Association business requirements. In general, a company that is a “business partner” under HIPAA must: “A trading partner is directly responsible under HIPAA rules and is subject to civil and, in some cases, criminal penalties for the use and disclosure of protected health information that is not authorized or provided for by the law of its contract. A partner/subcontractor is also directly responsible and is subject to civil penalties if it does not protect protected health information online in accordance with the HIPAA safety rule.” 4 2. a company`s staff. A company`s staff members are not business partners of the company, including “employees, volunteers, interns and others whose conduct while performing work for an insured company or counterparty is under the direct control of that unit or consideration, whether or not they are paid by the insured unit or by a consideration.” CFR 160.103). In order to avoid counterparties` obligations, contractors may attempt to be classified as staff members of the covered company. The OCR stated that HIPAA requires insured companies to cooperate only with trading partners that guarantee full protection of the PHI. These insurances must take the form of a contract or other agreement between the insured company and BA.1 8. Maybe entities that manage coded PHI. Unlike companies that transfer PHI, companies that have PHIs (for example.
B data storage companies) are generally considered business partners. (45 CFR 160.103; 78 FR 5572). As HHS explained: transitional provisions for existing contracts. Covered companies (excluding small health plans) that have entered into an existing contract (or other written agreement) with consideration prior to October 15, 2002 may continue to work under this contract beyond April 14, 2003 until an additional year, unless the contract is extended or amended before April 14, 2003. This transitional period applies only to written contracts or other written agreements.