There are many sample business associate agreements online, but be careful before using such templates, as they may have been drafted for a different relationship. Each BAA should be tailored to the specifics of the relationship between the covered entity and the business associate concerned. (OCR Business Associate Guidance, available at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.)

This exception applies only to the extent that the healthcare provider uses the PHI for treatment purposes; it would not apply if the healthcare provider uses the information to perform other functions on behalf of the covered entity. "For example, a hospital may enlist the services of another healthcare provider to assist in the hospital's training of medical students. In this case, a business associate contract would be required before the hospital could allow the healthcare provider access to the information." (OCR FAQ.) However, even in this example, the hospital and the physician would not need a business associate agreement if they were members of an OHCA.

For such disclosures, which are not required by law, [HIPAA] requires that the business associate obtain reasonable assurances from the person to whom the [PHI] is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and that the person notify the business associate of any instances of which it is aware in which the confidentiality of the information has been breached. See § 164.504(e)(4)(ii)(B).
Business associate agreements are not optional! HIPAA requires you to sign the BAA with your partner before sharing PHI with them. This will help you avoid a privacy violation and penalties for failing to have a BAA.

3) Offer to enter into an appropriate confidentiality agreement. Instead of a business associate agreement, the business associate or subcontractor may propose entering into an appropriate confidentiality agreement that protects the covered entity while avoiding the full liability or regulatory obligations of a business associate agreement.

Covered entities and business associates may be penalized if they fail to enter into a business associate agreement where one is required, and the penalties can be severe. For example, a group of physicians in Florida paid a $500,000 fine for failing to enter into a business associate agreement with its billing company. Following the impermissible posting of PHI on its website, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) sanctioned the group for failing to take appropriate steps to safeguard PHI, including failing to enter into a business associate agreement with the billing company.

With respect to what it means to have "routine access" to [PHI] for purposes of determining which types of data transmission services are business associates versus mere conduits, such a determination will be fact-specific, depending on the nature of the services provided and the extent to which the entity needs access to [PHI] in order to perform the service for the covered entity.