However, as a business associate, the CSP remains responsible under the Security Rule for implementing other reasonable and appropriate controls to limit access to the information systems that maintain customer ePHI. For example, even if the parties have agreed that the customer is responsible for authenticating access to ePHI, the CSP may still be required to implement appropriate internal controls to ensure that access to the administrative tools that manage the resources critical to the operation of its information systems (for example, storage, network interfaces, CPUs) is limited to authorized access. A CSP that is a business associate must therefore, as part of its risk analysis and risk management process, consider and address the risk of a malicious actor gaining unauthorized access to its system's administrative tools, which could affect the operation of the system and compromise the confidentiality, integrity and availability of the customer's ePHI. The CSP should also take into account the risks associated with the use of unpatched or obsolete administrative tools. The CSP and the customer must confirm in writing, in the BAA or other documents, how each party will meet the requirements of the Security Rule. In addition, a BAA must include provisions requiring the business associate to make PHI available, among other things, so that the covered entity can meet its obligations to provide individuals with their rights to access, amend and receive an accounting of certain PHI, in accordance with 45 CFR § 164.504(e). The BAA between a no-view CSP and a covered entity or business associate customer should describe how the no-view CSP will meet these obligations; for example, a CSP may agree in the BAA to make the ePHI available to the customer so that the customer can incorporate the amendments the individual requests, with only the customer actually making those changes.
In addition, a CSP that meets the definition of a business associate, that is, a CSP that creates, receives, maintains or transmits PHI on behalf of a covered entity or another business associate, must comply with all applicable provisions of the HIPAA Rules, regardless of whether it has executed a BAA with the entity using its services. See 78 Fed. Reg. 5565, 5598 (January 25, 2013). OCR recognizes, however, that there may be circumstances in which a CSP does not have actual or constructive knowledge that a covered entity or other business associate is using its services to create, receive, maintain or transmit ePHI. The HIPAA Rules provide an affirmative defense where a CSP takes action to correct the noncompliance within 30 days (or such additional period as OCR may determine based on the nature and extent of the noncompliance) of the time at which it knew or should have known of the violation (for example, the point at which the CSP knows or should have known that a covered entity or business associate is maintaining ePHI in its cloud).