As a general rule, associated trade agreements (BAAs) do not cover the confidentiality rule, although it may be different for your business – so check the confidentiality requirements of your BAA, for example. B patients` access to their recordings. Business partners are not responsible for the management of patients` rights, unless they are specifically recruited for this purpose. A HIPAA Data Protection Controller is responsible for developing, implementing, and maintaining the data protection policy and procedures for the management of protected health information (PHI) in your organization. They must act in accordance with federal and federal data protection laws and HIPC rules imposed by the HIPC Data Protection Act. What is an “associate”? `counterparty` means any natural or legal person who performs certain functions or activities involving the use or disclosure of protected health information on behalf of an undertaking concerned or the services provided to that undertaking. A staff member of the covered company is not a business partner. An insured health care provider, health plan or health care clearing house may be a counterparty to another covered entity. The data protection rule lists certain functions or activities as well as the respective services that make a natural or legal person a counterparty when the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a natural or legal person a counterparty include payment or health activities, as well as other functions or activities governed by the administrative simplification rules. According to the law, the HIPC data protection rule only applies to covered companies – health plans, clearing houses for healthcare and certain healthcare providers.
However, most health care providers and health plans do not perform all of their health activities and functions themselves. Instead, they often use the services of a large number of other people or companies. The data protection rule allows covered providers and health plans to disclose protected health information to these “counterparties” when suppliers or plans receive satisfactory assurances that the counterparty uses the information only for the purposes for which it was mandated by the covered entity, protects the information from abuse and helps the covered company to meet some of the obligations of the covered company, in accordance with r to comply with the data protection rule. The undertakings concerned may disclose protected health information to an undertaking acting in its capacity as counterparty only to assist the entity concerned in the performance of its health functions, for the use or for purposes independent of the counterparty, unless this is necessary for the proper management and management of the counterparty. You are responsible for the organization`s data protection program, which defines, develops, implements and maintains policies and processes that provide effective data protection practices. Above all, these practices minimize the risk and ensure the confidentiality of protected health information (PHI). Because the HIPAA Compliance Officer must retain the role of HIPAA Chief Security Officer and Data Protection Controller, many responsibilities are required of them. That`s why many large companies opt for two delegates instead of one compliance officer. HIPAA requires BAAs to contain specific legal provisions, so it`s important that a BAA has permission from the university`s data protection office to ensure that all of these provisions are included.
If a language other than the UofL BAA templates on this page is used, the Data Protection Office should check the BAA to ensure that it meets all HIPAA requirements. The UofL Privacy Office can be reached at 502-852-3803 or by e-mail at privacy (@) louisville.edu. Counterparty contracts. A covered company`s contract or other written agreement with its counterparty must contain the elements referred to in 45 CFR 164.504(e). For example, the contract must: describe the permitted and necessary use of the health information protected by the counterparty; provide that the counterparty does not use or disclose protected health information other than to the extent permitted, prescribed or prescribed by law; and request the counterparty to take appropriate security measures to prevent protected health information from being taken into account other than as such or in contract. . . . .