This document contains examples of provisions relating to counterparty agreements that help companies and covered counterparties more easily meet the contract requirements for counterparties. While these standard rules are written for the purpose of the contract between a covered entity and its counterpart, the language may be adapted for the purposes of the contract between a counterparty and a subcontractor. Some covered companies have taken a “safer than sad” approach to addressing their definitional problems, and have entered into agreements with all the companies with which they have business relationships, whether necessary or not. Recent studies funded by the California Healthcare Foundation have shown that many companies unnecessarily enter into agreements with other covered companies and also enter into agreements with suppliers who did not have access to the PHI and would probably never do so. In one case, a covered company asked its landscaper to sign a HIPAA business partnership agreement. For many covered companies, it is not always clear who is subject to a HIPAA business partnership agreement. The Department of Health and Human Services defines a counterparty as “a person or organization that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of a covered company or that provide services to a covered business.” Many creditors do not receive a PHI to perform tasks on behalf of the covered entity, but the ePHI goes through their systems. Many software solutions affect ePHI, which means that the software provider is considered a business partner. There are exceptions for entities that act as lines through which ePHI simply passes (see channel exception), although most cloud software and service providers are not exempt from compliance with HIPAAs and BAAs. (d) counterparties may not use or disclose protected health information in a manner that would be contrary to subsection E of 45 CFR Part 164 if this is done by an insured agency [if the agreement allows the counterparty to use or disclose protected health information for its own management and management and legal responsibilities, or for data aggregation services , in accordance with the optional provisions (e) (then add , with the exception of the specific uses and indications listed below.”] In the event that PHI is accessed under the responsibility of the counterparty by persons who are not authorized to post the information, the counterparty is required to notify the entity concerned of the violation and may be required to send notifications to persons whose PHI has been compromised.