Several commentators expressed confusion about the need for matching agreements, given the direct liability provisions contained in the HITECH Act and the proposed rule. Many of these commentators suggested that all data protection requirements apply to counterparties, as is the case with the security rule. However, the final rule extends the proposed exemption for the disclosure of protected health information by a covered health care provider to another health care provider. The final rule authorizes such disclosures without a consideration agreement for all activities covered by the definition of "treatment." We agree with the commentator that the administrative burden imposed on the obligation of contracts in the privileges of thought would not be compensated by any improvements in privacy resulting from such a requirement. While the exemption for the disclosure of protected health information for treatment may be sufficient to relieve physicians and hospitals of the contractual obligation, we also believe that this arrangement does not correspond to the true meaning of "Business Associate," because both the hospital and the physician provide services to the patient and not to each other. Therefore, we also add an exception to the provisions of § 164.502(e)(1), which expressly states that a contract is not necessary if the association includes a health care facility and another health care provider with privileges in that institution, if the purpose is to provide for the individual. We have also included other exceptions in § 164.502(e)(1)(ii) to the "satisfactory insurance" requirement under § 164.502(e)(1)(i). We do not require a partnership agreement between group health plans and their plan sponsors, as other, although similar, requirements under § 164.504(f) are more suited to the specifics of this legal relationship.
We do not require association business agreements between public health plans that provide public services and other agencies that perform certain functions for the health plan, as these rules are generally severely limited by other laws. In the NPRM, we proposed to require a contract between an insured company and a consideration, with the exception of the disclosure of protected health information by a covered company that is a health care provider to another health care provider for consultation or referral. A covered company would have violated this rule if it knew, or reasonably should have known, of a substantial breach on the part of a counterparty and failed to take appropriate steps to remedy the breach or terminate the contract. In the preamble, we proposed that when a covered company acted as a counterparty to another insured business, the covered company acting as a consideration would also have been liable for breaches of the regulation.
Commentators have asked the division to authorize a single agreement rather than requiring trading partners and trading partners to enter into separate counterparty agreements and agreements.
Answer: Although compliance with GLBA requirements does not meet the requirements of HIPAA rules, covered companies may use an agreement to comply with GLBA and HIPAA rules.
Answer: The department provides the following guidelines in response to commentators. Information provided by an insured company to a researcher for research purposes, as is generally the case, does not require a matching contract. The same is true when the company in question has commissioned the researcher to conduct research on its own behalf, as research is not a covered function or activity.
