We proposed to refer to “health information organization” in the NPRM and not to “health information exchange organization” as used in the legislation, because we assume that “health information organization” is the generally accepted term to describe an organization that oversees and regulates the sharing of health-related information between organizations. The Act also makes specific reference to regional health information organizations; however, we did not believe that the inclusion of the term in the definition of “trading partner” was necessary, as a regional health information organization is simply a health information organization that regulates the sharing of health information between organizations in a defined geographic area.

9. Respond immediately to violations. The confidentiality rule does not impose specific requirements on trading partners to mitigate violations, unlike many trading partner agreements. Even if not required by a rule or contract, business partners want to respond immediately to actual or potential breaches to reduce unauthorized access to PII and reduce the risk of HIPAA penalties. Acting quickly can minimize or negate the risk that data has been compromised, allowing the relevant company or business partner to report breaches against the person or HHS itself. Also, as explained above, a business partner can completely avoid HIPAA penalties if they don't act intentionally and correct the violation within 30 days.

Contractors who work exclusively for your business, people with other customers, and employees hired through a company are not business partners. However, your company is liable if one of these people violates the PSI.

Comment: A number of commentators continued to express concerns about the perceived responsibility of a covered entity for the actions of its trading partner. Some commentators have called for clarification that a targeted company is not responsible or obligated to monitor the actions of its business partners. It was also suggested that this wording should be explicitly included in the regulatory text of the rule.

One commenter recommended that the rule state that business partners are directly responsible for their own breach of the privacy rule. Another commenter urged the ministry to remove an affected entity's obligation to mitigate adverse effects caused by a business partner's inappropriate use or disclosure of protected health information.

A personal health record provider may offer personal health records directly to individuals and may also offer personal health records on behalf of covered businesses. In such cases, the personal health record provider is only subject to HIPAA as a business partner with respect to personal health records offered to individuals on behalf of the covered companies. Several commenters requested clarification on when personal health record providers would be considered business partners. For example, commenters asked whether personal health record providers would be business partners if they provided the personal health record in collaboration with the entity, whether the personal health record was linked to a covered entity's electronic health record, or whether the individual's personal health record was offered independently, among other scenarios.

In the final rule, we reorganize the list of examples of functions or activities that trading partners can perform. We place part of the proposed list in the part of the definition that deals with when a person performs functions or activities for or on behalf of a covered entity. We place other parts of the list in the part of the definition that specifies services that lead to a business partnership relationship, as explained above. We have also expanded the examples to provide additional guidance and answer questions from commentators.

Commenters generally supported the inclusion of health information organizations, personal health record providers and similar entities in the definition of “trading partners.” However, commentators have sought various clarifications, as will be discussed below. In the final rule, we amend the definition of “business partner” to clarify the circumstances in which a person acts as a business partner of a captured entity.