Many experts agree that BAAs should be reviewed at least once a year, or more frequently if they expire or when the business relationship changes significantly. For a detailed list of information you need to include in your business associate agreements, check out the Department of Health and Human Services.

Transitional provisions for existing contracts. Covered entities (excluding small health plans) that entered into a contract (or other written agreement) with a business associate prior to October 15, 2002 may continue to operate under that contract for up to one additional year beyond April 14, 2003, unless the contract is extended or amended before April 14, 2003. This transitional period applies only to written contracts or other written agreements. Oral contracts or other agreements are not eligible for the transitional period. Covered entities with qualifying contracts may continue to operate under those contracts with their business associates until April 14, 2004 or until the renewal or modification of the contract, whichever is earlier, whether or not the contract meets the contract requirements of 45 CFR 164.502(e) and 164.504(e). A covered entity must also comply with the Privacy Rule, e.g. provide only permitted information to the business associate and allow individuals to exercise their rights in accordance with the Rule.
See 45 CFR 164.532(d) and (e).

Once you and your business associate have signed the BAA, the signature remains valid until there is a substantial change to the SLA that requires a change in the BAA. Make sure you and your BA sign and date the BAA and document your comments. Your BAA is valid as long as the provider contract is in effect. However, if there is a change in the SLA that affects your BA's use or disclosure of PHI, you must tailor your BAA to the new uses and disclosures. As mentioned above, you may also need to amend your BAA to respond to legislative changes.

Business associate contracts. A covered entity's contract or other written agreement with its business associate contains the elements specified in 45 CFR 164.504(e). The contract must, e.g.: describe the permitted and required uses of protected health information by the business associate; provide that the business associate will not use or further disclose protected health information other than as permitted by the contract or required by law; and require the business associate to adopt appropriate safeguards to prevent a use or disclosure of protected health information that is not provided for by the contract.
If a covered entity is aware of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take appropriate steps to cure the breach or end the violation and, if such steps are unsuccessful, to terminate the contract or agreement. If termination of the contract or agreement is not possible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Please consult our standard business associate contract.

For some providers, you only need a service level agreement (SLA). However, for providers that create, receive, manage or transfer PHI on behalf of your organization ("business associates"), you must have a business associate agreement alongside the SLA. Even if your provider can't view the PHI (e.g. because it's encrypted), you still need a BAA with it. Sometimes a business associate has its own BAA.