[The parties may add further specificity about how the business associate responds to an access request that it receives directly from the individual (for example, whether the business associate should grant the requested access and within what time, or whether the business associate forwards the individual's request to the covered entity to respond to it) and the time frame within which the business associate can transmit the information to the covered entity.]
Covered entities and business associates may be sanctioned if they do not enter into a business associate agreement where one is required, and the penalties can be severe. For example, a group of doctors in Florida paid a $500,000 fine for not entering into a business associate agreement with their billing company. After the billing company incorrectly published PHI on its website, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) sanctioned the group for failing to take appropriate steps to secure the PHI, including the failure to enter into a business associate agreement with the billing company.
This document contains sample business associate agreement provisions that help covered entities and business associates more easily meet the business associate contract requirements. While these sample provisions are written for the contract between a covered entity and its business associate, the language may be adapted for the contract between a business associate and a subcontractor.
Probably. Most of the time, independent contractors and consultants will not be under your direct control and should be treated as business associates, which means they must be prepared to fully comply with HIPAA, including signing a BAA and taking responsibility for compliance. Whenever there is a business relationship between two parties, they must execute a BAA.
(Note that a BAA should not be a stand-alone agreement. The necessary provisions can be incorporated into terms of service, master service agreements, data security agreements, etc.)
A "business associate" is a person or organization (other than a member of a covered entity's workforce) that performs certain functions or activities on behalf of a covered entity, or provides certain services, involving access to PHI. A "business associate" also includes a subcontractor who creates, receives, manages or transfers PHI on behalf of another business associate.
Business associates' functions and activities include: processing or managing receivables; data analysis, processing or management; checking usage; quality assurance; settlement of accounts; benefit management; practice management; and reassessment.
The services provided by business associates may include: actuarial; accounting; consulting; data aggregation; administration; medical, administrative transport; accreditation; and financial.
Good question. HHS did not tell us directly. It probably means that the other entity (a covered entity or another business associate) pays you or guides you in processing the PHI.
Exceptions to the Business Associate Standard.
The Privacy Rule contains the following exceptions to the Business Associate standard. See 45 CFR 164.502(e). In these cases, a covered entity is not required to have a business associate contract or other written agreement in place before protected health information may be disclosed to the person or entity.
(a) Business associates may use or disclose protected health information only in compliance with HIPAA, where a business associate agreement contains a description of the permitted and required uses and disclosures of PHI by the business associate.