(2) Implementation specifications: counterparty contracts. A contract between the insured company and a counterparty must: (a) Individual right of copying or inspection. To the extent that Business Associate or its agents or subcontractors manage PHI in a designated registration package, Business Associate will send this request in writing to the covered unit within 15 business days if a person requests direct access to the business partner. The covered entity is responsible for any decision regarding the granting or denial of a person's PHI application, and Business Associate will not make such decisions. Unless required by law, only the covered entity, in accordance with such a requirement, will release the PHI to an individual and be responsible for it. (65 F.R. 82644). Similarly, the OCR FAQs confirm that a business partner cannot use PHI for its own marketing purposes. Data aggregation.
Business Associate has the right, for data aggregation, to use, disclose and combine PHI created or received by Business Associate on behalf of Covered Entity with protected health information, in the sense of 45 C.F.R. 160.103, received by the counterparty in its capacity as counterparty to other covered companies, as long as this is authorized by HIPAA rules, in order to enable the analysis of the health care data of the companies concerned, the "business associates" and "covered entities" having the meaning given to them in 45 C.F.R. 160.103. Answer: We agree that protected health information should only be used by counterparties for the purposes of the counterparty contract. We address the problem of data extraction by requiring that the counterparty contract explicitly identify the uses or disclosures that the business partner is authorized to make with protected health information. With the exception of information relating to data aggregation and counterparty management, the counterparty contract cannot authorize any use or disclosure that the entity concerned cannot make itself. Therefore, data mining by the counterparty for purposes not specified in the contract constitutes an infringement and a reason for termination of the contract by the company concerned. Can a Health Information Organization (HIO), which works as a business partner in a HIPAA covered unit, decrypt information and use it for its own purposes? De-identified information. Business Associate may identify all PIs created or received by Business Associate at any location under this Agreement and use all of this unidentified data in accordance with HIPAA de-identification requirements.
disclosure of health information protected by a company or counterparty concerned, provided that the entity or covered counterparty receives, directly or indirectly, compensation from the beneficiary or on behalf of the beneficiary of the protected health information in exchange for protected health information. (i) the definition of the uses and protected health information authorized and necessary by the counterparty. The contract must not allow the counterparty to use or disclose the information in a manner that would be contrary to the requirements of the HIPAA data protection rule when implemented by the covered entity, except: NOTE: The Office of Legal Affairs recommends this contract/indication of "protected health information" (PHI) that will be disclosed to companies and contains a specific explanation of how PHI is used and who is being transferred. All agreements/contracts must be verified by the Legal Office. The Legal Office can be contacted by email (210) 567-2020 to help you answer questions. Comment: One commentator recommended that the business contract focus specifically on the issue of data extraction, as there is increasing dissemination within and outside of health.