Business Associate Agreements With Subcontractors

At Datica, we know that subcontractors, as defined by HIPAA, have been around for a long time. As more and more health applications and services have been transferred to hosted or cloud-based applications and more infrastructure tools (application developers, logging, analytics, data collection, etc.), companies and business partners covered have begun to rely on “subcontractors.” The new HIPAA rules now mean that these subcontractors must cooperate with trading partners to ensure that all parties are covered in liability matters. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) stipulates that covered companies must enter into contracts with their trading partners to ensure that counterparties properly protect protect protected health information (“PHI”). Counterparties who mandate contractors for certain functions related to the PHI are also required to enter into co-partner contracts with their subcontractors. This article provides an overview of the rules for counterparty agreements. It became much more disturbing when the hitech HIPAA Omnibus Rule expanded in 2013 the simple previous definition of the business partner to the so-called subcontractor. Subcontractors, such as a software developer or host, are typically service or technology organizations that provide additional services to partners that provide services to covered businesses. HIPAA requires that a covered company enter into a HIPAA-compliant counterparty agreement with all counterparties. In addition, all counterparties must enter into HIPAA-compliant counterparty contracts with subcontractors who perform certain functions and have access to the covered company`s PHI. (d) the subcontractor undertakes to put in place appropriate security measures to prevent the use or disclosure of the PHI, except for what is authorized by this BASA or the underlying agreement or as required by law. These security measures include the requirements for the implementation of the security rule for electronic PPHs. (a) counterparties.

“counterparty” generally has the same meaning as the term “counterpart” for 45 CFR 160.103 and means, with respect to the party in this agreement, the party to the agreement [insert the name of the consideration]. HIPAA requires insured entities to cooperate only with trading partners that guarantee full protection of the PHI. These assurances must take the form of a contract or other agreement between the insured company and the BA.1)The subcontractors undertake to make available to the secretary, at the request of the secretary or ACCESS, his internal practices, his books and his statements relating to the use and disclosure of PHI, after having received at least five (5) days in advance a written notification from ACCESS. to determine compliance with HIPAA rules. Instead, ask them to sign a confidentiality agreement. We include these points in the confidentiality agreements we offer to our customers: contractors who work exclusively for your business, individuals with other customers and employees hired through a company are not business partners. However, your company is liable if one of these people violates the PHI. (e) ACCESS undertakes, as far as possible and within the liability limits set out in the underlying contract or a maximum of six (6) months of fees paid by the counterparty to ACCESS, as required (or no more than six (6) months of expenses, if there is no limitation of liability in the underlying agreement, to mitigate the adverse effects for the known counterparty of ACCESS , a violation of an unsecured PHI or the use or disclosure of PHI by ACCESS as a result of the access violation is THE maximum liability of ACCESS for all claims, means, fines, penalties, damages, costs or related expenses.

Comments are closed.