The definition of a trading partner is quite simple. According to the Department of Health and Human Services is a business partner: www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.htmlsearchsecurity.techtarget.com/definition/business-associatewww.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa-regulations-affect-business-associates__www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html For individuals and organizations that work in health professions, here you will find a brief information article by Julie L. Hamlet and Ray H. Littleton, from our health law group, on counterparty agreements and the need to consult your lawyer to verify in order to avoid consequences. Failure to conclude, if necessary, HIPC-compliant counterparty arrangements can result in severe penalties against both covered companies and counterparties. A HIPC counterparty agreement is a contract between a HIPC entity and a supplier that is used by that entity. A unit covered by the HIPC is typically a health care provider, health plan or health care clearing house that conducts transactions electronically. A supplier to a HIPC entity that needs to receive protected health information (IHP) to perform tasks on behalf of the covered entity is designated as a counterparty (BA) under the HIPC. A provider is also considered BA when the PHI electronic services (ePHI) pass through its systems as part of the services provided.
A counterparty agreement signed by the HIPC must be obtained from the covered entity before a counterparty can contact PHI or ePHI. The problem for many covered companies is that they are not always sure who a HIPC counterparty agreement applies. The Department of Health & Human Services defines a counterparty as „a natural or legal person who performs certain functions or activities that involve the use or disclosure of protected health information on behalf of or that provides services to a covered entity.“ The contract should provide that the BA (or subcontractor) must take appropriate administrative, technical and physical security measures to ensure the confidentiality, integrity and availability of the ePHI and meet the requirements of the HIPC security rule. . . .