Although they are based outside the United States, business associates working for US-based companies are subject to HIPAA's regulations, just like domestic business associates. These regulations include:
Privacy Rule: This rule sets standards for how PHI may be used and disclosed, ensuring that international business associates access and share PHI only as necessary. They must also guarantee that individuals' rights over their health information, such as obtaining and reviewing their health records, are respected.
Security Rule: This rule requires business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (ePHI). For an international company, this might involve using secure communication channels, encrypting data, implementing access controls and audit trails, and regularly evaluating security practices to manage potential risks and vulnerabilities.
Breach Notification Rule: Under this rule, business associates must report any breach of unsecured PHI to the covered entity they serve and, in certain circumstances, to the affected individuals and the U.S. Department of Health and Human Services (HHS). This notification must occur without unreasonable delay and in no case later than 60 days after the breach is discovered.
See also: Do international companies have to abide by HIPAA?
Research the potential business associate's history of HIPAA compliance. Ask for references or case studies demonstrating compliance with past clients or projects.
Request their written HIPAA compliance policies and procedures. Ensure they have up-to-date, comprehensive policies covering the Privacy, Security, and Breach Notification Rules.
Draft or review a BAA that explicitly sets out the responsibilities and expectations regarding PHI. Ensure the agreement includes terms on how PHI will be used, safeguarded, and disclosed.
Verify their process for detecting, reporting, and responding to PHI breaches. Check that they have a clear protocol for notifying you in the event of a breach.
Have designated contacts within the organization for HIPAA-related inquiries and issues. Ensure that they use HIPAA-compliant email to provide additional protection.
See also: What does it mean to be a business associate?