A business partner is a particular subcategory of vendor in a healthcare organization. Although a business partner provides a product or service to the healthcare organization, the relationship between the two is not transactional. Business partners are characterized by a longer-term or recurring relationship with the healthcare organization, commonly described in a contract or other formal, written obligation.
These relationships are of particular interest when the business partner handles PHI for the healthcare organization. In the United States, a business partner is sometimes called a business associate. Like the healthcare organization, these vendors are subject to industry-specific privacy laws such as HIPAA. Therefore, it is crucial for the healthcare organization, as well as any business associates, to understand how they must comply with the relevant regulations, even if the vendor does not serve only the healthcare industry.
Consider a data center provider, for example. The provider may serve the healthcare organization by maintaining all of the data storage, providing applications, and performing backup procedures offsite. The provider may also do this for the local public school system, a retail department store, and other non-healthcare clients. In any case, this vendor must maintain its data center according to the appropriate healthcare regulations, such as HIPAA. This would include signing a special contract, such as a business associate agreement (BAA), that specifically outlines the data center provider’s responsibilities and any provisions for noncompliance. You can imagine how complex this can be for a vendor.
Several requirements, with respect to the content of the BAA, follow:

- The business associate must have appropriate safeguards to prevent use or disclosure of information other than as provided for by its contract.
- The business associate must report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware.
- The business associate must ensure that any agents or subcontractors agree to the same restrictions and conditions that apply to the business associate with respect to the individually identifiable health information being processed.
- The business associate must make protected health information available for patient access and amendment, must incorporate any amendment provided to it by the covered entity, and must provide an accounting of disclosures.
- The business associate must make its internal practices, books, and records relating to the use and disclosure of protected health information available to HHS for purposes of determining the covered entity's compliance.
- At termination of the contract, the business associate must return or destroy all protected health information.
- The contract must also authorize termination of the contract if the business associate is in material violation.