Exceptions to the Business Associate Standard. The Privacy Rule contains the following exceptions to the business associate standard. See 45 CFR 164.502(e). In these cases, a covered entity is not required to have a business associate contract or other written agreement in place before protected health information may be disclosed to the person or entity.

Business Associate Contracts. A covered entity's contract or other written agreement with its business associate must contain the elements specified in 45 CFR 164.504(e). For example, the contract must: describe the permitted and required uses of protected health information by the business associate; provide that the business associate will not use or further disclose the protected health information other than as permitted by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information that is not provided for by the contract. If a covered entity knows of a significant breach or violation by the business associate of the contract or agreement, the covered entity is required to take appropriate steps to cure the breach or end the violation and, if such steps are unsuccessful, to terminate the contract or agreement.
If termination of the contract or agreement is not possible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Please consult our standard business associate contract.

A business associate is a person or entity that creates, receives, manages or transmits PHI on behalf of a covered entity (directly or through another business associate) in order to perform covered functions or transactions of the covered entity. Subcontractors are essentially required to meet the same HIPAA requirements when it comes to accessing and using protected health information. And like business associates, they are liable for all penalties for breaches of this contract.

2. Entering into and complying with valid business associate agreements. Business associates are obligated to enter into, and act in accordance with, written business associate agreements that essentially require the business associate to: respect the privacy of PHI; limit its use or disclosure of PHI to purposes approved by the covered entity; and help covered entities respond to individuals' requests for their PHI. The OCR has published on its website standard language for business associate agreements: www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.

The HIPAA Privacy, Security and Breach Notification Rules now apply to covered entities (for example, health care providers and health plans) and their business associates. A "business associate" is, as a rule, a person or organization that creates, receives, manages or transmits protected health information in the course of performing services on behalf of the covered entity (for example, advisors; management, billing, coding, transcription or marketing companies; IT contractors; data storage or document destruction companies; companies or data vendors who regularly access PHI; third-party administrators; personal health record vendors). With very limited exceptions, a subcontractor or other entity that creates, receives, manages or transmits PHI on behalf of a business associate is also a business associate.