(A) the contract may allow the counterparty to use and disclose protected health information for the proper management and administration of the counterparty covered in paragraph (4) of this section; and

A matching contract is not required with persons or entities whose functions, activities or services do not involve the use or disclosure of [PHI] and for whom access to [PHI] by these individuals would be incidental, if at all. [For example], the services that clean the offices or facilities of an insured company are not business partners, as the work they do for covered businesses does not involve the use or disclosure of [PHI] and any disclosure of [PHI] to janitorial staff in the performance of their duties (as can occur when emptying garbage cans) is limited in nature and presents itself as a by-product of their services. (OCR Frequently Asked Questions ("FAQ"), available at www.hhs.gov/ocr/privacy/hipaa/faq/index.html). Similarly, "the simple sale or provision of software to a registered business does not result in a business relationship if the seller does not have access to the [PHI] of the registered business." (Id.)

Companies wishing to avoid counterparty obligations may wish to include in their service contracts a provision confirming that PHI is not required to perform their functions and that their customers, who are registered companies or counterparties, do not make available to the company PHI (or, as explained below, unencrypted PHI) without the prior approval of the entity. (OCR FAQ).

Although classifying as a staff member would help contractors circumvent counterparty obligations, covered companies may refuse to classify contractors as staff, as this may indicate that the contractor is acting as an agent of the target company, exposing the covered company to additional liability for the contractor's actions. (See 45 CFR 160.402(c); 78 FR 5581.)

4. Condition of the matching agreement.
If the covered entity continues to insist on a counterparty agreement, the counterparty or subcontractor could minimize its commitment by conditioning a counterparty agreement on the entity's counterparty status as consideration, i.e. it assumes responsibility if and to the extent that it is a counterparty within the meaning of HIPAA. While this is an imperfect solution, it could at least allow the company to avoid regulatory sanctions if it is really not a trading partner.