Business Associate Agreement Laboratory
Business associates that violate HIPAA may be fined from $100 to more than $50,000 per violation (CFR 160.404). If the violation results from willful neglect, the Office for Civil Rights ("OCR") must impose a fine of at least $10,000 per violation. (Id.) If the business associate acted with willful neglect and does not correct the violation within 30 days, the OCR must impose a fine of at least $50,000 per violation. (Id.) A single incident can give rise to many violations. For example, the loss of a laptop containing the PHI of hundreds of patients can amount to hundreds of violations. Similarly, each day on which a covered entity or business associate fails to implement a required policy is a separate violation (CFR 160.406). Beyond regulatory penalties, business associates that fail to comply with their business associate agreements may also be liable for contractual damages and/or indemnification obligations under the agreement.

Below are examples of service providers that are sometimes business associates, depending on the underlying relationship, whether they have access to PHI, and the functions they perform:

Avoid unnecessary business associate agreements. Unfortunately, many covered entities and business associates request business associate agreements out of ignorance or excess caution, even where such agreements are not technically required. Entities should avoid executing unnecessary business associate agreements. By entering into them, they subject themselves to contractual obligations they would not otherwise have but for the agreement, including compliance costs that would not otherwise apply, restrictions on use and disclosure, and liability for damages in the event of non-compliance. In addition, by executing an unnecessary business associate agreement, the entity may improperly concede that it is a business associate and thereby expose itself to HIPAA penalties for non-compliance. To avoid such situations, entities asked to enter into unnecessary business associate agreements may consider responding as follows: if a service is hired to do work for a covered entity where the disclosure of [PHI] is not limited in nature (for example, routine handling of records or shredding of documents containing [PHI]), the service is likely a business associate. However, when such work is performed under the direct control of the covered entity (for example, on the covered entity's premises), the Privacy Rule permits the covered entity to treat the service as part of its workforce, and the covered entity is not required to enter into a business associate contract with the service.