2.2 Safety precautions. Business Associate is committed to implementing appropriate administrative, physical and technical security measures (a) to prevent the use or disclosure of PHI; and (b) to adequately protect the confidentiality, integrity and availability of the ePHI that Business Associate creates, receives, manages or transmits on behalf of the covered entity. These security measures include a written information security directive, a security incident response plan, regular security awareness training and confidentiality/non-disclosure agreements with independent subcontractors and consultants to whom Business Associate has delegated tasks under this Agreement.

The contract should provide that the BA (or subcontractor) must take appropriate administrative, technical and physical security measures to ensure the confidentiality, integrity and availability of ePHI and meet the requirements of the HIPAA Security Rule. Some of these measures may be specified in the BAA or left to the BA's discretion. The BAA should also include the authorized uses and disclosures of PHI to meet the requirements of the HIPAA Privacy Rule.

If people who are not authorized to access PHI gain access to it, for example through an internal breach or a cyberattack, the business associate is required to inform the covered entity of the breach and may be required to send notifications to the persons whose PHI has been compromised. The timing and reporting responsibilities should be detailed in the agreement.

Encryption of all ePHI stored or transferred by a business associate is an important protection, but encryption alone is not enough to ensure HIPAA compliance.
Physical security measures must also be put in place to ensure that unauthorized persons cannot access ePHI. Administrative security measures must be put in place as well, and written guidelines and procedures must be developed and maintained.

WHEREAS the covered entity has engaged the business associate to provide specific services for or on behalf of the covered entity that are described and defined in one or more separate agreements for services between the parties, order forms and/or statements of work (a "service agreement"), and the business associate may use or disclose, in connection with those services, certain individual health information protected by the privacy and security rules.

All covered entities that intend to share protected health information with a third-party provider must establish a HIPAA-compliant business associate agreement before agreeing to conduct business together.