Transitional provisions for existing contracts. Covered companies (with the exception of small health plans) that entered into an existing contract (or other written agreement) with counterparty before October 15, 2002 may continue to work for up to an additional year beyond the compliance date of April 14, 2003, unless the contract is renewed or amended before April 14, 2003. 2003. This transitional period applies only to written contracts or other written agreements. Oral contracts or other arrangements are not eligible for the transition period. Entities covered by eligible contracts may, under such contracts, enter into an agreement with their counterparties until April 14, 2004, or until the renewal or modification of the contract, whichever is earlier, whether or not the contract meets the applicable contractual requirements under 45 CFR 164.502 (e) and 164.504 (e). Otherwise, a data subject entity must comply with the data protection rule, for example.B. only make permitted advertisements towards the counterparty and allow individuals to exercise their rights in accordance with the rule. See 45 CFR 164.532 (d) and (e). The definition of a trading partner is quite simple. It`s anyone you contract with who processes your protected health information (PHI) for any reason. A striking example: in a famous HIPAA case, a clinic commissioned a supplier to convert its X-ray films into digital form and recover money from the films.

They were unable to sign a BAA and were hit by the OCR with an order for payment of $US 750,000. Things have become much more confusing as the HITECH HIPAA Omnibus rule in 2013 expanded the simpler definition of business partners to something called a subcontractor. Subcontractors, such as a software developer or hosting providers, are typically service or technology organizations that provide additional services to counterparties that provide services to covered businesses. According to the law, the HIPC data protection rule only applies to covered companies – health plans, clearing houses for healthcare and certain healthcare providers. However, most health care providers and health plans do not perform all of their health activities and functions themselves. Instead, they often use the services of a large number of other people or companies. The data protection rule allows covered providers and health plans to disclose protected health information to these „counterparties“ when suppliers or plans receive satisfactory assurances that the counterparty uses the information only for the purposes for which it was mandated by the covered entity, protects the information from abuse and helps the covered company to meet some of the obligations of the covered company, in accordance with r to comply with the data protection rule. The undertakings concerned may disclose protected health information to an undertaking acting in its capacity as counterparty only to assist the entity concerned in the performance of its health functions, for the use or for purposes independent of the counterparty, unless this is necessary for the proper management and management of the counterparty. Exceptions to the Business Associate Standard.

The confidentiality rule contains the following exceptions to the counterparty standard. See 45 CFR 164.502(s). In such situations, an undertaking concerned shall not be required to conclude a counterparty contract or any other written agreement before protected health information can be transmitted to the natural or legal person. . . .