`counterparty` means any natural or legal person who is not a member of the staff of a classified entity, who performs functions or activities on behalf of a classified entity or who provides the classified entity with certain services which involve the counterparty`s access to protected health information. A “business partner” is also a subcontractor who creates, receives, maintains or transmits protected health information on behalf of another counterparty. Typically, HIPC rules require companies and covered counterparties to enter into contracts with their counterparties to ensure that counterparties adequately protect protected health information. The counterparty agreement shall also aim to clarify and, where appropriate, limit the use and disclosure of health information protected by the counterparty on the basis of the relationship between the parties and the activities or services performed by the counterparty. A counterparty may only use or disclose protected health information if its counterparty agreement permits or requires it or if required to do so by law. A counterparty is directly liable in accordance with HIPC rules and is subject to civil and, in some cases, criminal penalties, for the use and disclosure of protected health information that is not permitted by its contract or imposed by law. A counterparty is also directly liable and subject to civil penalties if it has failed to protect electronically protected health information in accordance with the HIPC security rule. The counterparty shall authorize the termination of this Agreement by the covered entity if the covered entity finds that the counterparty has breached a material provision of the agreement [and that the counterparty has not cured or terminated the breach within the period specified by the covered entity]. . . .