[HIPAA] requires, for [all] information that is not required by law, that the consideration receive reasonable assurances from the person to whom the [PHI] is disclosed, that it is confidential and that it is only used or disseminated at that time, in accordance with the law or for the purposes for which it was disclosed to the person, and that the person informs the consideration of the cases of which he or she is aware of the information. See point 164.504 (e) (4) (ii) (B). Matching contracts. The contract of a covered company or any other written agreement with its counterparty contains the elements covered in paragraph 45 CFR 164.504 (e). The contract must, for example. B Describe the authorized and necessary use of health information protected by the counterparty; provide that the counterparty will not continue to use or disclose protected health information, with the exception of the contract or the law; and require the counterpart to adopt appropriate security measures to prevent the use or disclosure of protected health information that is not provided for by the contract. If a covered entity is aware of a significant violation or violation by the counterparty of the contract or agreement, the covered entity is required to take appropriate steps to correct the violation or terminate the violation and if such measures are inconclusive, to terminate the contract or agreement. If termination of the contract or agreement is not possible, a covered company is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Please consult our standard contract for business partners. Once companies, business partners and covered business partners have identified their relationship, it is important to ensure that third parties protect the POs they receive. A signed agreement proves that the BA knows that they must manage THE PHI.
In particular, when they provide services or technologies to a covered company (for example. B a hospital) or another business partner as a subcontractor (. B for example, a PaaS provider such as Datica), counterparties process, process, transfer or interact in some way with protected electronic health information (ePHI) of these companies. With this PHI access, all business partners must sign a Business Associate Agreement (BAA). The BAA is a legal contract that describes how the business partner joins HIPAA, as well as the responsibilities and risks it assumes. www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.htmlsearchsecurity.techtarget.com/definition/business-associatewww.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa-regulations-affect-business-associates__www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html So we`re a BA for an EC.