Answer: We agree that protected health information should only be used by counterparties for the purposes of the counterparty contract. We address the problem of data extraction by requiring that the counterparty contract explicitly identify the uses or disclosures that the counterparty is authorized to make with protected health information. With the exception of information relating to data aggregation and counterparty management, the counterparty contract cannot authorize any use or disclosure that the entity concerned cannot make itself. Therefore, data mining by the counterparty for purposes not specified in the contract constitutes an infringement and a reason for termination of the contract by the entity concerned. A counterparty agreement may authorize a counterparty to make the uses and disclosures of PHI that the covered entity is itself authorized to make in accordance with the HIPAA data protection rule. See 45 C.F.R. 164.504(e). In addition, the data protection rule allows a counterparty agreement to authorize a counterparty (for example, an HIO) to: (1) PHI for the proper management and administration of the counterparty in accordance with 45 C.F.R.; and (2) provide data aggregation services in relation to the health activities of the covered institutions with which it has entered into agreements. In most cases, the authorized uses and disclosures established by a counterparty agreement vary depending on the functions or services that the counterparty must provide to the entity concerned.

Similarly, the counterparty agreement between a covered entity and an HIO depends on a number of factors, such as the purpose of the electronic exchange of information that the HIO is supposed to manage, the specific functions or services that the HIO must perform for the covered entity, and any other legal obligation that an HIO may have with regard to the PHI. For example, counterparty agreements between covered companies and an HIO may allow the HIO to avoid unnecessary counterparty agreements. Unfortunately, many covered companies or counterparties seek counterparty agreements out of ignorance or precaution, even if these agreements are not technically necessary. Entities should avoid executing unnecessary counterparty agreements: by signing, they submit to contractual commitments that they would not have but for the agreement, including compliance costs that would not otherwise apply; restrictions on use or disclosure; and damages in case of non-compliance. In addition, by executing unnecessary counterparty agreements, the entity may improperly admit that it is a counterparty and thus expose itself to HIPAA penalties for non-compliance. To avoid such situations, companies that are asked to execute unnecessary counterparty agreements may consider responding as follows: ask them instead to sign a confidentiality agreement. We include these points in the confidentiality agreements we offer our customers: avoid the requirements of business partners. Given the cost of compliance and the penalties for violations, companies may want to avoid becoming a “counterparty” or executing counterparty agreements if possible.