[Optional] The covered entity cannot ask the counterparty to use or disclose protected health information in a manner that would not be authorized under Part E of 45 CFR Part 164 if this is done by an insured company. [include an exception if the counterparty uses or discloses protected health information and the agreement contains provisions relating to data aggregation, management and management, as well as the legal responsibilities of the counterparty.] (a) counterparties. “counterparty” generally has the same meaning as the term “counterpart” for 45 CFR 160.103 and means, with respect to the party in this agreement, the party to the agreement [insert the name of the consideration]. Each party in the chain is legally and contractually obligated to protect the PHI and manage it to the same extent as the obligations of the company covered at the top of the chain. Therefore. B, if a covered company is a hospital and that hospital has a 24-hour injury report, each link (or business partner) of that chain must also report the injury report 24 hours a day in its BAAs. [Option 2 – Reference to an underlying service agreement, z.B.” “as necessary to provide the services defined in the service agreement.”] After the end of this agreement for some reason, Business Associate is returned to covered companies [or, if agreed by covered companies, destroying] any health information protected by companies covered, or created, maintained, or received by trading partners on behalf of the covered entity that the counterparty still manages in any form. The counterparty must not keep copies of the protected health information. When an organization is active in the health sector, whether as a provider, organization, consultant, provider or in any other function, it is very likely that HIPAA will apply to internal operations and relationships with other parties. As everyone knows, the party providing the service is a business partner when a relationship is established with a party providing services for or on behalf of an insured business (i.e., a health care provider, a public health plan or a health clearing house). Once a party is a trading partner, a business association agreement (BAA) is required. Indeed, the BAA is not only necessary, but mandatory and must be present before protected health information is disclosed.
HHS can monitor AABs and subcontractors to verify HIPAA compliance, not just covered companies. This means that organizations must have a Trade Association Agreement (BAA) for all three levels in order to meet HIPAA requirements.