The definition also states that a counterparty may be a covered entity and that counterparties exclude a person who is part of the staff of the covered enterprise. As a general rule, under that provision, acts relating to a person`s protected health information performed by a counterparty are considered to be acts of the classified entity for the purposes of this Rule, although the entity concerned is not subject to sanctions under that rule unless it has knowledge of the illegal activity and does not take the necessary measures; to repair faults. For example, where a counterparty manages the medical records or claims system of a covered company, the company concerned is presumed to have protected health information and the company concerned must ensure that the persons who are the subject of the information can have access to it under article 164.524. Answer: As explained below, a subcontractor that produces, receives, maintains, or transmits protected health information on behalf of a counterparty, including with respect to personal health record functions, is a counterparty to the HIPC and is therefore subject to the PPTEA`s infringement notification rule and not the FTC`s. The analysis of whether a subcontractor is acting on behalf of a counterparty is the same analysis as above in determining whether a counterparty is acting on behalf of a covered entity. In accordance with the law, we have proposed to amend the definition of «business partners» to explicitly designate these persons as business partners. In particular, we proposed to include in the definition: (1) a health information organisation, an eprescribing gateway or another person providing data transmission services concerning protected health information to a relevant unit and requiring regular access to such protected health information; and (2) a person offering a personal medical record to one or more persons on behalf of a covered organization. As to what it means to have «routine access» to protected health information in order to determine which types of data transmission services are counterparties to simple channels, such a provision will be specific to the facts, depending on the type of services provided and the extent to which the company needs access to protected health information to provide the service to the company concerned. The exception conducted is narrow and is only intended to exclude companies that provide simple courier services, such as the United States. Postal Service or United Parcel Service and its electronic equivalents, such as. B Internet Service Providers (ISPs), which offer data transmission services. As mentioned in the previous instructions, a conduit carries information, but does not access it, except by chance or rarely, if this is necessary for the provision of the transport service or as required by other laws. For example, a telecommunications company may have occasional and random access to protected health information when it verifies that data transmitted over its network is reaching its intended destination.
Such occasional and random access to protected health information would not qualify the company as a business partner. In contrast, an entity that needs access to protected health information to perform a service for a covered entity, for example.B. a health information organization that manages the exchange of protected health information through a network on behalf of entities collected through the use of data lessor services for its subscribers (and other services) is not considered a channel and is therefore not excluded from the definition of counterparty. . .