Business associate contracts. The contract of a covered entity, or any other written agreement with its business associate, contains the elements specified in 45 CFR 164.504(e). The contract must, for example, describe the permitted and required uses of protected health information by the business associate; provide that the business associate will not use or further disclose protected health information other than as permitted or required by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent a use or disclosure of protected health information that is not provided for by the contract. If a covered entity knows of a material breach or violation of the contract or agreement by the business associate, the covered entity is required to take reasonable steps to cure the breach or end the violation and, if such steps are unsuccessful, to terminate the contract or agreement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Please consult our standard business associate contract. (OCR Guidance at www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.pdf). In the context of health information organizations ("HIOs"), the OCR published the following FAQ (emphasis added). Thus, HIPAA identifies two exceptions in which the business associate can use PHI for its own purposes without the patient's permission: (1) performing data aggregation services and (2) the proper management and administration of the business associate. (65 F.R. 82505-06).
A HIO may only use or disclose protected health information (PHI) as a business associate in accordance with its business associate agreement with the covered entity. See 45 C.F.R. 164.504(e). The process of de-identifying PHI is a use of PHI. Therefore, a HIO may only de-identify PHI on behalf of a covered entity as long as the business associate agreement authorizes the HIO to do so. However, once the PHI has been de-identified in accordance with the HIPAA Privacy Rule, it is no longer PHI and can therefore be used and disclosed by the covered entity or the HIO for any purpose (subject to other applicable law). [The parties may add additional specifics regarding the business associate's breach notification obligations, such as, for example, a stricter timeframe for the business associate to report a potential breach to the covered entity, and/or whether the business associate will handle breach notifications to individuals, the HHS Office for Civil Rights (OCR), and potentially the media on behalf of the covered entity.] (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate as provided in paragraph (4) of this section; and, in particular, provides notice that HHS, for the duration of the COVID-19 public health emergency, will not take enforcement action against uses and disclosures by business associates for public health and health oversight activities during that emergency, provided the business associate follows these parameters (65 F.R. 82644).
Similarly, the OCR's FAQs confirm that a business associate cannot use PHI for its own marketing purposes: [Option 2 – if the agreement authorizes the business associate to use or disclose protected health information for its own management and administration or to carry out its legal responsibilities, and the business associate needs to retain protected health information for these purposes after termination of the agreement] business associates may use a covered entity's protected health information (PHI) for their own purposes, e.g., for product development, data aggregation, marketing, etc.