Data Use Agreement Versus Business Associate Agreement

Have you signed business associate agreements? If not, you may be at risk.

The HIPAA Privacy Rule expressly exempts disclosures by a covered entity to a health care provider for treatment of the individual from the business associate contract requirements. See 45 CFR 164.502(e)(1). Therefore, any health care provider (or other covered entity) may disclose PHI to a health care provider for treatment purposes without a business associate agreement.

2. Workforce members. A covered entity's workforce members are not its business associates. "Workforce" includes "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate." (45 CFR 160.103). To avoid business associate obligations, contractors may attempt to be classified as workforce members of the covered entity. OCR stated:

2. Implement the specified administrative, technical and physical safeguards to protect the confidentiality, integrity and availability of electronic PHI (e.g. setting up access controls; using firewalls, anti-virus protection and encryption; backing up data; implementing appropriate security policies and procedures, etc.) (45 CFR 164.300 et seq.).

4. Condition the business associate agreement. If the covered entity continues to insist on a business associate agreement, the contractor or subcontractor could minimize its exposure by conditioning the agreement on its status as a business associate, i.e. it assumes the obligations if and to the extent that it is a business associate within the meaning of HIPAA. While this is an imperfect solution, it could at least allow the contractor to avoid regulatory penalties if it is in fact not a business associate.

A Data Use Agreement (DUA) is an agreement required by the Privacy Rule that must be entered into before a limited data set (defined below) is used by or disclosed to an outside institution or party. A limited data set is still protected health information (PHI), which is why covered entities such as Stanford must enter into a data use agreement with each recipient of a Stanford limited data set.

Business associates that violate HIPAA may be fined from $100 to more than $50,000 per violation (45 CFR 160.404). If the violation is due to willful neglect, the Office for Civil Rights ("OCR") must impose a penalty of at least $10,000 per violation. (Id.) If the business associate's violation is due to willful neglect and is not corrected within 30 days, OCR must impose a penalty of at least $50,000 per violation. (Id.) A single incident can give rise to many violations. For example, the loss of a laptop containing the PHI of hundreds of patients can constitute hundreds of violations. Similarly, each day that a covered entity or business associate fails to implement a required policy is a separate violation (45 CFR 160.406). In addition to regulatory penalties, business associates that fail to comply with their business associate agreements may also be liable for contractual damages and/or indemnification obligations under the agreement.

prohibit the recipient from using or further disclosing the information except as permitted by the agreement or as otherwise required by law; (78 FR 5574).

These "reasonable assurances" can be obtained through a limited confidentiality agreement; a full business associate agreement is not required. Each party in the chain is legally and contractually obligated to protect the PHI and to handle it to the same extent as the obligations of the covered entity at the top of the chain.

