Shred It Business Associate Agreement

We have experience in creating business partnership agreements to help you implement and execute compliant, secure and responsible procedures while getting the most out of your equipment. We offer on-site data destruction with our secure mobile shredding truck as well as plant-based shredding and data erasure services. We also offer a transparent audit trail of the chain of custody, from the pick-up location to the final disposition. Dropbox or other cloud storage providers (CSPs)? Yes. According to, when a covered entity engages a CSP to “create, receive, maintain, or transmit ePHI (e.B. to process and/or store ePHI),” the CSP is a HIPAA business partner on its behalf. This is true even though the CSP only processes and stores encrypted ePHI and does not have an encryption key for the data. ( Thus, if a covered entity uses any type of CSP, whether it is Dropbox to store documents or a complete electronic health record system, the covered entity and the CSP must enter a BAA, even if the data is encrypted and cannot be accessed by the CSP. This is because while encryption helps protect the confidentiality of ePHI, it does nothing to ensure the integrity and availability of IHP, and the security rule requires that the confidentiality, integrity, and availability of IHP be protected by appropriate measures.

HIPAA requires that covered companies only work with business partners who provide comprehensive IHP protection. These assurances must be made in writing in the form of a contract or other agreement between the entity concerned and the BA.1 Make sure your employees know what is expected of them. Never store sensitive papers outside closed containers. Never store sealed containers outside your building. Let someone accompany you with the shredding service between your desk and your truck. As part of your HIPAA Business Partnership Agreement, your customers can request to see these procedures during an audit. From award-winning HIPAA training to contracts and agreements, we can meet your needs so you can protect your business. They offer a solid 9-minute video on the certification process. My favorite part is that NAID performs random and unannounced audits of shredding services as part of certification. An important note, however, is that NAID certification is by location, not by company.

Be sure to confirm the certification of the website that will perform your shredding, not just from the company. HIPAA requires BAAs between covered companies and business partners. However, HIPAA has begun to examine not only whether there really is a BAA in place between a BA and a covered company, but also whether the AB actually ab`s are complying with the agreements. Trade partnership agreements have clear expectations that the business partners you work with must meet HIPAA`s IHP protection requirements. HIPAA compliance is reason enough for you to enter into agreements with your ABAs. In addition, it is important to know that HIPAA audits are increasing in number and are aimed at small procedures and organizations. If there is no BAA, it can result in penalties, including fines, which can be especially problematic for small businesses with limited resources. They offer a solid 9-minute video on the certification process. My favorite part is that NAID performs random and unannounced audits of shredding services as part of certification.

However, an important point is that NAID certification is based on the location of the company and not on the company. The number and scope of HIPAA audits have recently changed. In 2016, HIPAA launched Phase 2 of the audit program, which includes both covered entities and business partners, and there are fewer on-site audits. Instead, “office audits” are performed, which include requests for a list of all business partners of the covered companies. During Phase 1 of the audits, the Office of Civil Rights (OCR) only asked covered entities to provide a list of business partner contracts. In Phase 2, OCR not only reviews BAAs, but also verifies BAAs to determine if they are actually HIPAA compliant. Covered companies must ensure that they understand when a BAA is required and execute such agreements so that, in the event of an audit, they can provide the requested documentation and demonstrate compliance with the relevant provisions of HIPAA. Shredding is not a complete destruction of paper – someone who is properly motivated can always reassemble the parts. If the paper is sent to an external recycler after shredding, how do the shredding services know what is going on there? They should have a plan to look at all the suppliers they work with, or better yet, they should do the recycling in their own facility.

“The business partner will shred the paper files by picking them up every Friday at 13:00.m. placed in a secure sealed container approved by [name of covered company or upstream business partner] and transported in a secure and locked vehicle approved by [name of covered company or upstream business partner] to the safe location of the business partner and shredded with a Cummins Allison high security particle cut commercial paper shredder which is the last national national commercial paper shredder Security is complies with the agency`s specifications and Ministry of Defense standards for the secure destruction of top-secret documents, communications security and sensitive information on paper. Shredding must take place within one hour (1) of receipt of the records at the business partner`s location, and the business partner must complete the certificate of destruction attached to this business partnership agreement in Appendix A. The business partner agrees that [name of the covered company or upstream business partner] may verify all parts of the shredding operations. Any deviation from these standards must be approved by the security officer [name of the covered entity or upstream business partner]. NAID (National Association for Information Destruction) certifies that shredding services really know what they are doing. It is completely voluntary; Shredding services don`t need to have NAID certification, but it`s a quick way for you to achieve a level of convenience that shredding services take privacy and confidentiality seriously. In order to avoid liability for infringement by business partners, business partnership agreements cannot specify how the business partner provides the service to or on behalf of the company concerned, except in general terms. The agreement does not stipulate that the covered entity can exercise the right to control the conduct of the business partner, even if it does not do so at the beginning. As part of your compliance with your HIPAA (or state GLBA and privacy laws), you can not only trust that your shredder service is doing everything right. You have to be sure. These six tips will help you evaluate your current shredding service or choose a new one.

But let`s be honest. Running a business without the help of third parties is difficult, if not impossible. Hiring outside help when you need extra hands or have special needs often makes economic sense. Once the covered companies, business partners and subcontractors of the business partners have identified their relationship with each other, it is important to ensure that third parties protect the PSR they receive. A signed agreement certifies that the BA knows that it must manage PSR safely. Lawyers who provide services to the covered business? Yes, if the lawyer has access to PSR. If you hire a lawyer to provide services that do not include access to PSRs, such as setting .B a business unit, drafting contracts, or reviewing forms, a BAA is not required. However, if you have hired a lawyer to defend against professional misconduct or licensing and the lawyer has access to PSR as part of the complaint, a BAA must be in place. The BAA should provide that the lawyer and all agents performing functions to assist the lawyer, such as paralegals, investigators, other legal counsel, etc., protect the privacy and security of PHI. .