The counterparty agreement guarantees the use of a retention chain for PIS. A seller of a business covered by HIPAA must enter into a contract with the covered company and a subcontractor used by a counterparty is also required to enter into a contract of this type. A subcontractor is a consideration for consideration and is not covered by the ba/covered enterprise contract. A separate contract must be signed before access to PHI is granted. The chain can be longer and further away from the covered entity that transmits the ePHI, the greater the potential for violations of the HIPAA business association agreement. “[A] a person or corporation that is not a member of the staff of a covered company, performs functions or activities on behalf of a covered company, or provides certain services that include consideration of protected health information. A [BA] is also a subcontractor that creates, receives, manages or transmits protected health information on behalf of another [BA].” 2. A counterparty may authorize a subcontractor consideration to produce, receive, maintain or transmit electronically protected health information on its behalf only if the counterparty receives satisfactory assurances in accordance with Section 164.314, period a), that the subcontractor adequately protects the information” [ii] U. Department of Health and Human Services (HHS.gov, Health Information Privacy). Available under www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ccdh/index.html (a) Business Associate. “counterparty” generally has the same meaning as the term “counterpart” for 45 CFR 160.103 and means, with respect to the party in this agreement, the party to the agreement [insert the name of the consideration]. Each party in the chain is legally and contractually obligated to protect the PHI and manage it to the same extent as the obligations of the company covered at the top of the chain.

Therefore. B, if a covered company is a hospital and that hospital has a 24-hour injury report, each link (or business partner) of that chain must also report the injury report 24 hours a day in its BAAs. “1. A covered entity may only permit a counterparty to produce, receive, maintain or transmit electronically protected health information on behalf of the section 164.314 (a) entity if the entity covered by Section 164.314, point a), receives satisfactory assurances that the counterparty adequately protects the information. A covered entity is not required to obtain such satisfactory assurances from a counterparty that is a subcontractor. There are a few exceptions to the requirement to sign a counterparty agreement. These include specialists to whom a hospital refers a patient and transmits the patient`s medical card for treatment, laboratories to which a physician discloses a patient`s PPH for treatment, and the disclosure of PHI to a health plan sponsor, such as an employer, through a collective health plan. It became much more disturbing when the hitech HIPAA Omnibus Rule expanded in 2013 the simple previous definition of the business partner to the so-called subcontractor. Subcontractors, such as a software developer or host, are typically service or technology organizations that provide additional services to partners that provide services to covered businesses. A “counterparty” is a person or organization (with another entity of a covered entity) that performs certain functions or activities on behalf of a covered entity or provides certain services involving consideration access to PHI.