Some of them have adopted a «Better Safe than-Sorry» approach to address their definition problems and have entered into agreements with all the companies with which they have business relationships, whether they were necessary or not. Recent studies funded by the California Healthcare Foundation have shown that many companies have refused to unnecessarily enter into agreements with other covered companies and have also entered into agreements with providers who did not have access to PHI and would probably never do so. In one case, a covered company required its landscaper to sign a DE LIPPA counterparty agreement. A health insurance issuer is an insurance company (such as Anthem), an insurance service, or an insurance organization (including an ORGANIZATION) that is licensed for insurance business in a state and is subject to the law of the state that governs insurance. A health insurance issuer is not a hipAA-defined group health plan. The counterparty agreement ensures that there is a custody chain for PHI. A supplier of a HIPC enterprise must enter into a contract with the covered entity and a subcontractor engaged by a counterparty is also required to enter into such a contract. A subcontractor is a business partner of a counterparty and is not covered by the BA/Covered Entity contract. Before allowing access to PHI, a separate contract must be signed.

The chain can be long and the further ePHI is from the covered entity, the greater the potential for breach of the HIPC counterparty agreement. Exception: Employers with fully insured health insurance are generally not required to purchase HIPAA BAAS. For more information, see our previous FAST on this subject: (78 FR 5574). These «reasonable assurances» can be obtained through a limited confidentiality agreement; a full counterparty agreement is not required. (J) In the event of termination of the contract, to return or destroy, to the extent possible, all protected health information received or produced by the counterparty by the counterparty on behalf of the covered business that the counterparty still maintains in any form whatsoever, and do not keep copies of such information or, if such return or destruction is not possible, to extend the protection of the contract to information and to limit uses and disclosures to those purposes that make it impossible to return or destroy the information.