There are many more business partners than there are covered companies in the health sector. The size and complexity of health care means that the PHI is located in many locations, locally and off-site, to and from addresses, electronically and by mail. A hospital, health plan or doctor`s office has several providers who help them provide services. The healthcare sector depends on outsourcing important activities, from billing to collections to data storage. Question: If we use an offshore business partner, should they follow HIPAA? Can we use someone in another country? While it is almost always necessary for a counterparty to sign an agreement with an insured company when an ePHI counterparty creates, receives, maintains or transmits on behalf of the insured company, if it does not offer covered service to the covered company (i.e. a landscaper), the business is not a consideration and no agreement is required. If you have questions about HIPAA requirements that apply to a business partner or would like to help us develop or revise a matching agreement, please contact us. Find our contact details below. [Option 2 – where the agreement authorizes the counterparty to use or disclose protected health information for its own management and administration, or to exercise its legal obligations, and the counterparty must retain protected health information for such purposes after the termination of the contract] A “counterpart” is a person or organization other than a staff member of a covered company that performs functions or activities on behalf of a covered entity or provides certain services to a classified entity that includes consideration access to protected health information. A “business partner” is also a subcontractor that creates, receives, manages or transmits protected health information on behalf of another counterparty.

HIPAA rules generally require covered companies and counterparties to enter into contracts with their trading partners to ensure that counterparties properly protect health information. The counterparty contract is also intended to clarify and, if necessary, limit the use and disclosure permitted by the counterparty of protected health information on the basis of the relationship between the parties and the activities or services of the counterparty. A counterparty may only use or disclose protected health information to the extent that its counterparty contract is authorized or required or required by law. A counterparty is directly responsible under HIPAA rules and is subject to civil and, in some cases, criminal penalties for the use and disclosure of protected health information that is not authorized by the treaty or prescribed by law. A trading partner is also directly responsible and is subject to civil penalties if it does not protect health information protected electronically in accordance with the HIPAA safety rule. Question: We have a regular weekly cleaning service that comes into our office and their crew can observe patients in the waiting room or even accidentally see patient information on the desk or in the trash. Are you a business partner? d) make sure, if, in accordance with 45 CFR 164.502 (e) (1) (ii) and 164.308 (b) (2), all subcontractors who produce, receive, maintain or transmit protected health information on behalf of the counterparty accept the same restrictions, conditions and requirements that apply to the counterparty with respect to this information; Note: If a business partner delegates an activity to another entity, that entity is considered a counterparty to a subcontractor – the same rules apply.