We also add to the final rule a language that states that the mere fact that two covered institutions participate in organized health care does not make any of the covered companies a consideration of the other covered entity. The fact that entities participate in shared health operations or other common activities, or pursue common goals through a common activity, does not mean that one party performs a function or activity on behalf of the other party (or provides a specific benefit for or for the other party). The proposed extension of the rules to subcontractors was intended to prevent the protection of the privacy and security of protected health information from falling into disrepair only because a function is performed by a company that is a subcontractor and not by a company with a direct relationship to a covered company. Authorizing such a data protection and security breach could allow trading partners to avoid liability under paragraphs 13401 and 13404 of the Act. In addition, the direct application to subcontractors of HIPAA`s data protection and security requirements ensures that the data protection and security of HIPAA rules is extended, beyond covered companies, to entities that produce or receive protected health information so that the relevant agency can carry out its health missions. That is why we have proposed that downstream companies that work on instruction or on behalf of a counterparty and deal with protected health information should also be required to comply with existing data protection and security rules in the same way as the main counterpart and also be held accountable for violations. With respect to statements between covered organizations participating in an organized health care agreement, the department states that no matching contract is required as long as disclosure relates to the common activities of the OHCA. It is extremely important to stress that OHCA`s goal is exclusively to respect HIPAA. Each component remains responsible for its own actions. In other words, separate units, a separate risk.
Answer: The Department does not consider that there is a conflict between the data protection rule and the retention obligations of the Bank Secrecy Act, or that the data protection rule would prevent a financial institution that is a counterparty to an insured company from complying with the Bank Secrecy Act.