Many vendors do not use PHI to perform tasks on behalf of the covered entity, but ePHI passes through their systems. Many software solutions touch ePHI, which means that the software provider is classified as a business partner. There are exceptions for entities that act as mere conduits through which ePHI is routed (see the conduit exception), although most cloud service and software providers are not exempt from HIPAA compliance, and BAAs are required. [Optional] The Covered Entity may not require business partners to use or disclose protected health information in a manner that would not be permitted under Subpart E of Part 164 of 45 CFR if done by the Covered Entity. There's no point in asking them to sign a BAA or a subcontractor BAA because they don't have the compliance infrastructure required by HIPAA. An associated subcontractor is a person or entity to whom a business partner delegates a function, activity or service.3 Just as a covered entity receives assistance from a business partner, BAs in turn rely on their own helpers. HIPAA designates these individuals and companies as business associate subcontractors. Accordingly, business partners must have a business partner subcontractor agreement with each such subcontractor. The BA and BAS agreements are almost identical, so the main difference lies in the definition of the category. [The parties may wish to add additional details on how the business partner will respond to an access request that the business partner receives directly from the individual (e.g. whether, when and how a business partner must grant the requested access, or whether the business partner forwards the individual's request to the covered entity to satisfy it) and the time limit for the business partner to provide the information to the covered entity.]
According to HHS, the business partnership/subcontractor agreement must contain the following information: This document contains examples of provisions on business partner agreements that help the companies and business partners concerned to more easily meet the requirements of the business partner agreement.
Although these model provisions are drafted for the purposes of the contract between a covered entity and its business partner, the language may be adapted for the purposes of the contract between a business partner and a subcontractor. From award-winning HIPAA training to contracts and agreements, we can meet your needs so your business is protected. Become HIPAA compliant. Win new customers and grow your business. "A business partner is directly liable under HIPAA rules and is subject to civil and, in some cases, criminal penalties for the use and disclosure of protected health information that is not contractually permitted or required by law. A business partner/processor is also directly liable and subject to civil penalties if it fails to protect electronic protected health information in accordance with the HIPAA Security Rule."4 Since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act and its incorporation into HIPAA in 2013 through the HIPAA Omnibus Final Rule, subcontractors used by business partners are also required to comply with HIPAA.