Historically, when BAA terms or other contractual terms conflicted with rights possible under #HIPAA, BAA terms have been deemed to hold.
E.g., famously, even though a clearinghouse is a HIPAA CE & has all the rights and obligations of a CE...
Cures presumes information sharing for permitted purposes & calls information blocking practices that inhibit such sharing.
So what happens when obligations under Cures conflict with BAA or other contractual terms?
To keep this simple, when a *patient* requests patient access rights of an HIE or a Clearinghouse, but the BAA by which data were received allows only specific actions, which do not include patient access the Actor has a choice between:
(a) Denying the request in accordance with the BAA but in contravention of Cures & enabling regulation, & being subject to information blocking penalties OR
(b) Responding to the request, supporting Cures, but potentially violating contractual obligations
It could be argued that Congress preempts private contractual law here -- that the plain intent of Congress that the nation's interest in exchange, access & use for EHI is so compelling that when private contracts conflict, the anti-infoblocking interest rules.
But this has never been adjudicated, Congress didn't explicitly preempt, and the rulemaking is silent on this issue *except* through not contemplating contractual adherence as one of the allowed exceptions.
It's a puzzle.