Business Associate Agreement Vs Data Use Agreement

Avoid unnecessary counterpart arrangements. Unfortunately, many covered companies or counterparties request counterparty agreements out of ignorance or caution, even if these agreements are not technically necessary. Companies should avoid implementing unnecessary counterpart arrangements; doing so may subject them to contractual obligations that they would not have without the agreement, including compliance fees that otherwise do not apply; restrictions on the use or disclosure of information; and damages for non-compliance. In addition, by implementing unnecessary counterparty arrangements, the entity may inappropriately admit that it is a counterparty, exposing it to penalties for non-compliance with HIPAA. In order to avoid such situations, undertakings invited to conclude unnecessary counterparty agreements may react in the following way:

Avoid counterparty obligations. Given compliance costs and non-compliance penalties, companies may wish to avoid becoming a “counterparty” or executing counterparty agreements where possible. The following individuals are not business partners and may correctly object to the execution of a counterparty agreement:

If a Stanford researcher is the recipient of a limited set of data from a non-Stanford source, the Stanford researcher may be asked to sign the other party's DUA. In this case, the Stanford researcher should consult with the relevant contract office to determine whether it is largely compliant with the Stanford DUA.

(OCR Business Associate Guidance, available at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html). This derogation applies only to the extent that the healthcare provider uses the PHI for therapeutic purposes; it would not apply if the healthcare provider uses the information to perform other functions on behalf of the covered company.

“For example, a hospital may benefit from the services of another healthcare provider to support the training of medical students at the hospital. In this case, a counterpart contract would be required before the hospital could provide access to the healthcare provider.” (OCR FAQ).

However, even in this example, the hospital and the physician would not need a counterpart agreement if they were members of an OHCA.

As regards what it means to have “routine access” to [PHI] in order to determine which types of data transmission services are counterparties rather than simple channels, such a determination will be specific to the facts, depending on the type of services provided and the extent to which the undertaking needs access to [PHI] in order to provide the service to the undertaking concerned. The conduit exception is narrow and is only intended to exclude companies that provide simple courier services, such as the United States Postal Service or United Parcel Service, and their electronic equivalents, such as Internet Service Providers (ISPs), which offer pure data transmission services. . . .