9. Not to enter into counterparty agreements with subcontractors who establish or receive PHI on their behalf and not to comply with the specifications for the implementation of such agreements. Answer: No.A provider whose work is not an integral part of your health services and who may stumble upon PHI by chance is not a business partner. However, you need to make sure you follow your own policies to preserve patient privacy and safety – use „safety precautions“ such as locking drawers, covering screens, and shredding information on paper to minimize accidental disclosures. It is in your primary interest to have an agreement, as all three classifications are responsible for the protection of PHI. Direct employees of this organization do not need to sign a BAA, as they are part of your organization and are not considered business partners. This means that they are still covered by HIPAA laws. As an employer, you are responsible for training your employees on how to maintain the integrity and sanctity of protected health information. . . .