In the simplest terms, a business associate agreement (BAA) is a legal contract between a HIPAA covered entity (such as a healthcare provider) and a person or organization that, as part of the services it provides, creates, receives, transmits or stores protected health information (PHI). Whether you prefer to call it a business associate agreement or, like the HIPAA regulations, a business associate contract, a BAA is a critical component of an organization's efforts to be HIPAA compliant. Below, we have gathered the basic components and definitions of a HIPAA business associate agreement template that you can browse. Remember that BAAs are legally binding agreements, so it is best to have a designated security officer, an attorney, or a HIPAA compliance solution help you navigate these contracts.

Business associates are directly liable for HIPAA violations, including the following:

9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.

Covered entities may be fined if they have not entered into a HIPAA business associate agreement or have entered into an incomplete one, and the HITECH Act (see 78 FR 5574) provides that business associates are required to comply with the HIPAA Security Rule even if no business associate agreement has been executed. However, it is not enough for the agreement to state that your business associate is responsible for protecting PHI; it must also specify how. A HIPAA business associate agreement should address how the business associate is permitted to use PHI, who may access it and under what circumstances, and which safeguards the business associate will require of its own subcontractors.

HIPAA compliance requires the right partners under the appropriate agreements. As a HIPAA-compliant file and email encryption provider, we have one goal: to make secure communication easy. Virtru layers strong encryption on top of the email and file solutions you already use, creating a seamless end-user experience. This convenience ensures that your employees and business associates never have to take unnecessary risks to send and receive PHI.

Note that business associates must comply with much, but not all, of the HIPAA Privacy Rule. Business associates are required to comply fully with the HIPAA Security Rule for electronic protected health information (ePHI). Finally, business associates are required to report breaches of unsecured protected health information in accordance with the HIPAA Breach Notification Rule. Of course, simply signing a business associate agreement is not compliance in itself; it is only the trigger for compliance, which includes maintaining policies and procedures, conducting a risk assessment as required by the Security Rule, and training staff.