A counterparty agreement may authorize a counterparty to make the use and disclosure of PHI that the covered entity is authorized to do itself in accordance with the HIPAA data protection rule. See 45 C.F.R. 164.504 (e). In addition, the data protection rule allows a counterparty to enter into an agreement authorizing a consideration (for example). B an EO) to: (1) Phi for the proper management and management of the counterparty in accordance with the 45 C.F.R. and (2) to provide data aggregation services in relation to the health activities of the covered institutions for which it has entered into agreements. In most cases, the authorized uses and advertisements established by a counterparty agreement vary depending on the functions or services that the counterparty must provide to the entity concerned. Similarly, the counterparty agreement between a covered entity and an HIO E depends on a number of factors, such as. B.dem the purpose of the electronic exchange of information that the HIO is supposed to manage, the specific functions or services that the E HIO must perform for the covered entity and any other legal obligation that an HIO may have with regard to the PHI. For example, counterparty agreements between covered companies and an IMO may authorize the HIO: c) the accounting of data.

Business Associate undertakes to maintain the documentation of the information necessary to provide a presentation of the PHI data in accordance with 45 C.R. 164.528 and to provide this information at the request of the insured unit of the insured unit, so that the unit concerned can respond to a person`s request. This accounting is limited to data provided in the six (6) years prior to the request (excluding information provided prior to the date of compliance with the data protection rule). This accounting is also limited to information provided in the three (3) years prior to the application (without any indication prior to the date of compliance with the data protection rule), as the purpose of this accounting is to authorize the insured unit to respond to a request for payment of PHI data through an electronic health protocol. , as the term is defined in Section 13400 of HITECH, made to perform treatment, payment and health care operations as intended in 45 C.F.R. No. 164,506. Notwithstanding the above, such accounting should only be kept to the extent that the counterparty holds the PHI. When an individual requests information directly from Business Associate, Business Associate forwards the request and disclosure file to the covered unit within 15 business days of receiving the person`s request.

The covered unit is responsible for preparing and making accounting available to the individual. Unless legally binding, Business Associate will not make a tally of its information directly available to an individual. HHS confirmed that the «management and management» exception does not apply to data extraction for the counterparty`s own needs: even in situations where HIPAA would allow the use of PHI, a covered company may, voluntarily or not, limit the prerogative to use the PHI without the patient`s permission by agreeing differently with the patient.

Category : Sin categoría