Answer: Always check your counterparty agreement first to decide on next steps, as notification requirements may be shorter than HIPAA. But also NOTE – “Ransomware” is considered a HIPC violation unless you can prove that this is not the case. And HIPAA requires that you notify the covered company of a violation immediately, but no later than 60 days after discovery. Question: We have a regular weekly cleaning service that comes to our office and their crew may observe patients in the waiting room or even accidentally see patient information on their desk or in the trash. Are you a partner? Answer: No, you are a business partner because PHI is more than a medical diagnosis (or complaint). In particular, outsourcing storage or other services for ePHI abroad may increase information risks and vulnerabilities or be a particular consideration for the applicability of data protection and data security. Covered undertakings (and counterparties, including the CSP) should take these risks into account when implementing the risk analysis and risk management prescribed by the security rule. See 45 CFR § 164.308 (a) (1)(ii) (A) and (a) (1) (ii) (B). For example, when ePHI is maintained in a country where there is an increase in hacking attacks or other documented malware attacks, these risks should be considered and companies should put in place appropriate and appropriate technical security measures to address these threats. Some healthcare organizations rely heavily on offshore suppliers and contractors who manage PHI outside the U.S., Holtzman says. . .