[Code of Federal Regulations]
[Title 45, Volume 1]
[Revised as of October 1, 2001]
From the U.S. Government Printing Office via GPO Access
[CITE: 45CFR164.504]
[Page 691-696]
TITLE 45--PUBLIC WELFARE
SUBTITLE A--DEPARTMENT OF HEALTH AND HUMAN SERVICES
PART 164--SECURITY AND PRIVACY--Table of Contents
Subpart E--Privacy of Individually Identifiable Health Information
Sec. 164.504 Uses and disclosures: Organizational requirements.
(a) Definitions. As used in this section:
Common control exists if an entity has the power, directly or
indirectly, significantly to influence or direct the actions or policies
of another entity.
Common ownership exists if an entity or entities possess an
ownership or equity interest of 5 percent or more in another entity.
Health care component has the following meaning:
(1) Components of a covered entity that perform covered functions
are part of the health care component.
(2) Another component of the covered entity is part of the entity's
health care component to the extent that:
(i) It performs, with respect to a component that performs covered
functions, activities that would make such other component a business
associate of the component that performs covered functions if the two
components were separate legal entities; and
(ii) The activities involve the use or disclosure of protected
health information that such other component creates or receives from or
on behalf of the component that performs covered functions.
Hybrid entity means a single legal entity that is a covered entity
and whose covered functions are not its primary functions.
Plan administration functions means administration functions
performed by the plan sponsor of a group health plan on behalf of the
group health plan and excludes functions performed by the plan sponsor
in connection with any other benefit or benefit plan of the plan
sponsor.
Summary health information means information, that may be
individually identifiable health information, and:
(1) That summarizes the claims history, claims expenses, or type of
claims experienced by individuals for whom a plan sponsor has provided
health benefits under a group health plan; and
(2) From which the information described at Sec. 164.514(b)(2)(i)
has been deleted, except that the geographic information described in
Sec. 164.514(b)(2)(i)(B) need only be aggregated to the level of a five
digit zip code.
(b) Standard: Health care component. If a covered entity is a hybrid
entity, the requirements of this subpart, other than the requirements of
this section, apply only to the health care component(s) of the entity,
as specified in this section.
(c)(1) Implementation specification: Application of other
provisions. In applying a provision of this subpart, other than this
section, to a hybrid entity:
(i) A reference in such provision to a ``covered entity'' refers to
a health care component of the covered entity;
(ii) A reference in such provision to a ``health plan,'' ``covered
health care provider,'' or ``health care clearinghouse'' refers to a
health care component of the covered entity if such health care
component performs the functions of a health plan, covered health care
provider, or health care clearinghouse, as applicable; and
(iii) A reference in such provision to ``protected health
information'' refers to protected health information that is created or
received by or on behalf of the health care component of the covered
entity.
(2) Implementation specifications: Safeguard requirements. The
covered entity that is a hybrid entity must ensure that a health care
component of the entity complies with the applicable requirements of
this subpart. In particular, and without limiting this requirement, such
covered entity must ensure that:
(i) Its health care component does not disclose protected health
information to another component of the covered entity in circumstances
in which this subpart would prohibit such disclosure if the health care
component and the other component were separate and distinct legal
entities;
(ii) A component that is described by paragraph (2)(i) of the
definition of health care component in this section does not use or
disclose protected health information that is within paragraph (2)(ii)
of such definition for purposes of its activities other than those
described by paragraph (2)(i) of such definition in a way prohibited by
this subpart; and
(iii) If a person performs duties for both the health care component
in the capacity of a member of the workforce of such component and for
another component of the entity in the same capacity with respect to
that component, such workforce member must not use or disclose protected
health information created or received in the course of or incident to
the member's work for the health care component in a way prohibited by
this subpart.
(3) Implementation specifications: Responsibilities of the covered
entity. A covered entity that is a hybrid entity has the following
responsibilities:
(i) For purposes of subpart C of part 160 of this subchapter,
pertaining to compliance and enforcement, the covered entity has the
responsibility to comply with this subpart.
(ii) The covered entity has the responsibility for complying with
Sec. 164.530(i), pertaining to the implementation of policies and
procedures to ensure compliance with this subpart, including the
safeguard requirements in paragraph (c)(2) of this section.
(iii) The covered entity is responsible for designating the
components that
are part of one or more health care components of the covered entity and
documenting the designation as required by Sec. 164.530(j).
(d)(1) Standard: Affiliated covered entities. Legally separate
covered entities that are affiliated may designate themselves as a
single covered entity for purposes of this subpart.
(2) Implementation specifications: Requirements for designation of
an affiliated covered entity. (i) Legally separate covered entities may
designate themselves (including any health care component of such
covered entity) as a single affiliated covered entity, for purposes of
this subpart, if all of the covered entities designated are under common
ownership or control.
(ii) The designation of an affiliated covered entity must be
documented and the documentation maintained as required by
Sec. 164.530(j).
(3) Implementation specifications: Safeguard requirements. An
affiliated covered entity must ensure that:
(i) The affiliated covered entity's use and disclosure of protected
health information comply with the applicable requirements of this
subpart; and
(ii) If the affiliated covered entity combines the functions of a
health plan, health care provider, or health care clearinghouse, the
affiliated covered entity complies with paragraph (g) of this section.
(e)(1) Standard: Business associate contracts. (i) The contract or
other arrangement between the covered entity and the business associate
required by Sec. 164.502(e)(2) must meet the requirements of paragraph
(e)(2) or (e)(3) of this section, as applicable.
(ii) A covered entity is not in compliance with the standards in
Sec. 164.502(e) and paragraph (e) of this section, if the covered entity
knew of a pattern of activity or practice of the business associate that
constituted a material breach or violation of the business associate's
obligation under the contract or other arrangement, unless the covered
entity took reasonable steps to cure the breach or end the violation, as
applicable, and, if such steps were unsuccessful:
(A) Terminated the contract or arrangement, if feasible; or
(B) If termination is not feasible, reported the problem to the
Secretary.
(2) Implementation specifications: Business associate contracts. A
contract between the covered entity and a business associate must:
(i) Establish the permitted and required uses and disclosures of
such information by the business associate. The contract may not
authorize the business associate to use or further disclose the
information in a manner that would violate the requirements of this
subpart, if done by the covered entity, except that:
(A) The contract may permit the business associate to use and
disclose protected health information for the proper management and
administration of the business associate, as provided in paragraph
(e)(4) of this section; and
(B) The contract may permit the business associate to provide data
aggregation services relating to the health care operations of the
covered entity.
(ii) Provide that the business associate will:
(A) Not use or further disclose the information other than as
permitted or required by the contract or as required by law;
(B) Use appropriate safeguards to prevent use or disclosure of the
information other than as provided for by its contract;
(C) Report to the covered entity any use or disclosure of the
information not provided for by its contract of which it becomes aware;
(D) Ensure that any agents, including a subcontractor, to whom it
provides protected health information received from, or created or
received by the business associate on behalf of, the covered entity
agrees to the same restrictions and conditions that apply to the
business associate with respect to such information;
(E) Make available protected health information in accordance with
Sec. 164.524;
(F) Make available protected health information for amendment and
incorporate any amendments to protected health information in accordance
with Sec. 164.526;
(G) Make available the information required to provide an accounting
of disclosures in accordance with Sec. 164.528;
(H) Make its internal practices, books, and records relating to the
use and disclosure of protected health information received from, or
created or received by the business associate on behalf of, the covered
entity available to the Secretary for purposes of determining the
covered entity's compliance with this subpart; and
(I) At termination of the contract, if feasible, return or destroy
all protected health information received from, or created or received
by the business associate on behalf of, the covered entity that the
business associate still maintains in any form and retain no copies of
such information or, if such return or destruction is not feasible,
extend the protections of the contract to the information and limit
further uses and disclosures to those purposes that make the return or
destruction of the information infeasible.
(iii) Authorize termination of the contract by the covered entity,
if the covered entity determines that the business associate has
violated a material term of the contract.
(3) Implementation specifications: Other arrangements. (i) If a
covered entity and its business associate are both governmental
entities:
(A) The covered entity may comply with paragraph (e) of this section
by entering into a memorandum of understanding with the business
associate that contains terms that accomplish the objectives of
paragraph (e)(2) of this section.
(B) The covered entity may comply with paragraph (e) of this
section, if other law (including regulations adopted by the covered
entity or its business associate) contains requirements applicable to
the business associate that accomplish the objectives of paragraph
(e)(2) of this section.
(ii) If a business associate is required by law to perform a
function or activity on behalf of a covered entity or to provide a
service described in the definition of business associate in
Sec. 160.103 of this subchapter to a covered entity, such covered entity
may disclose protected health information to the business associate to
the extent necessary to comply with the legal mandate without meeting
the requirements of this paragraph (e), provided that the covered entity
attempts in good faith to obtain satisfactory assurances as required by
paragraph (e)(3)(i) of this section, and, if such attempt fails,
documents the attempt and the reasons that such assurances cannot be
obtained.
(iii) The covered entity may omit from its other arrangements the
termination authorization required by paragraph (e)(2)(iii) of this
section, if such authorization is inconsistent with the statutory
obligations of the covered entity or its business associate.
(4) Implementation specifications: Other requirements for contracts
and other arrangements. (i) The contract or other arrangement between
the covered entity and the business associate may permit the business
associate to use the information received by the business associate in
its capacity as a business associate to the covered entity, if
necessary:
(A) For the proper management and administration of the business
associate; or
(B) To carry out the legal responsibilities of the business
associate.
(ii) The contract or other arrangement between the covered entity
and the business associate may permit the business associate to disclose
the information received by the business associate in its capacity as a
business associate for the purposes described in paragraph (e)(4)(i) of
this section, if:
(A) The disclosure is required by law; or
(B)(1) The business associate obtains reasonable assurances from the
person to whom the information is disclosed that it will be held
confidentially and used or further disclosed only as required by law or
for the purpose for which it was disclosed to the person; and
(2) The person notifies the business associate of any instances of
which it is aware in which the confidentiality of the information has
been breached.
(f)(1) Standard: Requirements for group health plans. (i) Except as
provided under paragraph (f)(1)(ii) of this section or as otherwise
authorized under Sec. 164.508, a group health plan, in order
to disclose protected health information to the plan sponsor or to
provide for or permit the disclosure of protected health information to
the plan sponsor by a health insurance issuer or HMO with respect to the
group health plan, must ensure that the plan documents restrict uses and
disclosures of such information by the plan sponsor consistent with the
requirements of this subpart.
(ii) The group health plan, or a health insurance issuer or HMO with
respect to the group health plan, may disclose summary health
information to the plan sponsor, if the plan sponsor requests the
summary health information for the purpose of:
(A) Obtaining premium bids from health plans for providing health
insurance coverage under the group health plan; or
(B) Modifying, amending, or terminating the group health plan.
(2) Implementation specifications: Requirements for plan documents.
The plan documents of the group health plan must be amended to
incorporate provisions to:
(i) Establish the permitted and required uses and disclosures of
such information by the plan sponsor, provided that such permitted and
required uses and disclosures may not be inconsistent with this subpart.
(ii) Provide that the group health plan will disclose protected
health information to the plan sponsor only upon receipt of a
certification by the plan sponsor that the plan documents have been
amended to incorporate the following provisions and that the plan
sponsor agrees to:
(A) Not use or further disclose the information other than as
permitted or required by the plan documents or as required by law;
(B) Ensure that any agents, including a subcontractor, to whom it
provides protected health information received from the group health
plan agree to the same restrictions and conditions that apply to the
plan sponsor with respect to such information;
(C) Not use or disclose the information for employment-related
actions and decisions or in connection with any other benefit or
employee benefit plan of the plan sponsor;
(D) Report to the group health plan any use or disclosure of the
information that is inconsistent with the uses or disclosures provided
for of which it becomes aware;
(E) Make available protected health information in accordance with
Sec. 164.524;
(F) Make available protected health information for amendment and
incorporate any amendments to protected health information in accordance
with Sec. 164.526;
(G) Make available the information required to provide an accounting
of disclosures in accordance with Sec. 164.528;
(H) Make its internal practices, books, and records relating to the
use and disclosure of protected health information received from the
group health plan available to the Secretary for purposes of determining
compliance by the group health plan with this subpart;
(I) If feasible, return or destroy all protected health information
received from the group health plan that the sponsor still maintains in
any form and retain no copies of such information when no longer needed
for the purpose for which disclosure was made, except that, if such
return or destruction is not feasible, limit further uses and
disclosures to those purposes that make the return or destruction of the
information infeasible; and
(J) Ensure that the adequate separation required in paragraph
(f)(2)(iii) of this section is established.
(iii) Provide for adequate separation between the group health plan
and the plan sponsor. The plan documents must:
(A) Describe those employees or classes of employees or other
persons under the control of the plan sponsor to be given access to the
protected health information to be disclosed, provided that any employee
or person who receives protected health information relating to payment
under, health care operations of, or other matters pertaining to the
group health plan in the ordinary course of business must be included in
such description;
(B) Restrict the access to and use by such employees and other
persons described in paragraph (f)(2)(iii)(A) of this section to the
plan administration
functions that the plan sponsor performs for the group health plan; and
(C) Provide an effective mechanism for resolving any issues of
noncompliance by persons described in paragraph (f)(2)(iii)(A) of this
section with the plan document provisions required by this paragraph.
(3) Implementation specifications: Uses and disclosures. A group
health plan may:
(i) Disclose protected health information to a plan sponsor to carry
out plan administration functions that the plan sponsor performs only
consistent with the provisions of paragraph (f)(2) of this section;
(ii) Not permit a health insurance issuer or HMO with respect to the
group health plan to disclose protected health information to the plan
sponsor except as permitted by this paragraph;
(iii) Not disclose and may not permit a health insurance issuer or
HMO to disclose protected health information to a plan sponsor as
otherwise permitted by this paragraph unless a statement required by
Sec. 164.520(b)(1)(iii)(C) is included in the appropriate notice; and
(iv) Not disclose protected health information to the plan sponsor for
the purpose of employment-related actions or decisions or in connection
with any other benefit or employee benefit plan of the plan sponsor.
(g) Standard: Requirements for a covered entity with multiple
covered functions. (1) A covered entity that performs multiple covered
functions that would make the entity any combination of a health plan, a
covered health care provider, and a health care clearinghouse, must
comply with the standards, requirements, and implementation
specifications of this subpart, as applicable to the health plan, health
care provider, or health care clearinghouse covered functions performed.
(2) A covered entity that performs multiple covered functions may
use or disclose the protected health information of individuals who
receive the covered entity's health plan or health care provider
services, but not both, only for purposes related to the appropriate
function being performed.