You will find a detailed list of the information you need to include in your trade agreements at the Department of Health and Human Services.

Transitional provisions for existing contracts. Covered companies (excluding small health plans) that have entered into an existing contract (or other written agreement) with consideration prior to October 15, 2002 may continue to work under this contract for up to an additional year beyond April 14, 2003, unless the contract is extended or amended before April 14, 2003. This transitional period applies only to written contracts or other written agreements. Oral contracts or other agreements are not eligible for the transitional period. As part of these contracts with their counterparts, covered companies that are entitled to enter into contracts may continue to work with their counterparties until April 14, 2004 or until the renewal or modification of the contract, whichever date is earlier, whether or not the contract meets the existing contractual requirements of 45 CFR 164.502(e) and 164.504(e). A covered company must also comply with the data protection rule, for example, only provide authorized information to the counterparty and allow individuals to exercise their rights in accordance with the rule. See 45 CFR 164.532(d) and (e).

What does this definition mean? If you hire a company or person outside of a W-2 staff member who accesses, uses, distributes or processes PHI in their work, they are considered business partners and must have a BAA. Examples include delivery companies, grinding companies, software or IT companies, accounting and billing companies, call centers and even 1099 employees. The need for a continuous review of counterparty agreements stems from an increased focus on compliance and audits by DHHS's Office of Civil Rights (OCR). In the past, HIPAA compliance audits have been limited to specifically listed institutions, such as medical practices and hospitals.

The use of HIPAA-compliant providers such as fax companies in the healthcare sector to transfer protected data to their encrypted servers was the best way for healthcare professionals to avoid audit problems.

General provision. The data protection rule requires that a covered entity receive satisfactory assurances from its counterparty that the counterparty adequately protects the protected health information it receives or creates on behalf of the entity concerned. Satisfactory assurances must be made in writing, either in the form of a contract or other agreement between the covered entity and the counterparty.

Not all of these services need to manage your customers' information. However, some of them, such as an email provider like Hushmail, could at some point manage the PHI. If you are a covered entity, this PHI must be protected. In particular, when they provide services or technologies to a covered company (for example, a hospital) or another business partner as a subcontractor (for example, a PaaS provider such as Datica), counterparties process, transfer or interact in some way with protected electronic health information (ePHI) of these companies. With this PHI access, all business partners must sign a Business Associate Agreement (BAA).