The BAA places the responsibility for protecting PHI squarely on the service provider while the information is in its hands. A software company that hosts software containing patient information on its own server, or that accesses patient information when the software function is bypassed, is a business associate of a covered entity. In these examples, the covered entity would be required to enter into a business associate agreement before the software company had access to PHI. However, when an employee of a contractor, such as a software or IT service provider, performs his or her primary duties on-site at a covered entity, the covered entity may treat the contractor's employee as a member of the covered entity's workforce rather than as a business associate.

"Don't roll the dice" when it comes to HIPAA compliance. If you engage a BA and share PHI with it without first executing a BAA, you should expect serious consequences.

3) Members of an organized health care arrangement. Covered entities participating in an organized health care arrangement (OHCA) are not business associates of each other while they perform functions on behalf of the OHCA; "as a result, they may use and disclose [PHI] for the joint health care activities of the OHCA without entering into a business associate agreement." (OCR FAQ; see 45 CFR 160.103). An OHCA is (1) "a clinically integrated care setting in which individuals typically receive health care from more than one health care provider" (e.g., a hospital and its medical staff); (2) an organized system of health care involving more than one covered entity, in which the participating entities conduct joint utilization review, quality improvement, or payment activities (e.g., provider networks); or (3) certain arrangements between group health plans and other insurers. (45 CFR 160.103). The OHCA exception applies only to covered entities (e.g., health care providers and health plans) that perform functions for the OHCA; it does not apply to other entities that need PHI to perform functions on behalf of the OHCA.

Business associates that violate HIPAA may be fined from $100 to more than $50,000 per violation. (45 CFR 160.404). If the violation results from willful neglect, the Office for Civil Rights ("OCR") must impose a fine of at least $10,000 per violation. (Id.) If the business associate acted with willful neglect and does not correct the violation within 30 days, OCR must impose a fine of at least $50,000 per violation. (Id.) A single incident can give rise to many violations. For example, the loss of a laptop containing the PHI of hundreds of patients can constitute hundreds of violations. Similarly, each day that a covered entity or business associate fails to implement a required policy counts as a separate violation. (45 CFR 160.406).

In addition to regulatory penalties, business associates that fail to comply with their business associate agreements may also be liable for contractual damages and/or indemnification obligations under the agreement.