Where a counterparty/processor breaches or violates a BAA, the covered entity must take appropriate measures to remedy the breach or to bring the violation to an end. «If such measures fail, they must terminate the contract or agreement,» HHS explains. «If termination of the contract or agreement is not possible, a covered organization is required to report the problem to the HHS Office for Civil Rights.»

The problem for many covered companies is that they are not always sure to whom a HIPAA counterparty agreement applies. The Department of Health & Human Services defines a counterparty as «a natural or legal person who performs certain functions or activities that involve the use or disclosure of protected health information on behalf of or that provides services to a covered entity.»

The counterparty agreement ensures that there is a chain of custody for PHI. A supplier to a HIPAA covered entity must enter into a contract with the covered entity, and a subcontractor engaged by a counterparty is also required to enter into such a contract. A subcontractor is a business partner of a counterparty and is not covered by the BA/Covered Entity contract. Before the subcontractor is allowed access to PHI, a separate contract must be signed. The chain can be long, and the further ePHI is from the covered entity, the greater the potential for breach of the HIPAA counterparty agreement.

While it is almost always necessary for a counterparty to sign an agreement with a covered entity when the counterparty creates, receives, maintains or transmits ePHI on behalf of the covered entity, an entity is not a counterparty and no agreement is required if the entity does not provide a covered service to the covered enterprise (e.g., a landscaper).
In the event that PHI under the responsibility of the counterparty is accessed by persons who are not authorized to view the information, the counterparty is required to inform the entity concerned of the breach and possibly to send notifications to the persons whose PHI has been compromised. The timing and responsibilities of notifications should be set out in the agreement. While it may seem reasonable to set a short period of time for reporting a violation, remember that the BA may not be aware of the violation until a few days after the event.

There are many HIPAA counterparty agreement templates, but care is needed before using them. Before using such a template, it is important to check for whom it was designed, to make sure it is relevant. It should also be customized to include all requirements defined by the covered entity.

This document contains examples of counterparty agreements that make it easier for covered companies and counterparties to meet counterparty contract requirements. While these sample provisions have been drafted for the purposes of the contract between a covered entity and its counterparty, the language may be adapted for the purposes of the contract between a counterparty and a subcontractor. The BAA pdf above was designed as an agreement between a single covered company and a single business partner…
- Posted by wbase
- On 12 September, 2021