Business Access Agreement

[The parties may wish to add additional details regarding the reporting obligations of the trading partner,. B for example, a stricter time frame for the business partner to report a potential breach to the relevant entity and/or whether the business partner will deal with the reported violations to individuals, the HHS Office of Civil Rights (OCR) and possibly the media on behalf of the captured company.] In the event that persons who are not authorized to view the information to the PSRs are accessible in the custody of the Business Partner, the Business Partner is obliged to inform the relevant company of the breach and possibly send notifications to the persons whose PSR has been compromised. The timing and responsibilities for notifications should be set out in detail in the agreement. While it may seem reasonable to have a short window of opportunity to report a violation, keep in mind that the BA may not be notified of the violation until a few days after the event. A business partner contract is also a useful tool for the allocation of liability. A number of 2013 changes to HIPAA regulations make business partners directly liable for the unauthorized use or disclosure of PH if such unauthorized use or disclosure violates HIPAA or the terms of the Business Partnership Agreement. Since business partners are now subject to direct liability, the Business Partnership Agreement may contain a provision that contains this direct liability and requires the covered company to be legally liable for its own breaches and the business partner to be liable for its own breaches. Upon termination of this Agreement for any reason, Business Partner shall do the following with respect to Protected Health Information received by or created, retained or received by a Business Partner on behalf of a Relevant Entity: (a) The waiver by either party of any breach or violation of any provision of this BAA shall not be deemed a waiver of any subsequent breach of the same or any other Provision of this Agreement or shall be construed as such. (b) In the event that any provision of this BAA is held to be unenforceable for any reason, the unenforceability shall not affect the remainder of this BAA, which shall remain in full force and effect in accordance with its terms. c) Whenever the context so requires, the gender of all words must include masculine, feminine and neuter, and the number of all words includes the singular and plural. (d) This BAA constitutes the entire agreement of the parties with respect to the subject matter of this Agreement, and all prior and contemporaneous agreements, understandings and representations, whether oral or written, with respect to such matters are superseded. (e) This BAA may only be amended with the written consent of both parties.

The parties agree to take the necessary steps to amend this BAA from time to time to enable the facility to meet hipaa requirements. (f) A reference in this BAA to a section of the Privacy Rule or Security Policy means the items, as amended or modified, for which compliance is required. (g) Any ambiguity in this BAA will be dispelled in favor of a meaning that allows the institution to comply with HIPAA. (h) This BAA is binding on the parties and their respective successors and assigns. (i) Nothing in this BAA shall be construed as limiting the right of either party to join another person or entity on a limited or general basis or to enter into a contract with another person or entity for as long as such BAA is in effect. (k) The Contractor`s respective rights and obligations under Sections E and F of this BAA shall continue to apply after termination of the BAA. By law, the HIPAA privacy rule only applies to covered companies – health plans, health care clearing houses, and certain health care providers. However, most health care providers and health care plans do not perform all of their health activities and functions themselves. Instead, they often use the services of a variety of other people or companies. The confidentiality rule allows covered health care providers and plans to share protected health information with these “business partners” if the providers or plans receive satisfactory assurances that the business partner will only use the information for the purposes for which it was engaged by the collected entity, protect the information from misuse, and help the covered entity comply with some of the obligations of the covered entity under the To comply with the data protection rule.

Collected companies may disclose protected health information to an entity in its role as a business partner only to assist the captured entity in performing its healthcare tasks – and not for the use or purposes independent of the business partner, unless this is necessary for the proper administration and administration of the business partner. Business Partnership Agreements consist of information about permitted and prohibited uses of PSR between two HIPAA-related organizations. The contract should require the business partner to take appropriate administrative, technical and physical safeguards in accordance with the security rule to ensure the confidentiality, integrity and availability of the ePHI. Contracts can also be formatted to detail the relationship between a covered company and a business partner, as well as the relationship between two business partners. The Contractor agrees that if the Facility determines or has reasonable grounds to believe that the Contractor has used, disclosed or provided access to the Information in a manner not authorized by this BAA, the Entity may, in its sole discretion, request the Contractor to: (a) promptly investigate and provide the Entity with a written record of the Contractor`s decision regarding any allegation or provide a disclosure, unauthorized access or use; (b) put an end to such practices without delay; (c) return or destroy any information to the institution; and (d) take such other reasonable measures as the Facility considers appropriate […].