A HIPAA counterparty agreement (business associate agreement, BAA) is a written contract detailing the responsibilities of both the covered entity and the counterparty with respect to confidential and personally identifiable health information. It is legally distinct from a confidentiality agreement. To maintain HIPAA compliance, all covered entities and counterparties must comply with HIPAA data protection standards as well as the security and breach notification rules. HIPAA rules allow covered entities to disclose protected health information (PHI) to third parties, or other persons or companies (known as business partners), in order to help the covered entity perform its health functions.
(f) [Optional] The counterparty may disclose protected health information for the proper management and administration of the counterparty or to fulfil the counterparty's legal obligations, provided that the disclosures are required by law, or that the counterparty receives reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and will be used or further disclosed only for the purposes for which it was disclosed to the person, and that the person will inform the counterparty of all cases of which it is aware in which the confidentiality of the information has been breached.
"Counterparty" means any natural or legal person who is not a member of the staff of a covered entity and who performs functions or activities on behalf of a covered entity, or provides the covered entity with certain services, that involve the counterparty's access to protected health information. A "business partner" is also a subcontractor who creates, receives, maintains or transmits protected health information on behalf of another counterparty.
Typically, HIPAA rules require covered entities and counterparties to enter into contracts with their counterparties to ensure that those counterparties adequately protect protected health information. The counterparty agreement also serves to clarify and, where appropriate, limit the counterparty's use and disclosure of protected health information, based on the relationship between the parties and the activities or services performed by the counterparty. A counterparty may use or disclose protected health information only if its counterparty agreement permits or requires it, or if required to do so by law. A counterparty is directly liable under HIPAA rules, and is subject to civil and, in some cases, criminal penalties, for any use or disclosure of protected health information that is not permitted by its contract or required by law. A counterparty is also directly liable and subject to civil penalties if it fails to protect electronic protected health information in accordance with the HIPAA security rule.
WHEREAS the Parties wish to define the conditions under which counterparties may use or disclose PHI, which allows the covered entity to meet the applicable requirements of HIPAA's data protection and security rules and the HITECH requirements applicable to counterparties. . . .