At Aptible, we get a lot of questions about HIPAA Business Associate Agreements, or BAAs. This article explains some of the key concepts that cloud-hosted software development organizations should know about BAAs.

In addition to Aptible or another host, you are probably using a number of third-party application and workflow services to build your products and run your business. For example, you might use Twilio to send SMS, Mailgun for transactional email, Mixpanel for analytics, AWS RDS for your database, Papertrail for logging, Slack for internal communication, Gmail for email, and so on. Some of these vendors will sign BAAs; others will not. The rules are more nuanced than this, but in practice, if you process identifiable patient data for any reason, most covered entities (health care providers, insurers, pharmacies, self-insured employers, etc.) will consider you a business associate and require you to sign a BAA. If you hire a subcontractor and that subcontractor comes into contact with PHI, you must execute a BAA between the two of you. The Privacy Rule requires that every subcontractor of a business associate agree to the same restrictions that bind the original business associate. BAAs both satisfy the HIPAA rules and create a relationship of accountability between the two parties.

If one party violates a BAA and discloses PHI, the other party has legal standing to act. If there is no BAA, or the BAA is incomplete, or the agreement is recklessly violated, both parties may find themselves in the crosshairs of the Department of Health and Human Services, the Office for Civil Rights, and perhaps even the Department of Justice. Unlike most contracts, a HIPAA business associate agreement does not necessarily protect a covered entity from financial penalties for PHI breaches. If a covered entity does not obtain assurance that a business associate can operate within a HIPAA-compliant framework before entering into a contract, and that business associate then breaches PHI, the covered entity may be held responsible for the breach. The template BAA provided here (tk-Link to pdf) is a common form. Using any such agreement effectively requires adapting it to the specific needs of your organization.

