(78 FR 5572, emphasis added). Note that the above analysis applies to data storage companies that "have access" to the PHI. Unless and until HHS instructs otherwise, there is a fairly strong argument that the business associate requirements do not apply to an entity that maintains encrypted PHI if the entity does not hold the encryption key. The HHS breach notification rule treats PHI that is encrypted in accordance with OCR's guidance as secured, so its loss or disclosure is not a reportable breach. (See the OCR guidance at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html.) It would therefore be logical to conclude that maintaining encrypted data without the key should not trigger business associate obligations.

To put it simply, a business associate is a person or organization that interacts with PHI on behalf of a covered entity or another business associate.

Conclusion and caution. I hope that the above will allow companies that are not really "business associates" under HIPAA to avoid business associate status and the related liabilities. On the other hand, if a company truly is a "business associate" under the rules, it cannot escape regulatory liability by avoiding a business associate agreement.
"[A] person or entity is a business associate if the person or entity meets the definition of 'business associate,' even if a covered entity, or a business associate with respect to a subcontractor, fails to enter into the required business associate contract with the person or entity." (78 FR 5574).

The purpose of a business associate agreement (BAA) is to describe your BA's responsibility to keep your PHI private and secure. The BAA sets out the expectations and requirements of both parties, you and your BA, and it is a legally binding document.

7. Entities that are mere "conduits" for PHI. Companies that merely transmit PHI for a covered entity are not business associates if they do not require routine access to the PHI, i.e. they are only "conduits" of the PHI (e.g. Internet service providers, telephone companies, etc.). HHS describes this conduit exception as narrow: it covers transmission services, including any temporary storage incidental to transmission, not entities that maintain PHI.
(45 CFR 160.103; 78 FR 5571; 65 FR 82476). Under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA"), covered entities and business associates are required to comply with HIPAA. A covered entity includes health care providers that transmit information electronically in connection with a HIPAA standard transaction, health plans, and health care clearinghouses. In particular, where a health care provider bills or receives payment for health care and transmits those transactions electronically, the provider is a covered entity under HIPAA.

Avoid unnecessary business associate agreements. Unfortunately, many covered entities and business associates request business associate agreements out of ignorance or caution, even when such agreements are not technically required. Companies should avoid entering into unnecessary business associate agreements: doing so may subject them to contractual obligations they would not otherwise have, including compliance costs that would not otherwise apply, restrictions on the use and disclosure of information, and damages for non-compliance. In addition, by entering into an unnecessary business associate agreement, an entity may inappropriately concede that it is a business associate, exposing it to penalties for non-compliance with HIPAA. To avoid such situations, companies asked to enter into unnecessary business associate agreements could consider responding as follows:

Since the 2013 Omnibus update to HIPAA, business associates are directly subject to the HIPAA Privacy and Security Rules, including the adoption of physical, technical and administrative safeguards under the Security Rule, compliance with the applicable Privacy Rule requirements, and breach notification obligations.