The Department of Health and Human Services Office for Civil Rights (HHS/OCR) can impose hefty fines and remedial measures if you do not have a BAA with your business associates. In addition, if HHS/OCR audits your organization, you must be able to produce your business associate agreements and prove that you have performed due diligence on your business associates. Put simply, a business associate is a person or organization that handles PHI on behalf of a covered entity or another business associate. (OCR Frequently Asked Questions (“FAQ”), available at [link not preserved].) Similarly, “the mere selling or providing of software to a covered entity does not give rise to a business associate relationship if the vendor does not have access to the [PHI] of the covered entity.” (Id.) Companies wishing to avoid business associate obligations may wish to include in their service contracts a provision confirming that PHI is not required for the company to perform its functions, and that their customers, whether covered entities or business associates, will not make PHI (or, as explained below, unencrypted PHI) available to the company without the company's prior approval. Business associates that violate HIPAA may be fined from $100 to more than $50,000 per violation (45 CFR 160.404). If the violation is the result of willful neglect, the Office for Civil Rights (“OCR”) must impose a fine of at least $10,000 per violation. (Id.) If the violation is the result of willful neglect and the business associate does not correct it within 30 days, OCR must impose a fine of at least $50,000 per violation. (Id.) A single incident can give rise to many violations. For example, the loss of a laptop containing the PHI of hundreds of patients can represent hundreds of violations.

Similarly, every day on which a covered entity or business associate fails to implement a required measure is a separate violation (45 CFR 160.406). In addition to regulatory penalties, business associates that do not comply with their business associate agreements may also be held liable for contractual damages and/or indemnification obligations under the business associate agreement.