(i) If a covered company and its counterpart are the two agencies of the state: A company concerned can provide protected health information without the written permission of the person, as in . 164,508 describes, or the possibility for the person to accept or oppose, as stated in . 164.510, use or disclose in the situations described in this section, subject to the applicable requirements of this section. If the company concerned is required in this section to inform the person of an authorized use or disclosure in this section, or if the person may consent to the use or disclosure, the information of the company concerned and the consent of the person may be given orally. (FAQ OCR). Although classifying as a staff member would help contractors circumvent counterparty obligations, covered companies may refuse to classify contractors as staff, as this may indicate that the contractor is acting as an agent of the target company, exposing the covered company to additional liability for the contractor`s actions. (see 45 CFR 160.402 (c); 78 FR 5581. (B) A covered company, which is a limited recipient of the data set and violates a data usage agreement, violates the standards, implementation specifications and requirements of the paragraph (e) of this section. j) Standard: Disclosure by whistleblowers and victims of workers` crime – (1) disclosure by informants.

A covered business is not considered a violation of the requirements of this party when a member of staff or a counterparty discloses protected health information, provided that: (OCR Business Associate Guidance, available from www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html). This exemption applies only to the extent that the health care provider uses the PPH for treatment purposes; it would not apply if the health care provider uses the information to perform other functions on behalf of the company concerned. „For example, a hospital may benefit from the services of another health care provider to assist in the training of medical students in the hospital. In this case, a matching contract would be required before the hospital could allow the health care provider access to [PHI]. (OCR FAQ). But even in this example, the hospital and the doctor would not need a business agreement if they were members of an OHCA. Avoid unnecessary counterparty agreements. Unfortunately, many covered companies or counterparties seek matching agreements out of ignorance or precaution, even if these agreements are not technically necessary. Entities should avoid the execution of unnecessary counterparty agreements. they submit to contractual commitments that they would not have, but to the agreement, including compliance costs, which do not otherwise apply; Restrictions on the use of disclosure; and damage in case of non-compliance. In addition, by implementing unnecessary counterparty agreements, the entity may improperly admit that it is a trading partner and thus expose itself to HIPAA penalties for non-compliance. To avoid such situations, companies that are invited to implement unnecessary matching agreements may consider reacting as follows: (f) Fundraising Communication – (1) Standard: Uses and Disclosures for Fundraising. Subject to the conditions of paragraph (f) (2) of this section, a company concerned may use the following protected health information for the purpose of fundraising for its own benefit or disclose it to a counterparty or institutional foundation, without an authorization being subject to the requirements of the .

164.508 corresponds: HIPAA data protection rules now apply to both companies concerned (for example. B, health care providers and health plans) than to their business partners.