As Business Associate Agreement in particular in the provision of services or technologies to a covered company (for example. B a hospital) or a business partner other than the subcontractor (for example. B a PaaS provider like Datica), counterparties process, process, transfer or interact in some way with protected electronic health information (e-PHI) of these companies. With this PHI access, all business partners must sign a Business Associate Agreement (BAA). The BAA is a legal contract that describes how the business partner joins HIPAA, as well as the responsibilities and risks it assumes. Transitional provisions for existing contracts. Covered companies (excluding small health plans) that have entered into an existing contract (or other written agreement) with consideration prior to October 15, 2002 may continue to work under this contract beyond April 14, 2003 until an additional year, unless the contract is extended or amended before April 14, 2003. This transitional period applies only to written contracts or other written agreements. Oral contracts or other agreements are not eligible for the transitional period.

As part of these contracts with their counterparts, covered companies that are entitled to enter into contracts may continue to work with their counterparties until April 14, 2004 or until the renewal or modification of the contract, depending on whether the date is earlier, whether or not the contract meets the existing contractual requirements of Rule 45 CFR 164.502 (e) and 164,504 (e). A covered company must also comply with the data protection rule, for example. B only provide authorized information to the counterparty and allow individuals to exercise their rights in accordance with the rule. See 45 CFR 164.532 (d) and (e). 2.2 Consideration activity. Business Associate may: (a) in accordance with the restrictions and requirements of the HIPAA rules, the protected health information in its possession, use and disclose it for its proper administration and administration, and fulfill all present or future legal responsibilities of the counterparty; b) identifying PHIs to deidentify and using or disclosing information ended in accordance with HIPAA rules, and (c) use of the company`s aggregated data covered in combination with aggregated data from other seized companies, that Business Associate has its ability as a business partner with other seized companies to generate analysis, reports, policies, best practices and other materials that do not identify the registered unit. In addition to the provisions required by HIPAA, some may include additional safeguards.