Response: Business associates are vendors (of a covered entity) that "create, receive, maintain or transmit" protected health information (PHI) while performing a service involving that PHI. The provisions below are sample language only; use of these sample provisions is not required to comply with the HIPAA Rules. The wording may be amended to reflect more accurately the business arrangements between a covered entity and a business associate, or between a business associate and a subcontractor. These or similar provisions may be included in a services agreement between a covered entity and a business associate (or between a business associate and a subcontractor), or they may be incorporated into a separate business associate agreement. The provisions address only the concepts and requirements set forth in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, and on their own may not be sufficient to form a binding contract under state law. They omit many formalities and substantive provisions that may be required, or are typically included, in a valid contract. Reliance on this sample may not be sufficient to comply with state law and is not a substitute for consulting a lawyer or for negotiation between the parties.

General provision. The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.

In 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act, which made the business associates of covered entities directly responsible for meeting certain HIPAA requirements. In accordance with the HITECH Act, the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) issued a final rule in 2013 amending HIPAA to identify the HIPAA provisions that apply directly to business associates and for which business associates are directly liable. See 78 Fed. Reg. 5566 (January 25, 2013). As set forth in the HITECH Act and the 2013 OCR Final Rule, OCR has the authority to take enforcement action against business associates in the following cases:

Upon termination of this Agreement, for any reason, Business Associate, with respect to protected health information received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:

One problem with the regulations that require HIPAA business associate compliance is that many of those covered by them may not have known that they were considered business associates. In addition, covered entities have had several years to get their records in order, whereas business associates have not had that luxury. Therefore, to achieve business associate compliance, these companies must first determine which of their business relationships involve HIPAA-covered organizations and then conduct a HIPAA compliance assessment. Once the assessment has identified the regulatory obligations, the current state of compliance, and the gaps relative to the HIPAA/HITECH regulations, the company can develop a plan to meet the requirements of the law. One item required as part of compliance is the creation of an incident response plan to mitigate the risks of potential data breaches. If you have a question about business associate compliance, please contact us at email@example.com.

(a) [Optional] Covered Entity shall notify Business Associate of any limitation(s) in the notice of privacy practices of Covered Entity under 45 CFR 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of protected health information.

A business associate is an organization or person that performs work or activities on behalf of a covered entity that may involve the use or disclosure of protected health information. This is the second section, which contains the so-called Privacy Rule regulating the use and disclosure of protected health information held by so-called covered entities. However, the law did not contain any provisions for a so-called HIPAA business associate.

Answer: No, you are a business associate, because PHI is more than a medical diagnosis (or complaint). Even a single name or phone number linked to a health care request is PHI, and by answering the phone for a health care provider, you "receive" PHI. A "business associate" is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of a covered entity, or provides certain services to a covered entity, that involve access by the business associate to protected health information [...].