o Ensure that all subcontractors who produce, receive, maintain or transfer protected health information on behalf of the counterparty accept the same restrictions and conditions as those applicable to the counterparty with respect to such information; According to the law, the HIPC data protection rule only applies to covered companies – health plans, clearing houses for healthcare and certain healthcare providers. However, most health care providers and health plans do not perform all of their health activities and functions themselves. Instead, they often use the services of a large number of other people or companies. The data protection rule allows covered providers and health plans to disclose protected health information to these „counterparties“ when suppliers or plans receive satisfactory assurances that the counterparty uses the information only for the purposes for which it was mandated by the covered entity, protects the information from abuse and helps the covered company to meet some of the obligations of the covered company, in accordance with r to comply with the data protection rule. The undertakings concerned may disclose protected health information to an undertaking acting in its capacity as counterparty only to assist the entity concerned in the performance of its health functions, for the use or for purposes independent of the counterparty, unless this is necessary for the proper management and management of the counterparty. Exceptions to the Business Associate Standard. In addition, counterparties must enter into agreements with subcontractors with a counterparty that creates, receives, maintains or transmits protected health information on behalf of another counterparty. A counterparty to a subcontractor must meet the same requirements as those applicable to contracts or other agreements between a covered entity and a counterparty. General provision. The data protection rule requires that a covered entity receive satisfactory assurances from its counterparty that the counterparty adequately protects the protected health information it receives or produces on behalf of the covered entity.

Satisfactory assurances must be made in writing, whether in the form of a contract or other agreement between the covered entity and the counterparty.