Avoid unnecessary counterparty agreements. Unfortunately, many covered companies or counterparties seek matching agreements out of ignorance or precaution, even if these agreements are not technically necessary. Entities should avoid the execution of unnecessary counterparty agreements. they submit to contractual commitments that they would not have, but to the agreement, including compliance costs, which do not otherwise apply; Restrictions on the use of disclosure; and damage in case of non-compliance. In addition, by implementing unnecessary counterparty agreements, the entity may improperly admit that it is a trading partner and thus expose itself to HIPAA penalties for non-compliance. To avoid such situations, companies that are invited to implement unnecessary counterparty agreements may consider reacting as follows: a relevant entity may not allow a counterparty to produce, receive, maintain or transmit protected health information online on behalf of the company concerned only if the covered entity receives satisfactory assurances through a counterparty agreement that the counterparty will properly protect the information. A counterparty agreement must include the elements indicated in paragraph 45 CFR 164.504 (e) and listed below: a matching contract is not required with persons or entities whose functions, activities or services do not involve the use or disclosure of [PHI] and for which access to [PHI] by these individuals would be incidental. [For example], the services that clean the offices or facilities of an insured company are not business partners, since the work they do for the covered companies does not involve the use or disclosure of [PHI] and any disclosure of [PHI] to janitorial staff involved in the performance of their duties (as can be done when garbage cans are emptied) is limited in nature. as a by-product of their janitorial obligations, it was not reasonably possible to prevent them. What is a business associate? “counterparty”: a person or organization that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of a covered company or that provide services to a covered business; An insured company staff member is not a business partner.
A covered health care provider, health plan or health care clearinghouse may be a counterpart to another insured company. The data protection rule lists some of the functions or activities and related services that make an individual or organization a business partner when the activity or service involves the use or disclosure of protected health information. The types of functions or activities that can make an individual or organization a counterpart include payment or health transactions, as well as other functions or activities governed by administrative simplification rules. 5. If the counterparty uses subcontractors or other entities to provide services to the registered business in which PHI is involved, you enter into matching agreements with the subcontractors. (45 CFR 164.314 (a) and 164,504 (e)). Association business requirements. In general, a company that is a “business associate” under HIPAA must do this: conclusion and caution. I hope that companies that are not HIPAA`s “business partners” will avoid the status of a trading partner and the commitments associated with it. On the other hand, if a company is truly a “counterpart” under the regulations, it cannot evade regulatory liability by avoiding a counterparty agreement.
“[A person or entity] is a consideration when the person or entity meets the definition of “consideration,” even if a company or insured counterparty is not outside the required counterparty contract with the person or entity.” (78 FR 5574).