The contract should provide that the BA (or subcontractor) must take appropriate administrative, technical and physical security measures to ensure the confidentiality, integrity and availability of the ePHI and meet the requirements of the HIPAA Security Rule. Some of these measures may be recorded in the BAA or may be left to the BA's discretion. The BAA should also include the permitted uses and disclosures of PHI in order to meet the requirements of the HIPAA Privacy Rule.

If PHI is accessed by persons who do not have the right to view the information, for example in the event of an internal breach or a cyber-attack, the business associate is obliged to inform the covered entity of the breach and possibly to send notifications to the persons whose PHI has been compromised. The timing and responsibilities of notifications should be set out in the agreement.

The functions and activities of business associates include: claims management or management; data analysis, processing or management; verification of use; quality assurance; settlement of accounts; performance management; practice management; and reassessment. The business associate services are: legal; actuarial; accounting; counselling; data aggregation; management; administrative; accreditation; and financial. See the definition of “consideration” in 45 CFR 160.103.

(b) Termination for No Cause. The Business Associate shall authorize the termination of this Agreement by the Covered Entity if the Covered Entity finds that the Business Associate has breached an essential provision of the Agreement [and that the Business Associate has not cured or ended the breach within the period specified by the Covered Entity]. [The bracketed language may be added if the covered entity wishes to give the business associate the opportunity to remedy a breach of the contract prior to termination for an indispensable reason.]

Exceptions to the Business Associate Standard.
The Privacy Rule contains the following exceptions to the business associate standard.
See 45 CFR 164.502(s). In such situations, the covered entity is not required to enter into a business associate contract or any other written agreement before the protected health information can be transmitted to the person or entity.

Covered entities may be fined if they have not entered into a HIPAA business associate agreement or have only an incomplete agreement, although HITECH § 78 EN 5574 provides that BAs are required to comply with the HIPAA Security Rule even if no HIPAA business associate agreement is executed.

This document contains examples of business associate agreement provisions that make it easier for covered entities and business associates to meet business associate contract requirements. While these sample provisions have been drafted for the purposes of the contract between a covered entity and its business associate, the language may be adapted for the purposes of the contract between a business associate and a subcontractor.

"Business associate" means a person or entity who is not a member of the workforce of a covered entity, and who carries out functions or activities on behalf of a covered entity or provides the covered entity with certain services that involve the business associate's access to protected health information.