In August 2015, the HHS Office for Civil Rights (OCR) launched a compliance audit of the Centre for Children's Health (CCDH) following an investigation by a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. While CCDH began disclosing PHI to FileFax in 2003, neither party was able to produce a business associate agreement (BAA) signed before October 12, 2015.
Encryption of all ePHI stored or transferred by a business associate is an important protection, but encryption alone is not enough to ensure HIPAA compliance. Physical security measures must also be put in place to ensure that unauthorized persons cannot access ePHI. Administrative security measures must be put in place as well, and written guidelines and procedures must be developed and maintained.
The business associate agreement is a contract that defines the types of protected health information (PHI) made available to the business associate, the authorized uses and disclosures of PHI, the measures to be implemented to protect this information (for example, encryption at rest and during transfer) and the measures the BA must take in the event of a security breach involving the PHI. Business associate agreements set out the authorized and unauthorized uses of PHI between two HIPAA organizations. The contract should require the business associate to implement appropriate administrative, technical and physical security measures, in accordance with the Security Rule, to ensure the confidentiality, integrity and availability of ePHI. Contracts can also be formatted to describe in detail the relationship between a covered entity and a business associate, as well as the relationship between two business associates. If you hire a subcontractor and the subcontractor comes into contact with PHI, you must execute a BAA between the two of you.
The data protection rule stipulates that all contractors of a business associate must consent to restrictions identical to those of the original business associate.
2. “A business associate may authorize a business associate that is a subcontractor to receive, maintain or transmit on its behalf only if the business associate receives satisfactory assurances, in accordance with § 164.314(a), that the subcontractor adequately protects the information.”
The business associate agreement is required by HIPAA to allow a third party (“business associate”) to have access to protected health information (PHI) held by a medical organization (“covered entity”). It outlines the rules under which personal medical records can be transmitted in accordance with federal law. Once authorized, the business associate is responsible for protecting all protected health information shared with it, with specific instructions in case of a security violation. The business associate is strictly forbidden to sell health information or to use it in prohibited ways.
www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
searchsecurity.techtarget.com/definition/business-associate
www.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa-regulations-affect-business-associates
www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
The HHS Office for Civil Rights has imposed numerous fines for contractual errors committed by business associates.