C. What are the provisions to be included in a matching agreement?

To understand the HIPAA definition of a business partner, it is useful to first understand the definition of a HIPAA “covered entity.” A “covered entity” is defined as part of HIPAA, including health plans, health clearing houses and some health care providers that electronically transmit health information related to certain hip-.B operations. If you know that one of your business partners has significantly violated a BAA, HIPAA rules require you to correct this or terminate the BAA. Otherwise, you could be on the hook for non-compliance by the lender. And it makes HHS very angry when entities deliberately ignore HIPAA rules.

1 In HIPAA, “counterparties” are generally defined as companies that are not staff members of the covered entity, that create, receive, manage or transfer PHI on behalf of a covered entity, in order to perform certain listed functions, including claims processing; data analysis; checking usage; quality assurance; patient safety activities; settlement of accounts; benefit management; practice management; legal, insurance, accounting, consulting, data aggregation, management, accreditation or financing services; data services when access to data is needed; and subcontractors from business partners. 45 CFR 160.103.
2 Id. at § 164.402 and .404.
3 Id. at § 164.308(b) and .502(e)(1)-(2).
4 The omnibus rule extends the deadline until September 23, 2014 if (1) the BAA complied with the HIPAA rules as they existed before January 25, 2013 and (2) the BAA is not renewed or amended until September 23, 2014. See id. § 164.532(e). 164.103.
6 A covered entity is not obligated to execute a BAA if the entity concerned has disclosed to the counterparty only a limited set of data (as defined by HIPAA) and if the entity concerned has entered into an agreement to use the data with the counterparty which, if applicable, complies with the provisions of § 164.514(e) and 164.314(a). See § 164.504(e)(3)(iv). If the covered entity and counterparty are state entities, the BAA may provide for certain alternative or complementary provisions. See § 164.504(e)(3).
7 Id. at § 164.314(a)(2)(iii) and .504(e)(5).
8 Id. at § 164.504(e)(2)(i) and (4)(i)-(ii).
9 Id. at § 164.504(e)(2)(ii) and .314(a)(2).
Id. at § 164.504 (2)(ii) and (iii). The covered entity may refrain from authorizing termination if such authorization is inconsistent with the legal obligations of the covered entity or its counterparty. See § 164.504(e)(3)(iii).
11 Id. at § 164.504(e)(1)(ii).
12 Id. at § 160.402(c).
13 Id. at § 160.402(c) and 164.504(e)(1)(iii).

The HIPAA data protection rule requires a covered entity to obtain satisfactory assurances from its trading partners. It is essential that they understand the need to protect information about patient health care. The law also stipulates that such assurances must be made in writing. Companies and covered counterparties may face similar effects when ePHI is compromised in a data breach. A formal contract may reduce the risk to the covered entity, but it is also a mandatory HIPAA requirement. Just as a business partner is someone who provides a service to a covered entity, a counterparty subcontractor is a person or organization that provides a similar service on behalf of a BA.
Organizations may be both AAS and business partners, depending on who they provide services for in this case.