAA requires insured entities to cooperate only with trading partners that guarantee full protection of the PHI. These assurances must be made in writing in the form of a contract or other agreement between the insured unit and BA.1 But let`s be honest… It is difficult, if not impossible, to run a business without the help of third parties. Hiring outside help when you need extra hands or if you have special needs is often made sense by business. By law, the hipaa privacy rule only applies to covered institutions – health plans, health care compensation rooms and some health care providers.

However, most health care providers and health plans do not perform all of their health activities and functions themselves. Instead, they often use the services of many other individuals or businesses. The data protection rule allows providers and covered health plans to transmit protected health information to these “counterparties” when providers or plans receive satisfactory assurances that the counterparty uses the information only for the purposes for which it was mandated by the covered entity, which protects the information from abuse and helps the added entity fulfill some of the obligations of the entity covered under the data protection rule. Covered companies may disclose protected health information to a company in its role as a business partner only to assist the insured company in fulfilling its health missions – not for independent use or for the purposes of counterparty, unless it is necessary for the proper management and management of the counterparty. Covered companies may be fined for not entering into a HIPAA counterparty agreement or for entering into an incomplete agreement – while HITECH 78 FR 5574 AAS are required to comply with the HIPAA safety rule, even if no HIPAA counterparty agreement is reached. It also means ensuring that each business partner also follows HIPAA`s best practices to protect the personal data or PPHs it touches.