BAA Agreement HIPAA

"BAA" is an acronym for Business Associate Agreement, an industry term for what the HIPAA rules call a "Business Associate Contract." Same thing. Unlike most contracts, a HIPAA business associate agreement does not necessarily exempt a covered entity from financial penalties for PHI violations. When a covered entity does not receive "satisfactory assurance" that a BA complies with HIPAA before the contract is concluded and a subsequent PHI violation occurs, the covered entity may be held responsible for the violation. HIPAA requires covered entities to work only with business associates that assure full protection of PHI. These assurances must take the form of a contract or other agreement between the covered entity and the BA.

[The agreement could also provide that the business associate may transmit the protected health information to another business associate of the covered entity at the time of termination, and/or add conditions relating to a business associate's obligations to obtain or ensure the destruction of protected health information created, received or maintained by subcontractors.]

The business associate contract ensures that there is a chain of custody for PHI. A vendor of a HIPAA covered entity must enter into a contract with the covered entity, and a subcontractor used by a business associate is also required to enter into a contract of this type. A subcontractor is a business associate of a business associate and is not covered by the BA/covered entity contract. A separate contract must be signed before access to PHI is granted.
The longer the chain and the further it extends from the covered entity that transmits the ePHI, the greater the potential for violations of the HIPAA business associate agreement.

Covered entities may be fined for not entering into a HIPAA business associate agreement or for entering into an incomplete agreement, while under HITECH (78 FR 5574) BAs are required to comply with the HIPAA Security Rule even if no HIPAA business associate agreement is in place. In the event of a violation of, or non-compliance with, a BAA by a business associate or subcontractor, the covered entity must take appropriate measures to remedy the breach or end the violation. "If such measures fail, they must terminate the contract or agreement," HHS explains. "If termination of the contract or agreement is not possible, a covered entity is required to report the issue to the HHS Office for Civil Rights."

[Option 2 – Reference to an underlying service agreement, e.g., "as necessary to provide the services defined in the service agreement."]

At Aptible, we get a lot of questions about HIPAA Business Associate Agreements, or BAAs. This article explains some of the key concepts that cloud-hosted software development organizations should know about BAAs.