Once covered entities, business associates and subcontractors have identified their relationship, it is important to ensure that third parties protect the PHI they receive. A signed agreement proves that the BA knows that it must safeguard the PHI. HIPAA requires covered entities to work only with business associates that guarantee full protection of the PHI. These assurances must take the form of a contract or other agreement between the covered entity and the BA. (78 FR 5574). Even if no business associate agreement is required because an entity assists the business associate in its own administrative functions, HIPAA limits the use or disclosure of PHI by the entity:

2. Explain the limits of the covered entity's liability.

Some covered entities or business associates insist that business associate agreements be entered into because they mistakenly believe that they are held responsible for HIPAA violations committed by the contractor. HIPAA specifies that covered entities or business associates are only responsible for the activities of their business associates or subcontractors if the business associate or subcontractor acts as the agent of the covered entity, i.e. the covered entity has the right to control the activities of the business associate or subcontractor. (45 CFR 160.402 (c); 78 FR 5581). The parties can avoid this liability by ensuring that any contract between them clearly identifies the business associate or subcontractor as an independent contractor and not as an agent, and that the covered entity does not control the activities of the business associate or contractor. (78 FR 5581). For this reason, an excessively restrictive business associate agreement may actually work against the covered entity, since it may suggest an agency relationship or give the covered entity greater control over the contractor's activities.

A Business Associate Agreement (BAA) is a written agreement between a covered entity and a business associate (BA) in which the BA agrees to take appropriate measures to protect any PHI it receives or creates while providing services to the covered entity. The purpose of the BAA is to require BAs to give PHI the same privacy protections currently in place for covered entities, in order to protect this information from unauthorized disclosure.