When an organization uses, stores, transmits or accesses protected health information (PHI) on behalf of another organization, it will most likely be treated as a business associate (BA) under HIPAA. By law, the HIPAA Privacy Rule applies directly only to covered entities: health plans, health care clearinghouses and certain health care providers. However, most health care providers and health plans do not perform all of their health care activities and functions themselves; they often rely on the services of many other individuals and businesses. The Privacy Rule allows covered providers and health plans to disclose PHI to these "business associates" when the provider or plan obtains satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse and will help the covered entity carry out some of its own duties under the Privacy Rule. A covered entity may disclose PHI to an organization in its role as a business associate only to help the covered entity carry out its health care functions, not for the business associate's independent use or purposes, except as needed for the proper management and administration of the business associate. Matters became considerably more complicated when the HITECH-driven HIPAA Omnibus Rule of 2013 extended the previously simple definition of a business associate to cover subcontractors. Subcontractors, such as a software developer or hosting provider, are typically service or technology organizations that supply supporting services to business associates, which in turn serve covered entities. The Omnibus Rule changed the way both business associates (BAs) and business associate subcontractors can be held liable for HIPAA violations.
It is therefore in the interest of both the covered entity and the BA to maintain a thorough understanding of their relationship and to know what each expects of the other when it comes to securing patient, customer or employee data. Question: If we use an offshore business associate, must they follow HIPAA? Can we use someone in another country? The HHS Office for Civil Rights (OCR) has imposed numerous fines for contractual failures involving business associates.
In investigations of privacy complaints and violations, OCR found that the following covered entities had failed to obtain a signed HIPAA business associate agreement (BAA) from at least one vendor. This was either the sole basis for the penalty or an additional violation that increased its severity. Does a subcontractor have to comply with every provision of your BAA? The Privacy Rule appears to say so.