13 Sep 2021 by tobiasschaller

Business Associate Agreement Requirements Cfr

The HIPAA privacy rules now apply to covered entities (e.g. healthcare providers and health plans) and their business associates. A "business associate" is generally a person or entity that creates, receives, maintains or transmits protected health information ("PHI") on behalf of a covered entity in the course of providing services (for example, consultants; management, billing, coding, transcription or marketing companies; IT contractors; data storage or document destruction companies; data transmission providers that routinely access PHI; third-party administrators; personal health record vendors; lawyers; accountants; malpractice insurers; etc.) (See 45 CFR 160.103). "A covered entity may be a business associate of another covered entity." (Id.). With very limited exceptions, a subcontractor or any other entity that creates, receives, maintains or transmits PHI on behalf of a business associate is also a business associate. (Id.; 78 FR 5572). Guidance on whether an entity is a business associate can be found in the attached business associate decision tree. 5. If the business associate uses subcontractors or other entities to provide services to the covered entity that involve PHI, it must enter into business associate agreements with those subcontractors.

(45 CFR 164.314(a) and 164.504(e)). Business associates that violate HIPAA may be subject to penalties ranging from $100 to more than $50,000 per violation. (45 CFR 160.404). If the violation is due to willful neglect, the Office for Civil Rights (OCR) must impose a fine of at least $10,000 per violation. (Id.). If the violation is due to willful neglect and the business associate does not correct it within thirty (30) days, the OCR must impose a fine of at least $50,000 per violation. (Id.). A single incident can give rise to many violations. For example, the loss of a laptop containing the PHI of hundreds of patients can represent hundreds of violations. Similarly, each day on which a covered entity or business associate fails to implement a required policy constitutes a separate violation.

(45 CFR 160.406). In addition to regulatory penalties, business associates that fail to comply with their business associate agreements may also be liable for contractual damages and/or indemnification obligations set out in the business associate agreement.

(iii) A statement that, if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual's request for amendment and the denial with any future disclosures of the protected health information that is the subject of the amendment; and

(A) Describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the protected health information to be disclosed, provided that any employee or person who receives protected health information relating to payment under, health care operations of, or other matters pertaining to the group health plan must be included in that description;

(b) Termination for Cause. Business associate authorizes termination of this Agreement by the covered entity if the covered entity determines that the business associate has violated a material term of the Agreement [and the business associate has not cured or ended the violation within the time specified by the covered entity]. [Bracketed language may be added if the covered entity wishes to provide the business associate with an opportunity to cure a violation or breach of the contract before termination for cause.]

4. Healthcare providers that receive PHI for the treatment of patients. A healthcare provider is not a business associate of another covered entity while treating patients. (See 45 CFR 160.103; see also 65 FR 82476 and 82504).

As explained by the OCR: (c) Implementation specifications: Provision of access. If the covered entity provides an individual with access, in whole or in part, to protected health information, the covered entity must comply with the following requirements. . . .