[Option 2 – Refer to an underlying service contract, for example.B. “to the extent necessary to provide the services defined in the service agreement.”] OCR`s investigation showed that ACH never entered into a counterparty agreement with the person providing billing medical services for ACH, as requested by HIPAA, and did not adopt a directive requiring counterparty agreements until April 2014. Although in service since 2005, ACH had not conducted a risk analysis prior to 2014, nor had it implemented any security measures or other HIPAA written guidelines or procedures[i]. . . .