HIPAA Final Rule Business Associate and Subcontractor

February 22, 2022

In addition to other permitted purposes, parties must indicate whether the business associate is authorized to use protected health information to de-identify the information in accordance with 45 CFR 164.514(a)-(c). A subcontractor is a business associate if the delegated function, activity or service involves the creation, receipt, maintenance or transmission of protected health information. We also decline to replace the term “subcontractor” with another, as we were not persuaded by any of the alternatives proposed by commenters (e.g., “business associate”, “downstream business associate” or “downstream entity”).

Direct liability under the Security Rule. The Final Rule amends the regulation to explicitly subject business associates to the administrative, physical and technical security requirements of the Security Rule. HHS noted that since business associates previously had to agree in their business associate agreements with covered entities to adequately protect PHI, business associates and subcontractors “should already have security practices” that are compliant with the rule or need only “modest improvements.” However, HHS acknowledged that many business associates will not have implemented the “formal administrative safeguards” required by the rule.

The final regulation specifies that a covered entity is not required to enter into a direct contract or other agreement with subcontractors of its business associates. HHS believes that the direct liability of subcontractors for violations of applicable HIPAA provisions will help allay concerns among covered entities that PHI is not sufficiently protected when made available to subcontractors.

An important change in the final rule is the revised definition of “business associate”. HIPAA generally defines a business associate as a person who performs functions or activities on behalf of a covered entity, or provides certain services to it, involving the use or disclosure of PHI.

For example, the definition includes various functions that a business associate may provide, including claims processing or administration; usage management; performance management; and legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services. The final rule adds “patient safety activities” to the list of functions and activities that give rise to a business associate relationship.

Section 13401 of the Health Information Technology for Economic and Clinical Health (HITECH) Act provides that the administrative, physical and technical security requirements of the Security Rule, as well as the Rule's policies, procedures and documentation requirements, apply to business associates in the same way as those requirements apply to covered entities, and business associates may be held liable under civil and criminal law for violations of these provisions. In the final rule, OCR has modified the Security Rule to implement the provisions of the HITECH Act that extend direct liability for compliance with the Security Rule to business associates and subcontractors of business associates.

(g) [Optional] The business associate may provide data aggregation services related to the health care operations of the covered entity.

Subcontractors. In broadening the definition of “business associate,” OCR also indicated that a business associate includes a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.” The term “subcontractor” is defined in HIPAA Section 160.103 as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” Throughout the final rule and commentary, OCR states that although the use of the term “subcontractor” suggests that there is a contract between the parties, a person or entity that meets the definition of a subcontractor will be treated as a subcontractor even if the business associate has not entered into a business associate agreement (BAA) with that person or entity. The obligation to enter into BAAs with subcontractors rests with the business associate that subcontracts or delegates its responsibilities, not with the covered entity. The final rule specifies that a person or entity is a business associate if it receives PHI from a covered entity in the course of providing services, whether or not it has entered into a written business associate agreement.

What is a business associate? A “business associate” is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of a covered entity, or that provides services to it. A member of the covered entity's workforce is not a business associate.
