Chain Of Trust Agreement HIPAA

In particular, when they provide services or technologies to a covered company (for example, a hospital) or to another business partner as a subcontractor (for example, a PaaS provider such as Datica), counterparties process, transfer or otherwise interact with protected electronic health information (ePHI) of these companies. With this PHI access, all business partners must sign a Business Associate Agreement (BAA). The BAA is a legal contract that describes how the business partner adheres to HIPAA, as well as the responsibilities and risks it assumes. The HIPAA Privacy Rule describes the types of entities covered by HIPAA and the entities that must comply with HIPAA data security and protection rules. The main categories are clearing houses, covered companies (CEs) and counterparties. The more the subcontractor receives from the covered unit, the more confusion there is as to who is actually a business partner and who must sign a matching contract. HIPAA compliance is complex, and non-compliance can be costly in terms of money and reputation.

As business partners, law firms can be held directly responsible under HIPAA for violations of data protection and security rules. In addition, there are differentiated issues that need to be addressed in matching contracts, particularly for lawyers, such as integration into legal protection insurance, respect for solicitor-client privilege in the event of a review, and compliance with standard rules of professional conduct. It is therefore important that all lawyers and law firms that conduct transactions with an organization covered by HIPAA seek an experienced data security lawyer to carefully verify and monitor their HIPAA compliance. Such experts can help lawyers who do not practice in this area understand the data protection, security and breach notification requirements in place, and advise them on how to begin developing a compliance plan. These fundamental steps are absolutely necessary to protect the integrity, safety and reputation of your practice.

It's like a chain that follows the PHI from the first link in the chain, which is the covered entity. The next link is the trading partner, and all of its subcontractors (including trading partners) are the links after that. Think of subcontractors as business partners. The BAA follows the direct path of the chain. A covered company is therefore not required to sign a BAA with the subcontractors of its trading partners; the business partner is the one that must do so. In addition, Kevin maintains a robust practice in the area of data protection, including the development and implementation of privacy policies, terms of use, use of information and social media policies, and advice to clients on data protection at work, social media and consumer protection. This creates a “chain of trust” that starts at the covered entity and continues down the chain through several levels of trading partners. All are bound by matching contracts in this “chain of trust” to the original company covered by the insurance.

Each party in the chain is legally and contractually obligated to protect the PHI and manage it to the same extent as the obligations of the company covered at the top of the chain. For example, if a covered company is a hospital and that hospital has a 24-hour breach reporting requirement, each link (or business partner) in that chain must also have 24-hour breach reporting in its BAAs. The commitments made by companies under HIPAA can be seen as links in a chain of debt. At the highest level, HIPAA's data protection rules apply to “covered businesses,” such as healthcare providers, clearing houses, insurance companies and some health care providers that are at the top of the chain.
