A covered company may use or disclose protected health information, provided that it is informed in advance of the use or disclosure and has the opportunity to accept use or disclosure in accordance with the applicable requirements of this section, prohibit or restrict it. The company concerned may inform and request orally from the person the person`s oral consent or objection to an authorized use or disclosure in this section. Exceptions to the Business Associate Standard. The data protection rule contains the following exceptions to the Business Associate standard. See 45 CFR 164.502 (e). In these cases, an insured company is not required to enter into a counterparty contract or other written agreement until protected health information can be disclosed to the individual or legal person. b) Standard: minimum necessary – the minimum required applies. When using or displaying protected health information or requiring protected health information from another company or covered counterparty, a company or covered counterparty must make reasonable efforts to limit the protected health information to the minimum necessary to meet the purpose of use, disclosure or requirement. (A) describe staff members or categories of workers or others under the control of the plan sponsor in order to have access to protected health information to be shared, provided that any worker or person who receives protected health information on payments or other issues related to the group`s health plan as part of normal operations is included in this description; 5. Institutions acting on their behalf or on behalf of the patient. The counterparty requirements apply only to companies performing a PHI function on behalf of a covered entity or its counterparty. The entities that process POs for their own purposes are not trading partners. For example, “[a] provider who presents a right to a health plan and health plan that assesses and pays the debt acts in its own name as a secure entity and not as a “business partner” of the other.” (OCR Business Associate Guidance).
Similarly, a bank or financial institution is not a counterparty to an insured business when it “processes financial transactions managed by consumers by debit, credit or other payment card, when it conducts checks, initiates or processes electronic money transfers, or performs other activities that facilitate or directly transfer funds for the payment of health or health premiums”; In such cases, “the financial institution provides its clients with its banking or other ordinary financial transaction services; it does not perform any function or activity for or on behalf of the insured company” and is not a consideration. (Id.; 78 FR 5575; 65 FR 82476). Researchers are not business partners of covered companies, even if the researcher is tasked by the covered unit to carry out research. (78 FR 5575). “When a physician or other claimant has the privilege of the staff of an institution, neither party is a consideration based exclusively on human resource privileges, as neither party demonstrates duties or activities on behalf of the other person.” (65 en 82476). Covered companies that provide phi for the health activities of another insured company are not trading partners of the other. (65 en 82476). Finally, a company that provides services on behalf of the patient is not on behalf of the health care provider, is not a business partner (for example. B a lawyer who requests health information to represent the patient or a company that collects and interprets data on behalf of a patient).
(C) A parent, legal guardian or any other person acting at Loco parentis agrees to a confidentiality agreement between an insured care provider and the minor with respect to such care.