www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

Although business associates are directly responsible under HIPAA, much of the risk and responsibility remains with you as a provider if a business associate cannot access the information provided by your patient. In addition, the public scrutiny that accompanies breaches of patient information is not what a provider wants. It is therefore important to ensure that your business associates have identified, verified and entered into HIPAA-compliant business associate agreements. Health advisors familiar with HIPAA and business associate agreements can provide additional assistance in the event of problems or other legislative concerns.

(a) Business associate. "Business associate" generally has the same meaning as the term "business associate" at 45 CFR 160.103 and means, with respect to the party to this agreement, [insert the name of the business associate].

HHS can monitor business associates and subcontractors to verify HIPAA compliance, not just covered entities. This means that organizations must have a Business Associate Agreement (BAA) for all three levels in order to meet HIPAA requirements. It is in your best interest to have an agreement, as all three classifications are responsible for the protection of the PHI.

(d) In accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), if applicable, ensure that all subcontractors who create, receive, maintain or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions and requirements that apply to the business associate with respect to this information;

Whether you have the required business associate agreements is clearly something HHS can verify.
Each practice should have at least one standard business associate agreement, executed by all business associates. You will certainly not be able to make a compelling argument regarding "good faith" compliance if you use business associate services without an agreement.