Specifically, when they provide services or technologies to a covered company (for example. B, a hospital) or to any other business partner as a subcontractor (e.g. B, a PaaS provider such as Datica), business partners process, process, transmit or otherwise interact with the electronic protected health information (ePHI) of these covered companies. With this PHI access, all trading partners must sign a Trade Partnership Agreement (BAA). The BAA is a legal contract that describes how the business partner adheres to HIPAA, as well as the liabilities and risks they assume. (OCR FAQ). While the qualification of a member of the workforce would help contractors to agree with the obligations of business partners, covered entities may object to the classification of contractors as members of their workforce, as it may indicate that the contractor is acting as a representative of the covered entity, thereby exposing the affected entity to tort for the contractor`s actions. (See 45 CFR 160.402(c); 78 FR 5581). 8. Perhaps entities that maintain encrypted PHI. Unlike entities that transfer PSRs, entities that manage PSRs (i.B. data storage companies) are generally considered business partners. (45 CFR 160,103; 78 FR 5572).
As HHS explained, Compliancy Group`s web-based compliance solution, The Guard, is equipped with everything you and your organization need to manage your HIPAA business partners. (Frequently Asked Questions (“FAQ”), available at www.hhs.gov/ocr/privacy/hipaa/faq/index.html). Similarly, `the mere sale or supply of software to a covered entity does not create a business partner relationship if the supplier does not have access to the [PSR] of the covered entity`. (Id.). Companies that wish to evade the obligations of business partners may wish to include a provision in their service contracts that confirms that they do not need PHI to perform their functions and that their customers, who are covered companies or business partners, do not provide the Company with a PHI (or, as described below, an unencrypted PHI) without the prior consent of the Company. You need to be able to identify the classification of your workforce before you know what HIPAA requires. As defined in the Health Information Portability and Accountability Act (hipaa), a business partner is any organization or person that works in connection with a covered entity or provides services to a covered entity that generates, processes, or discloses protected health information (PHI).2 BAAs are both HIPAA compliant and create an obligation of liability between both parties….