Migrating Customers from Iron Mountain to NCC would be a good opportunity for Iron Mountain customers to review their current agreements and determine (a) if they are still needed or (b) if they are still fit for purpose. For many organizations, legacy on-premises software may have been phased out or moved to a SaaS model hosted on AWS, Microsoft Azure, or GCP. These applications are best suited to a SaaS escrow solution to ensure continuity in the event of software vendor bankruptcy or other critical failures. Business Partner Agreements Your organization`s collective health plan is required to enter into a contractual agreement with all your business partners that defines how the business partner may use and disclose PSR, how it secures PSR, and other rights and obligations that the parties have under the rules. [3] The Department of Health and Human Services (DHHS) provided a sample of the contractual language of the business partners. Among other things, the contract must include language that addresses the parties` liabilities if insecure PHI is used or disclosed inappropriately (a “breach”). Your organization has limited time to investigate and respond to a breach. In practice, it is the employer (as a plan sponsor) who must obtain the contract for all business partners in the plan, but business partners will often provide the employer with their version of this contract without being asked. It is in the commercial interest of each party to use a standardized contract to facilitate administration, rather than having to comply with the obligations of contracts from different sources, so that there is a natural tension between the parties, each preferring its own contracts. The requirements of a business partner agreement are fairly standardized, but it`s not uncommon for the contract to be more favorable to the drafting party or to include additional terms of the contract that go beyond the requirements of the rules, so it`s important to have this reviewed by your legal counsel. Finally, increased awareness of software fiduciary is always welcome in an industry that operates in the background of many software licensing agreements or saas. News of the sale of Iron Mountain to CNC was widely reported in the mainstream media, including articles in The Times, Business Wire and Nasdaq.com that undoubtedly refined Software Escrow`s profile for the business community at large.

Last week, Iron Mountain Incorporated (NYSE: IRM) signed an agreement to sell its intellectual property management (“IPM”) business to NCC Group (“NCC”), a UK-based software trust company. All IPM assets will be sold to NCC for gross proceeds of $220 million, or approximately $165 million after taxes and fees, subject to adjustments. From what I`ve heard from our customers, Iron Mountain has been strong in providing a traditional source code escrow account, but has been slow to develop its SaaS escrow options. This gives NCC the opportunity to try to transition its newly acquired Iron Mountain customers to its Escrow as a Service (EaaS) offering. From the perspective of the global fiduciary software industry, I think this will be positive as it will raise awareness of SaaS escrow options to a wider audience. Many customers who have already used more traditional services may not yet be aware of the availability of SaaS escrow solutions such as Escrow London`s SaaS continuity solution hosted on AWS, Azure or GCP, with more than 90 days of live business continuity in case escrow is triggered. This op-ed examines the opportunities and challenges that arise for other competing software trust providers and companies that use software escrow accounts in their businesses. The strange case of stop-loss, the rules state that stop-loss carriers are not trading partners of a collective health plan if the stop-loss policy insures the plan itself. The rules are less clear as to the most likely scenario where the stop loss policy directly insures the employer or plan sponsor. In practice, stop-loss carriers are often reluctant to be treated as business partners and are often excluded.

We recommend that employers enter into strong non-disclosure agreements with stop-loss carriers that are not treated as business partners. Rapidly summarized entities are the main stakeholders in the provision and payment of health care, but they often work with other organizations to get help. Many of these organizations must contact Protected Health Information (PHI) to support the covered entity. Remember that PSRs are as follows: After receiving a quote for services, submit an iBuy purchase requisition form or standing order with reference to the offer number and contract number listed below. The respective point of purchase processes the request and places an order. [2] A third party that only transmits PHI without accessing or storing it may qualify for an exception as a simple information channel. Escrow London is headquartered in London, UK, with physical offices in Atlanta, USA and Sydney, Australia. Escrow London specializes in creating SaaS Continuity escrow solutions in addition to the standard source code escrow service. Contact Escrow London to find out more about our innovative solutions. What is a business partner? In the context of the group health plan, HIPAA defines a business partner as a third party that requires PHI to perform a function or service on behalf of a group health plan. In other words, a third party who helps develop your health plan, but needs IHP to do so.

The third-party provider may create, receive, store, or transmit PSRs in this role[2], but it must be “sticky” in at least one of these ways to be considered a business partner. Many of HIPAA`s privacy and security requirements apply directly to business partners. Many will say that it seems that competition in the fiduciary software market has been reduced by the removal of the optional Iron Mountain. However, I would now say that this creates an opportunity for software providers (developers) and end users (beneficiaries) to look for other software trust providers that may have more innovative or customized solutions to offer. For more information about records and information management issues, contact RIMSgroup@uillinois.edu. These are your business partners, and you must maintain the current business partner contracts with each of them. Don`t forget to make this an implementation step when you add a new provider who will be a business partner to your healthcare plans. There is no doubt that Iron Mountain has a strong brand awareness for trust in software in the U.S. market. The acquisition of Iron Mountain`s software escrow assets by a UK company could further raise awareness in the US market of other UK software trust providers such as Escrow London, which also have a physical presence in the US.

Services not authorized for purchase under the Agreement include: This article is the second in a two-part series that examines whether and how the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules (the “Rules”) apply to different legal entities. The first part dealt with the companies covered and appeared in our October 2018 newsletter. This article discusses the business partners of covered companies that are self-insured group health insurance plans. [1] COBRA AdministratorsIf a COBRA administrator only receives login and logout information from the employer (as a plan sponsor), the information received is not PSR and the COBRA administrator is not technically a business partner of the group health plan. . . .