The conduit exception is a HIPAA provision for certain entities or individuals, such as postal workers, that deliver mail that may contain PHI. In the event of a violation of, or non-compliance with, a BAA by a business associate or subcontractor, the covered entity must take appropriate measures to cure the breach or end the violation. “If such measures fail, they must terminate the contract or agreement,” HHS explains. “If termination of the contract or agreement is not possible, a covered entity is required to report the issue to the HHS Office for Civil Rights.” 1 This does not mean, however, that your HIPAA business associate agreement applies to your supplier's contractor. Find more information about contractors in our “Preparing Contractors for HIPAA Compliance” blog and in our podcast “Should employers train entrepreneurs who see PHIs?”

Once companies, business associates and covered entities have identified their relationship, it is important to ensure that third parties protect the PHI they receive. A signed agreement proves that the BA knows that it must manage the PHI. This may seem complicated, but remember that the purpose of all this is to ensure that the individual's health information remains protected by all stakeholders. Business associate agreements should be checked against the HIPAA rules to ensure that they cover all aspects of the working relationship. In our case, the BAAs of participants in our HIPAA compliance platform will be fully monitored and included in our solution. A HIPAA business associate agreement is the best way to protect your practice or organization in the event of a breach at your supplier.

If you are not convinced, BAAs are prescribed by the HIPAA Security Rule. In principle, BAAs must contain these provisions: “[A] person or organization that is not a member of the staff of a covered company that performs functions or activities on behalf of a covered company or provides certain services that include consideration access to protected health information. A [BA] is also a subcontractor that creates, receives, manages or transmits protected health information on behalf of another [BA].” A business associate should also be made aware of the consequences of non-compliance with HIPAA requirements. Business associates may be sanctioned directly by the enforcement authorities for HIPAA violations.

A HIPAA business associate agreement should not be a stand-alone contract. The language of a BAA can be incorporated into data security agreements, master service agreements or terms of service. BAAs both satisfy HIPAA rules and create a relationship of responsibility between the two parties. If one party violates a BAA and exposes PHI, the other party has legal recourse. If a BAA is missing or incomplete, or if the agreement is flagrantly violated, both parties may find themselves in the crosshairs of the Department of Health and Human Services, the Office for Civil Rights and perhaps even the Department of Justice. Finally, failure by a business associate or subcontractor to meet the requirements of an agreement could have significant consequences. In addition to the provisions required by HIPAA, a party may include additional safeguards.