Sample HIPAA Business Associate Agreement

The HHS Office for Civil Rights (OCR) has imposed numerous fines for business associate agreement failures. In its investigations of data protection violations and complaints, the OCR found that the following covered entities had failed to obtain a signed, HIPAA-compliant BAA from at least one vendor. This was either the sole reason for the fine or an additional violation that contributed to its severity. Like covered entities, business associates must implement these security measures in accordance with the HIPAA Security Rule.

WHEREAS, the Covered Entity has engaged the Business Associate to perform certain services for or on behalf of the Covered Entity, which are described and defined in one or more separate service agreements between the parties, order forms and/or statements of work (a "Service Agreement"), and the Business Associate may use or disclose, in connection with those services, certain individually identifiable health information protected by the privacy and security rules;

OCR's investigation showed that ACH never entered into a business associate agreement with the person providing medical billing services to ACH, as required by HIPAA, and that it did not adopt a policy requiring business associate agreements until April 2014. Although it had been in operation since 2005, ACH had not conducted a risk analysis until 2014, nor had it implemented security measures or other written HIPAA policies or procedures.

The business associate agreement ensures a chain of custody for PHI. A vendor to a HIPAA covered entity must enter into a contract with the covered entity, and a subcontractor used by a business associate is also required to enter into a contract of this type. A subcontractor is a business associate of the business associate and is not covered by the BA/covered entity contract.

A separate contract must be signed before access to PHI is granted. The longer the chain and the further it extends from the covered entity that transmits the ePHI, the greater the potential for violations of the HIPAA business associate agreement. Encryption of all ePHI stored or transferred by a business associate is an important protection, but encryption alone is not enough to ensure HIPAA compliance. Physical security measures must also be put in place to ensure that unauthorized persons cannot access ePHI, administrative security measures must be put in place, and written policies and procedures must be developed and maintained.