(78 FR 5572, highlighted). Note that the predicted analysis applies to data storage companies that have “access” to the PHI. Unless we receive conflicting instructions from HHS, there is a fairly strong argument that business partner requirements do not apply and should not apply to entities that manage encrypted PIs if the entity does not have the encryption key. The HHS rule for reporting violations assumes that encrypted data is secure. (See OCR`s guide to www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html). Therefore, it would be logical to think that the maintenance of encrypted data without the key should not trigger counterparty obligations. Business contracts are not optional! HIPAA requires you to sign the BAA with your business partner before sharing PHI with them. This will help you avoid a data breach, as well as penalties for not having a BAA on site. Instead, ask them to sign a confidentiality agreement. We include these points in the confidentiality agreements we offer to our customers: for some providers, you only need a Service Level Contract (SLA).
However, for lenders that create, receive, manage or transfer POs on behalf of your organization (“business partners”), you must have an associate agreement next to ALS. Even if your provider can`t view the PHI (z.B because it`s encrypted), you still need a BAA with it. Once companies, business partners and covered business partners have identified their relationship, it is important to ensure that third parties protect the POs they receive. A signed agreement proves that the BA knows that they must manage THE PHI. (OCR Frequently Asked Questions (“FAQ”), available at www.hhs.gov/ocr/privacy/hipaa/faq/index.html). Similarly, “the simple sale or provision of software to a registered business does not result in a business relationship if the seller does not have access to the [PHI] of the registered business.” (Id.) Companies wishing to avoid counterparty obligations may wish to include in their service contracts a provision confirming that phi is not required to perform its functions and that their customers, who are registered companies or counterparties, do not make available to the company POs (or, as explained below, unencrypted POs) without the prior approval of the entity. A business partner should also be drawn to the consequences of non-compliance with HIPAA requirements. The counterparties may be directly sanctioned by the authorities for the supervision of hip-hop offences.