HIPAA allows business partners to obtain health information when such authority is issued within the BAA. This provision is an example of granting such powers. Most of the companies surveyed do not allow counterparties to use unidentified data for commercial purposes, or they wish to have access to searches with unidentified data. Consider discussing alternatives with a lawyer who can review the provision. d) make sure, if, in accordance with 45 CFR 164.502 (e) (1) (ii) and 164.308 (b) (2), all subcontractors who produce, receive, maintain or transmit protected health information on behalf of the counterparty accept the same restrictions, conditions and requirements that apply to the counterparty with respect to this information; Trading partners must also comply with other federal and regional data protection laws, which are stricter than HIPAA. A lawyer can advise on existing laws and the compliance obligations that flow from them. 2.7 Subcontractors. Business Associate will require its subcontractors to provide, through a written agreement, sufficient assurance for compliance with the same obligations, limitations and conditions of data protection and security with respect to PPH and ePHI as those applicable to Business Associate through this BAA. Business Associate may forward PHI to other Covered Entity business partners without requiring the written agreement described here. Considerations may help explain the relationship between BAA and the underlying agreements between the parties.

Consider asking a lawyer to verify the accuracy of the recitals and all the underlying agreements. [The parties may add additional features with respect to the counterparty`s obligations to notify an infringement, such as, for example. B, a stricter period for the counterparty to report a possible violation to the entity concerned, and/or whether the counterparty will deal with injury notifications to individuals, the HHS Office for Civil Rights (OCR) and possibly the media on behalf of the company concerned.] OCR`s investigation showed that ACH never entered into a matching agreement with the person providing medical billing services to ACH, as requested by HIPAA, and that it did not adopt a directive requiring matching contracts until April 2014.