1. Entities that do not create, receive, receive or transmit PHI. If you want to avoid counterparty obligations, the safest thing to do is to make sure that you are not dealing with PHI on behalf of a hedged company or a counterparty of a hedged company. Accidental receipt or random access to PHI outside of your contractual business obligations does not trigger obligations for counterparties. The OCR said that once hedged companies, counterparties and counterparty subcontractors have identified their relationship, it is necessary to ensure that third parties protect the PHI they receive. A signed agreement certifies that the BA knows that it must manage PHI safely. Counterparty agreements are not optional! HIPAA requires you to sign the BAA with your partner before sharing a PHI with them. This will help you avoid a privacy violation and penalties for failing to have a BAA. As regards what it means to have `routine access` to [PHI] in order to determine which types of data transmission services are counterparties to simple channels, such a provision will be specific to the facts, depending on the type of services provided and the extent to which the undertaking needs access to [PHI] in order to provide the service to the undertaking concerned. The exception conducted is narrow and is intended to exclude only companies that offer pure courier services, such as the U.S. Postal Service or the United Parcel Service and its electronic equivalents, such as Internet Service Providers (ISPs) that provide data transmission services.