Why all this maneuvering? “You want to shift responsibility as much as possible,” says Chris Apgar, CISSP, President and CEO of Apgar Associates, a privacy and security consulting firm. “If you are the covered entity, you want the counterparty to sign your matching contract.” A covered entity may itself be a business associate of another covered entity. It is also important to note that a covered entity's disclosure of PHI to a health care provider for treatment purposes does not make the receiving provider a business associate of the disclosing entity. In summary, a “business associate” is a person who, on behalf of a covered entity, (a) creates, receives, maintains or transmits PHI for a function or activity such as claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, certain patient safety activities, billing, benefit management, practice management and repricing; or (b) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for the covered entity, where the provision of the service involves the disclosure of PHI. BA agreements are among the most common and far-reaching of these contracts. Prior to 2013, business associates were required to comply with HIPAA only on the basis of the terms of their contractual agreements with covered entities; BA agreements had to be executed between covered entities and their business associates, and there was no obligation for business associates to address HIPAA compliance with their subcontractors. They are often boring, dense and technical, but BAAs are important from both a legal and a commercial point of view, and they deserve our attention.
Failure to enter into a BAA where one is required may constitute a HIPAA violation that results in significant liability, as shown by several recent settlements with the Department of Health and Human Services (HHS).1 A business associate that makes a disclosure not authorized by law or by the applicable BAA may be subject to civil penalties and, in some cases, criminal penalties. In addition, parties are often bound by BAAs that contain one-sided indemnification and other provisions that could cripple an organization in the event of a HIPAA violation. A third reason why a company may not have a BA agreement is that the vendor “refuses to characterize itself as a business associate,” Hagan says, noting that this has become more common since the HITECH Act made BAs directly responsible for compliance.
But frustration can be avoided, Hagan said. “It does not take long to reach a compliant BA agreement. There is even an appendix with an agreement that has the OCR's blessing, which is added to the rule. The time goes into developing these selfish provisions, where people try to fend off risk. That takes time,” he says. The importance of a BAA is often fully understood by the parties only when a problem arises (for example, a HIPAA security incident or breach, an audit by the Office for Civil Rights (OCR), or a breakdown in the relationship between the parties), and at that point the options for reducing legal and commercial risk are limited. Ideally, attention should be paid at the beginning of the business relationship, when the parties are able to address regulatory requirements, plan and prepare for potential adverse events, and allocate risk appropriately between themselves. As with most health care compliance initiatives, a proactive approach to BAAs is preferable.