Question: Our medical practice backs up data using the storage of Google Cloud [or Amazon Web Services]. They say they are HIPAA compliant. Do we still need an agreement with Google [or AWS]?

From award-winning HIPAA training to contracts and agreements, we can meet your requirements so that your business is protected.

The HHS Office for Civil Rights (OCR) has released a new fact sheet containing a clear list of all provisions under which a business associate can be held directly liable for meeting certain requirements of the HIPAA Privacy, Security, Breach Notification and Enforcement Rules, as amended under the HITECH Act of 2009. In 2013, OCR adopted, under the authority of the HITECH Act, a final rule identifying, among other things, the provisions of the HIPAA rules that apply directly to business associates and for which business associates are directly liable.

A business associate's authority to use or disclose PHI derives from the authority of the covered entity. A covered entity may use a patient's PHI without the patient's authorization only for specific purposes, e.g. for its own treatment, payment or health care operations (45 C.F.R. 164.502). HIPAA allows covered entities to share PHI with business associates so that they can help the covered entity carry out permitted activities on its behalf, but, with very limited exceptions, the business associate is subject to the same limits as the covered entity: e.g. without the patient's written authorization, the information can be used only for the covered entity's treatment, payment, health care operations or other permitted uses.
(Id.) The business associate agreement ("BAA") between the covered entity and the business associate must state the permitted uses of PHI (45 C.F.R. 164.502(e)). OCR clarified this uncertainty by publishing the fact sheet, which lists 10 provisions of the HIPAA rules for which business associates may be directly liable. OCR is therefore entitled to take enforcement action against business associates only for the following requirements and prohibitions:

Ask them instead to sign a confidentiality agreement. We insert these points into the confidentiality agreements we offer to our customers:

De-identification. Although HIPAA limits the business associate's use of PHI for its own purposes, the BAA may authorize the business associate to de-identify PHI on behalf of the covered entity customer (cf. 45 C.F.R. 164.502(d)). Once de-identified, the information is no longer protected by HIPAA and, unless agreements between the parties or other laws limit it, the business associate may use the de-identified information for its own purposes without violating HIPAA.
OCR has published the following FAQ on this issue:

There are many more business associates than covered entities in the health sector. The size and complexity of health care mean that PHI is located in many places, on-site and off-site, in transit to and from addresses, electronically and by mail. A hospital, health plan or doctor's office has several vendors that help it provide services. The healthcare sector depends on outsourcing important activities, from billing to collections to data storage. The most comprehensive source of information about HIPAA is the HHS website. However, since HHS cannot cover every possible relationship between a covered entity and a business associate, some of this information may be hard to find and open to interpretation. For specific advice on specific circumstances, it is recommended to seek professional HIPAA compliance assistance. HIPAA's business associates are making headlines, and not in a good way.