You need to be able to identify your workforce classification before you know what HIPAA requires. According to the definition in the Health Insurance Portability and Accountability Act (HIPAA), a business associate is any organization or person that works in relation to a covered entity or provides services that create, process or share protected health information (PHI). As part of compliance with your HIPAA agreement (or with GLBA privacy and data protection rules), you can't just trust that your shredding service does everything right. You have to verify it. These six tips will help you evaluate your current shredding service or select a new one.

It's like playing with fire when there are no BAAs: you might be lucky, but you can easily get burned. There are three possible outcomes:

As a HIPAA business associate or covered entity, you can count on shredding services to make it easy to destroy paper documents and electronic media safely. But how do you know what they actually do with your paper? In addition, NAID requires the use of a cross-cut shredding process that reduces the paper to a tiny particle size. Together, all of these requirements significantly reduce the privacy risk to PHI.

"[A] person or corporation that is not a member of the workforce of a covered entity, performs functions or activities on behalf of a covered entity, or provides certain services that involve the use or disclosure of protected health information. A [BA] is also a subcontractor that creates, receives, maintains or transmits protected health information on behalf of another [BA]."

"Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses and (3) health care providers that electronically transmit health information in transactions for which HHS has adopted standards. In general, these transactions involve billing and payment for insurance services or coverage."
For those types of workers who are not business associates, Total HIPAA recommends the following: if the "collaborator" is a contractor who works exclusively for your company or an individual contractor with other customers, you cannot expect that person to produce privacy and security policies and procedures the way a BA or a BA subcontractor would.
There is no need to ask them to sign a BAA or a subcontractor BAA, because they do not have the compliance infrastructure that HIPAA requires. Do BAAs expire? No, they do not. Once the BAAs are in place, they remain valid unless the regulatory rules change. The last change in requirements occurred in 2013, when HHS updated its HITECH requirements. HHS gave 18 months for the updating and implementation of BAAs. However, some organizations may not have kept up with this change, so it is important to check all active BAAs. If they were drawn up after September 2013 and contain the revised HITECH requirements, they should be in good order. To be effective, the BAA must be signed and dated by both the business associate and the covered entity.