(45 C.F.R. § 164.501, emphasis added). According to the regulation, the counterparty may aggregate the PHI only for the health activities of the covered entity, and not for the counterparty's own needs. The HHS commentary explains the object and scope of the exception:

Conclusion. PHI in the hands of the counterparty remains protected. The general rule remains that a business partner may not use the PHI for its own purposes without the patient's permission. In order to use PHI for its own purposes, the counterparty must ensure that the BAA authorizes the use or authorizes the counterparty to use the PHI to perform a function on behalf of the covered entity, must use it under the relatively limited "management and administration" exception, or must secure the patient's authorization.

Recognition of HIPAA obligations and other provisions relating to the implementation of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. § 1320(d)) ("HIPAA"). The Parties acknowledge that federal rules regarding the privacy of identifiable health information require relevant companies to comply with the data protection standards adopted by the U.S. Department of Health, as amended from time to time, 45 C.F.R. Parts 160 and 164, Subsections A and E ("the Data Protection Rule"), and the security standards adopted by the U.S. Department of Health, as they may be modified from time to time, 45 C.F.R. Parts 160, 162 and 164, Subdivision C ("the Safety Rule"). Together, the Data Protection Rule and the Safety Rule are referred to as the "HIPAA rules." The HIPAA rules and all applicable state privacy laws require Covered Entity to have a counterparty that receives confidential information in connection with the provision of services on behalf of the covered entity comply with certain obligations regarding the confidentiality of health information. . . .