Is A Business Associate Agreement Required Between Two Covered Entities?

The data protection rule treats all organisations that offer accreditation services to covered companies in the same way. The Department was not persuaded by the comments that accreditation bodies acting under the authority of a government agency should be treated differently under the rule and exempted from the conditions applicable to other such relationships. However, the Department understands concerns about charges related to the requirements of the counterparty contract. The Ministry clarifies that the rules applicable to counterparties can be fulfilled by standard forms of contract that may require little or no modification for each entity covered. As an alternative to the counterparty agreement, these final amendments allow a covered company to disclose a limited set of protected health information, including direct identifiers, for accreditation and other health purposes subject to a data use agreement. See § 164.514(e).

Answer: As explained below, a subcontractor that produces, receives, maintains, or transmits protected health information on behalf of a counterparty, including with respect to personal health record functions, is a counterparty to the HIPC and is therefore subject to the PPTEA's infringement notification rule and not the FTC's. The analysis of whether a subcontractor is acting on behalf of a counterparty is the same analysis as above in determining whether a counterparty is acting on behalf of a covered entity.

3) Offer to implement an appropriate confidentiality agreement. Instead of a counterparty agreement, the counterparty or subcontractor may propose to enter into an appropriate confidentiality agreement that protects the covered entity, while avoiding the full liability or regulatory liabilities of a counterparty agreement.

Answer: The Department does not change the rule in this regard.

The data protection rule must not interfere with the privilege of a lawyer. The Ministry also does not believe that it will be necessary for the Secretary to have access to privileged material to resolve a complaint or investigate a breach of the confidentiality rule. However, the Department does not consider it appropriate to exempt lawyers from the requirements imposed on business partners.