§ 164.504 Uses and disclosures: organizational requirements.
(a) Definitions. As used in this section:
Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity.
Common ownership exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.
Health care component has the following meaning:
(1) Components of a covered entity that perform covered functions are part of the health care component.
(2) Another component of the covered entity is part of the entity's health care component to the extent that:
(i) It performs, with respect to a component that performs covered functions, activities that would make such other component a business associate of the component that performs covered functions if the two components were separate legal entities; and
(ii) The activities involve the use or disclosure of protected health information that such other component creates or receives from or on behalf of the component that performs covered functions.
Hybrid entity means a single legal entity that is a covered entity and whose covered functions are not its primary functions.
Plan administration functions means administration functions performed by the plan sponsor of a group health plan on behalf of the group health plan and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor.
Summary health information means information, that may be individually identifiable health information, and:
(1) That summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan; and
(2) From which the information described at § 164.514(b)(2)(i) has been deleted, except that the geographic information described in § 164.514(b)(2)(i)(B) need only be aggregated to the level of a five digit zip code.
(b) Standard: health care component. If a covered entity is a hybrid entity, the requirements of this subpart, other than the requirements of this section, apply only to the health care component(s) of the entity, as specified in this section.
(c)(1) Implementation specification: application of other provisions. In applying a provision of this subpart, other than this section, to a hybrid entity:
(i) A reference in such provision to a "covered entity" refers to a health care component of the covered entity;
(ii) A reference in such provision to a "health plan," "covered health care provider," or "health care clearinghouse" refers to a health care component of the covered entity if such health care component performs the functions of a health plan, covered health care provider, or health care clearinghouse, as applicable; and
(iii) A reference in such provision to "protected health information" refers to protected health information that is created or received by or on behalf of the health care component of the covered entity.
(2) Implementation specifications: safeguard requirements. The covered entity that is a hybrid entity must ensure that a health care component of the entity complies with the applicable requirements of this subpart. In particular, and without limiting this requirement, such covered entity must ensure that:
(i) Its health care component does not disclose protected health information to another component of the covered entity in circumstances in which this subpart would prohibit such disclosure if the health care component and the other component were separate and distinct legal entities;
(ii) A component that is described by paragraph (2)(i) of the definition of health care component in this section does not use or disclose protected health information that is within paragraph (2)(ii) of such definition for purposes of its activities other than those described by paragraph (2)(i) of such definition in a way prohibited by this subpart; and
(iii) If a person performs duties for both the health care component in the capacity of a member of the workforce of such component and for another component of the entity in the same capacity with respect to that component, such workforce member must not use or disclose protected health information created or received in the course of or incident to the member's work for the health care component in a way prohibited by this subpart.
(3) Implementation specifications: responsibilities of the covered entity. A covered entity that is a hybrid entity has the following responsibilities:
(i) For purposes of subpart C of part 160 of this subchapter, pertaining to compliance and enforcement, the covered entity has the responsibility to comply with this subpart.
(ii) The covered entity has the responsibility for complying with § 164.530(i), pertaining to the implementation of policies and procedures to ensure compliance with this subpart, including the safeguard requirements in paragraph (c)(2) of this section.
(iii) The covered entity is responsible for designating the components that are part of one or more health care components of the covered entity and documenting the designation as required by § 164.530(j).
(d)(1) Standard: affiliated covered entities. Legally separate covered entities that are affiliated may designate themselves as a single covered entity for purposes of this subpart.
(2) Implementation specifications: requirements for designation of an affiliated covered entity. (i) Legally separate covered entities may designate themselves (including any health care component of such covered entity) as a single affiliated covered entity, for purposes of this subpart, if all of the covered entities designated are under common ownership or control.
(ii) The designation of an affiliated covered entity must be documented and the documentation maintained as required by § 164.530(j).
(3) Implementation specifications: safeguard requirements. An affiliated covered entity must ensure that:
(i) The affiliated covered entity's use and disclosure of protected health information comply with the applicable requirements of this subpart; and
(ii) If the affiliated covered entity combines the functions of a health plan, health care provider, or health care clearinghouse, the affiliated covered entity complies with paragraph (g) of this section.
(e)(1) Standard: business associate contracts. (i) The contract or other arrangement between the covered entity and the business associate required by § 164.502(e)(2) must meet the requirements of paragraph (e)(2) or (e)(3) of this section, as applicable.
(ii) A covered entity is not in compliance with the standards in § 164.502(e) and paragraph (e) of this section, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:
(A) Terminated the contract or arrangement, if feasible; or
(B) If termination is not feasible, reported the problem to the Secretary.
(2) Implementation specifications: business associate contracts. A contract between the covered entity and a business associate must:
(i) Establish the permitted and required uses and disclosures of such information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:
(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and
(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.
(ii) Provide that the business associate will:
(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;
(B) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
(C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;
(D) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information;
(E) Make available protected health information in accordance with § 164.524;
(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526;
(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;
(H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance with this subpart; and
(I) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
(iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
(3) Implementation specifications: other arrangements. (i) If a covered entity and its business associate are both governmental entities:
(A) The covered entity may comply with paragraph (e) of this section by entering into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (e)(2) of this section.
(B) The covered entity may comply with paragraph (e) of this section, if other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (e)(2) of this section.
(ii) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in § 160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph (e), provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(3)(i) of this section, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained.
(iii) The covered entity may omit from its other arrangements the termination authorization required by paragraph (e)(2)(iii) of this section, if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.
(4) Implementation specifications: other requirements for contracts and other arrangements. (i) The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the information received by the business associate in its capacity as a business associate to the covered entity, if necessary:
(A) For the proper management and administration of the business associate; or
(B) To carry out the legal responsibilities of the business associate.
(ii) The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if:
(A) The disclosure is required by law; or
(B)(1) The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person; and
(2) The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached.
(f)(1) Standard: requirements for group health plans. (i) Except as provided under paragraph (f)(1)(ii) of this section or as otherwise authorized under § 164.508, a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart.
(ii) The group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose summary health information to the plan sponsor, if the plan sponsor requests the summary health information for the purpose of:
(A) Obtaining premium bids from health plans for providing health insurance coverage under the group health plan; or
(B) Modifying, amending, or terminating the group health plan.
(2) Implementation specifications: requirements for plan documents. The plan documents of the group health plan must be amended to incorporate provisions to:
(i) Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this subpart.
(ii) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to:
(A) Not use or further disclose the information other than as permitted or required by the plan documents or as required by law;
(B) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information;
(C) Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor;
(D) Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware;
(E) Make available protected health information in accordance with § 164.524;
(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526;
(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;
(H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the group health plan available to the Secretary for purposes of determining compliance by the group health plan with this subpart;
(I) If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and
(J) Ensure that the adequate separation required in paragraph (f)(2)(iii) of this section is established.
(iii) Provide for adequate separation between the group health plan and the plan sponsor. The plan documents must:
(A) Describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the protected health information to be disclosed, provided that any employee or person who receives protected health information relating to payment under, health care operations of, or other matters pertaining to the group health plan in the ordinary course of business must be included in such description;
(B) Restrict the access to and use by such employees and other persons described in paragraph (f)(2)(iii)(A) of this section to the plan administration functions that the plan sponsor performs for the group health plan; and
(C) Provide an effective mechanism for resolving any issues of noncompliance by persons described in paragraph (f)(2)(iii)(A) of this section with the plan document provisions required by this paragraph.
(3) Implementation specifications: uses and disclosures. A group health plan may:
(i) Disclose protected health information to a plan sponsor to carry out plan administration functions that the plan sponsor performs only consistent with the provisions of paragraph (f)(2) of this section;
(ii) Not permit a health insurance issuer or HMO with respect to the group health plan to disclose protected health information to the plan sponsor except as permitted by this paragraph;
(iii) Not disclose and may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor as otherwise permitted by this paragraph unless a statement required by § 164.520(b)(1)(iii)(C) is included in the appropriate notice; and
(iv) Not disclose protected health information to the plan sponsor for the purpose of employment-related actions or decisions or in connection with any other benefit or employee benefit plan of the plan sponsor.
(g) Standard: requirements for a covered entity with multiple covered functions.
(1) A covered entity that performs multiple covered functions that would make the entity any combination of a health plan, a covered health care provider, and a health care clearinghouse, must comply with the standards, requirements, and implementation specifications of this subpart, as applicable to the health plan, health care provider, or health care clearinghouse covered functions performed.
(2) A covered entity that performs multiple covered functions may use or disclose the protected health information of individuals who receive the covered entity's health plan or health care provider services, but not both, only for purposes related to the appropriate function being performed.