Finally, a failure by a business associate (BA) or its subcontractor to comply with the requirements of the agreement can have serious consequences. The business associate agreement (BAA) is a contract: it defines the types of protected health information (PHI) made available to the business associate, the authorized uses and disclosures of that PHI, the measures to be taken to protect it (for example, encryption at rest and in transit), and the steps the BA must take in the event of a security breach. The BAA PDF above was designed as an agreement between a single covered entity and a single business associate; it can also be adapted for use between a business associate and its subcontractor.

If PHI under the business associate's responsibility is accessed by persons who are not authorized to access it, the business associate is required to notify the covered entity of the breach and may also be required to send notifications to the individuals whose PHI was compromised. The timing of notification and the reporting responsibilities should be spelled out in the agreement. While a short reporting window may seem reasonable, remember that a BA may not become aware of a breach until several days after it occurs.

Question: Our medical practice uses backup data storage in Google Cloud [or Amazon Web Services]. They say they are HIPAA compliant. Do we still need an agreement with Google [or AWS]?

A HIPAA business associate agreement does not have to be a stand-alone contract. The language of a BAA can be incorporated into data security agreements, master service agreements, or terms of service. When an organization uses, stores, transfers, or otherwise accesses protected health information on your behalf, it will most likely be considered a business associate under HIPAA.

What is a business associate? A "business associate" is a person or organization that performs certain functions or activities involving the use or disclosure of protected health information on behalf of a covered entity, or that provides services to a covered entity. A member of the covered entity's own workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse may itself be a business associate of another covered entity. The Privacy Rule lists some of the functions, activities, and related services that make an individual or organization a business associate when the activity or service involves the use or disclosure of protected health information. The types of functions or activities that can make an individual or organization a business associate include payment or health care operations, as well as other functions or activities governed by the administrative simplification rules. The direct staff of your organization are not required to sign a BAA, because they are part of your organization and are not considered business associates.