Business Associate Agreement With Foreign Company

Under the HIPAA omnibus rule, business associates and their subcontractors are directly responsible for HIPAA compliance, including penalties for data breaches. Penalties in enforcement actions by federal regulators can be as high as $1.5 million per HIPAA violation. The omnibus rule added the maintenance of PHI to the functions that trigger business associate status. For example, a data storage company that has access to PHI in print or digital form is a business associate, even if the storage company never views the PHI, or does so only occasionally or rarely. Prior to the omnibus rule, the OCR had indicated that a document storage company would not be considered a business associate if the PHI was kept in closed and sealed containers and the document storage company could not access the PHI (other than incidental access, for example if a box is damaged and needs to be repackaged). A medical practice that stores old medical records at an external site therefore needs a business associate agreement with the storage company. With respect to data services that trigger business associate status, the omnibus rule identifies two types of service providers: CEPs (i.e. organizations such as health information exchanges, which oversee and govern the exchange of health information between organizations) and electronic prescribing channels. The definition also includes others who provide data services involving PHI to covered entities and who have routine access to the PHI.

The OCR distinguishes between data services that require routine access to PHI, whose providers are therefore considered business associates, and conduits, which are not business associates. This is a fact-specific determination based on the nature of the services provided and the extent to which the service provider needs access to the PHI to provide its data services to the covered entity. OCR interprets the conduit exception narrowly and limits it to pure courier services such as the U.S. Postal Service, UPS and their electronic equivalents, such as ISPs, which provide data services. Given the full data transmission provision, the addition of PHI maintenance as a business associate function, the commentary in the omnibus rule preamble and the latest OCR guidance on cloud computing (see below), the definition of business associate now casts a broad net that may include service providers such as cloud providers, Internet service providers (ISPs), application service providers (ASPs) and document storage companies that have not been considered business associates to date. 3) members of an organized health care plan.