Analysis by the AHIMA Policy and Government Relations Team
Uses and Disclosures: Organizational Requirements
Hybrid Entities
Standard/Specification: Healthcare Component
The discussion in this part of the Rule (§164.504) notes that, except where it is specifically noted otherwise, when dealing with a hybrid entity [see Definitions], the requirements of the Rule apply only to the healthcare component(s) of the entity. The discussion also notes that "a reference in such provision(s) to PHI refers to PHI that is created or received by or on behalf of the healthcare component of the covered entity."
Specification: Application of other Provisions
The Rule goes into some detail to note that terms like "covered entity," "health plan," "covered health care provider," and "clearinghouse," when used in requirements, specifications, and the like, apply to the covered component of the hybrid entity when that component performs the corresponding function as defined in the Rule.
Specification: Safeguard Requirements
"The covered entity that is a hybrid entity must ensure that a health care component of the entity complies with the applicable requirements of...[this Rule]." In addition, such a covered entity must ensure that:
- Its healthcare component does not disclose PHI to another component where the Rule would prohibit such a disclosure(s) if the healthcare component and the other component were separate and distinct legal entities.
- A component performing covered functions, defined in this Rule, that would make it a business associate if it were a separate and distinct legal entity, does not disclose PHI to other non-healthcare components.
- If a person performs duties for both the healthcare component, as a member of its workforce, and for a non-healthcare component, such a person must not use or disclose PHI created or received in the course of or incident to the member’s work for the healthcare component in a way prohibited by the Rule.
{Given today’s healthcare industry, the requirements on hybrid entities will require ongoing attention as the organization reorganizes and as personnel come and go from the "covered" part of the entity. The primary attention of the Rule is to PHI, and while the Rule recognizes that some components of PHI might reside outside the "covered" part of the entity, such an organization must be very careful with regard to any PHI essentially created or received in the "covered" area to ensure that PHI does not cross the line to the non-"covered" part of the entity. This issue will be addressed by the standards below.}
Standard: Affiliated Covered Entities
Section 164.504(d) indicates that "Legally separate covered entities that are affiliated may designate themselves as a single covered entity for purposes of...[this Rule]."
Specifications: Requirements for Designation of an Affiliated Covered Entity
Legally separate covered entities may designate themselves (including any healthcare component of such covered entity) as a single affiliated covered entity for purposes of this Rule, if all of the covered entities designated are under common ownership or control. The designation of an affiliated covered entity must be documented and the documentation maintained as required [see Documentation below and under Administrative Requirements].
Specifications: Safeguard Requirements
An affiliated covered entity must ensure that its use and disclosure of PHI complies with the applicable requirements of the Rule, and if it combines the functions of a health plan, healthcare provider, or healthcare clearinghouse, it must also comply with the Rule’s "Requirements for A Covered Entity with Multiple Covered Functions."
{Covered entities should examine all components of this Rule before deciding whether they should utilize the concept of affiliation permitted here. As you will see in reading the sections on Consents, Authorizations, and Notices, while affiliation might make sense for fulfilling some of the requirements, it might make it very difficult to comply with others. Each requirement should be reviewed to determine whether affiliation will or will not work in your situation.}
Standard: Business Associate Contracts
The Rule states (§164.504(e)) that the contract or other arrangement between the covered entity and an entity defined as a business associate by this Rule must also meet the requirements of this Rule. (Also see Business Associate and Disclosures to Business Associate)
A covered entity is not in compliance if it "knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation as applicable, and if such steps were unsuccessful:
- Terminated the contract or arrangement, if feasible; or
- If termination is not feasible, reported the problem to the Secretary."
Specification: Business Associate Contract
A contract between the covered entity and a business associate must:
- Establish the permitted and required uses and disclosures of such information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of...[the Rule] if done by the covered entity, except that the contract may permit the business associate to:
  - Use and disclose PHI for the proper management and administration of the business associate.
  - Provide data aggregation services relating to the healthcare operations of the covered entity.
- Provide that the business associate will:
  - Not use or further disclose the information other than as permitted or required by the contract or as required by law;
  - Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
  - Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;
  - Ensure that any agents, including a subcontractor, to whom it provides PHI received from, or created or received by the business associate on behalf of, the covered entity agree to the same restrictions and conditions that apply to the business associate with respect to such information;
  - Make available PHI in accordance with the Rule’s requirements for "Access of Individuals to PHI;"
  - Make available PHI for amendment and incorporate any amendments to PHI in accordance with the Rule’s requirements for "Amendment of PHI;"
  - Make available the information required to provide an accounting of disclosures in accordance with the Rule’s requirements for "Accounting of Disclosures of PHI;"
  - Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity’s compliance with this [Rule]; and
  - At termination of the contract, if feasible, return or destroy all PHI received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information, or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
- Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
Specifications: Other Arrangements
- If a covered entity and its business associate are both governmental entities:
  - The covered entity may comply with the requirements for a business associate contract by entering into a memorandum of understanding with the business associate that contains the same terms that accomplish the objectives in the contract language required above.
  - The covered entity may comply with the business associate contract requirements if other law (including regulations adopted by the covered entity or its business associates) contains requirements applicable to the business associate that accomplish the objectives in the contract language required above.
- If a business associate is required by law to perform a function or activity on behalf of a covered entity, or to provide a service described in the [Rule’s] definition of business associate to a covered entity, such covered entity may disclose PHI to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this section on business associate contracts, provided that the covered entity attempts in good faith to obtain satisfactory assurances that appropriate safeguards have been instituted [similar to those required by this Rule], and if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained.
- The covered entity may omit from its other arrangements the termination authorization required by this [Rule], if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.
Specifications: Other Requirements for Contracts and Other Arrangements
- The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the information received by the business associate in its capacity as a business associate to the covered entity, if necessary for the proper management and administration of the business associate, or to carry out the legal responsibilities of the business associate.
- The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the information received by the business associate in its capacity as a business associate for the purposes noted in the previous paragraph if the disclosure is required by law; or if:
  - The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and
  - The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached.
Standard: Requirements for Group Health Plans
- A group health plan, in order to disclose PHI to the plan sponsor or to provide for or permit the disclosure of PHI to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this [Rule].
- The group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose summary health information to the plan sponsor, if the plan sponsor requests the summary health information for the purpose of:
  - Obtaining premium bids from health plans for providing health insurance coverage under the group health plan; or
  - Modifying, amending, or terminating the group health plan.
Specifications: Requirements for Plan Documents
The plan documents of the group health plan must be amended to incorporate provisions to:
- Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this [Rule].
- Provide that the group health plan will disclose PHI to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to:
  - Not use or further disclose the information other than as permitted or required by the plan documents or as required by law;
  - Ensure that any agents, including a subcontractor, to whom it provides PHI received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information;
  - Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor;
  - Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for, of which it becomes aware;
  - Make available PHI in accordance with the Rule’s "Rights to Request Privacy Protection for PHI;"
  - Make available PHI for amendment and incorporate any amendments to PHI in accordance with the Rule’s "Amendment of PHI;"
  - Make available the information required to provide an accounting of disclosures in accordance with the Rule’s "Accounting of PHI;"
  - Make its internal practices, books, and records relating to the use and disclosure of PHI received from the group health plan available to the Secretary for purposes of determining compliance by the group health plan with this Rule;
  - If feasible, return or destroy all PHI received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and
  - Ensure that the adequate separation between the group health plan and the plan sponsor required in this Rule exists (see immediately below).
- Provide for adequate separation between the group health plan and the plan sponsor. The plan documents must:
  - Describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the PHI to be disclosed, provided that any employee or person who receives PHI relating to payment under, healthcare operations of, or other matters pertaining to the group health plan in the ordinary course of business must be included in such description;
  - Restrict the access to and use by such employees and other persons, described in the previous paragraph, to the plan administration functions that the plan sponsor performs for the group health plan; and
  - Provide an effective mechanism for resolving any issues of noncompliance by such persons with the plan document provisions required by [the Rule].
Specifications: Uses and Disclosures
A group health plan may:
- Disclose PHI to a plan sponsor to carry out plan administration functions that the plan sponsor performs only consistent with the requirements for plan documents noted above;
- Not permit a health insurance issuer or HMO with respect to the group health plan to disclose PHI to the plan sponsor except as permitted by the Rule;
- Not disclose and may not permit a health insurance issuer or HMO to disclose PHI to a plan sponsor as otherwise permitted by this paragraph, unless a statement required by the Rule’s "Notice of Privacy for PHI" is included in the appropriate notice; and
- Not disclose PHI to the plan sponsor for the purpose of employment-related actions or decisions in connection with any other benefit or employee benefit plan of the plan sponsor.
Standard: Requirements for a Covered Entity with Multiple Covered Functions
- A covered entity that performs multiple covered functions that would make the entity any combination of a health plan, a covered healthcare provider, and a healthcare clearinghouse must comply with the standards, requirements, and implementation specifications of this [Rule], as applicable to the health plan, healthcare provider, or healthcare clearinghouse covered functions that are performed.
- A covered entity that performs multiple covered functions may use or disclose the PHI of individuals who receive the covered entity’s health plan or healthcare provider services, but not both, only for purposes related to the appropriate function being performed.