General provision. The data protection rule requires that a covered entity receive satisfactory assurances from its counterparty that the counterparty adequately protects the protected health information it receives or creates on behalf of the entity concerned. Satisfactory assurances must be made in writing, either in the form of a contract or other agreement between the covered entity and the counterparty. This form applies only to the agreement between a counterparty and an insured company. Counterparties must enter into separate BAAs with their subcontractors. A lawyer may modify this form to meet the subcontractor`s BAA requirements or design a separate BAA subcontractor. The BAA defers the legal risk of the insured unit to the counterparty. A company that signs the BAA and is not a ”business associate” remains subject to contractual liability, disclosure restrictions, compliance fees and penalties for non-compliance – risks that can be discussed with a lawyer. Transitional provisions for existing contracts. Covered companies (excluding small health plans) that have entered into an existing contract (or other written agreement) with consideration prior to October 15, 2002 may continue to work under this contract beyond April 14, 2003 until an additional year, unless the contract is extended or amended before April 14, 2003. This transitional period applies only to written contracts or other written agreements. Oral contracts or other agreements are not eligible for the transitional period. As part of these contracts with their counterparts, covered companies that are entitled to enter into contracts may continue to work with their counterparties until April 14, 2004 or until the renewal or modification of the contract, depending on whether the date is earlier, whether or not the contract meets the existing contractual requirements of Rule 45 CFR 164.502 (e) and 164,504 (e).
A covered company must also comply with the data protection rule, for example. B only provide authorized information to the counterparty and allow individuals to exercise their rights in accordance with the rule. See 45 CFR 164.532 (d) and (e). [Option 1 – if the counterparty is to return or destroy all protected health information after the termination of the contract] In practice, business partners must train their staff under HIPAA rules.