[Code of Federal Regulations]
[Title 45, Volume 1]
[Revised as of October 1, 2002]
From the U.S. Government Printing Office via GPO Access
[CITE: 45CFR164.504]

[Page 694-700]
 
                        TITLE 45--PUBLIC WELFARE
 
                           AND HUMAN SERVICES
 
PART 164--SECURITY AND PRIVACY
 
   Subpart E--Privacy of Individually Identifiable Health Information
 
Sec. 164.504  Uses and disclosures: Organizational requirements.

    (a) Definitions. As used in this section:
    Common control exists if an entity has the power, directly or 
indirectly, significantly to influence or direct the actions or policies 
of another entity.
    Common ownership exists if an entity or entities possess an 
ownership or equity interest of 5 percent or more in another entity.
    Health care component has the following meaning:
    (1) Components of a covered entity that perform covered functions 
are part of the health care component.
    (2) Another component of the covered entity is part of the entity's 
health care component to the extent that:
    (i) It performs, with respect to a component that performs covered 
functions, activities that would make such other component a business 
associate of the component that performs covered functions if the two 
components were separate legal entities; and
    (ii) The activities involve the use or disclosure of protected 
health information that such other component creates or receives from or 
on behalf of the component that performs covered functions.
    Hybrid entity means a single legal entity that is a covered entity 
and whose covered functions are not its primary functions.
    Plan administration functions means administration functions 
performed by the plan sponsor of a group health plan on behalf of the 
group health plan and excludes functions performed by the plan sponsor 
in connection with any other benefit or benefit plan of the plan 
sponsor.
    Summary health information means information, that may be 
individually identifiable health information, and:
    (1) That summarizes the claims history, claims expenses, or type of 
claims experienced by individuals for whom a plan sponsor has provided 
health benefits under a group health plan; and
    (2) From which the information described at Sec. 164.514(b)(2)(i) 
has been deleted, except that the geographic information described in 
Sec. 164.514(b)(2)(i)(B) need only be aggregated to the level of a five 
digit zip code.
    (b) Standard: Health care component. If a covered entity is a hybrid 
entity, the requirements of this subpart, other than the requirements of 
this section, apply only to the health care component(s) of the entity, 
as specified in this section.
    (c)(1) Implementation specification: Application of other 
provisions. In applying a provision of this subpart, other than this 
section, to a hybrid entity:
    (i) A reference in such provision to a ``covered entity'' refers to 
a health care component of the covered entity;
    (ii) A reference in such provision to a ``health plan,'' ``covered 
health care provider,'' or ``health care clearinghouse'' refers to a 
health care component of the covered entity if such health care 
component performs the functions of a health plan, covered health care 
provider, or health care clearinghouse, as applicable; and
    (iii) A reference in such provision to ``protected health 
information'' refers to protected health information that is created or 
received by or on behalf of the health care component of the covered 
entity.
    (2) Implementation specifications: Safeguard requirements. The 
covered entity that is a hybrid entity must ensure that a health care 
component of the entity complies with the applicable requirements of 
this subpart. In particular, and without limiting this requirement, such 
covered entity must ensure that:
    (i) Its health care component does not disclose protected health 
information to another component of the covered entity in circumstances 
in which this subpart would prohibit such disclosure if the health care 
component and the other component were separate and distinct legal 
entities;
    (ii) A component that is described by paragraph (2)(i) of the 
definition of health care component in this section does not use or 
disclose protected health information that is within paragraph (2)(ii) 
of such definition for purposes of its activities other than those 
described by paragraph (2)(i) of such definition in a way prohibited by 
this subpart; and
    (iii) If a person performs duties for both the health care component 
in the capacity of a member of the workforce of such component and for 
another component of the entity in the same capacity with respect to 
that component, such workforce member must not use or disclose protected 
health information created or received in the course of or incident to 
the member's work for the health care component in a way prohibited by 
this subpart.
    (3) Implementation specifications: Responsibilities of the covered 
entity. A covered entity that is a hybrid entity has the following 
responsibilities:
    (i) For purposes of subpart C of part 160 of this subchapter, 
pertaining to compliance and enforcement, the covered entity has the 
responsibility to comply with this subpart.
    (ii) The covered entity has the responsibility for complying with 
Sec. 164.530(i), pertaining to the implementation of policies and 
procedures to ensure compliance with this subpart, including the 
safeguard requirements in paragraph (c)(2) of this section.
    (iii) The covered entity is responsible for designating the 
components that are part of one or more health care components of the 
covered entity and documenting the designation as required by 
Sec. 164.530(j).
    (d)(1) Standard: Affiliated covered entities. Legally separate 
covered entities that are affiliated may designate themselves as a 
single covered entity for purposes of this subpart.
    (2) Implementation specifications: Requirements for designation of 
an affiliated covered entity. (i) Legally separate covered entities may 
designate themselves (including any health care component of such 
covered entity) as a single affiliated covered entity, for purposes of
this subpart, if all of the covered entities designated are under common 
ownership or control.
    (ii) The designation of an affiliated covered entity must be 
documented and the documentation maintained as required by 
Sec. 164.530(j).
    (3) Implementation specifications: Safeguard requirements. An 
affiliated covered entity must ensure that:
    (i) The affiliated covered entity's use and disclosure of protected 
health information comply with the applicable requirements of this 
subpart; and
    (ii) If the affiliated covered entity combines the functions of a 
health plan, health care provider, or health care clearinghouse, the 
affiliated covered entity complies with paragraph (g) of this section.
    (e)(1) Standard: Business associate contracts. (i) The contract or 
other arrangement between the covered entity and the business associate 
required by Sec. 164.502(e)(2) must meet the requirements of paragraph 
(e)(2) or (e)(3) of this section, as applicable.
    (ii) A covered entity is not in compliance with the standards in 
Sec. 164.502(e) and paragraph (e) of this section, if the covered entity 
knew of a pattern of activity or practice of the business associate that 
constituted a material breach or violation of the business associate's 
obligation under the contract or other arrangement, unless the covered 
entity took reasonable steps to cure the breach or end the violation, as 
applicable, and, if such steps were unsuccessful:
    (A) Terminated the contract or arrangement, if feasible; or
    (B) If termination is not feasible, reported the problem to the 
Secretary.
    (2) Implementation specifications: Business associate contracts. A 
contract between the covered entity and a business associate must:
    (i) Establish the permitted and required uses and disclosures of 
such information by the business associate. The contract may not 
authorize the business associate to use or further disclose the 
information in a manner that would violate the requirements of this 
subpart, if done by the covered entity, except that:
    (A) The contract may permit the business associate to use and 
disclose protected health information for the proper management and 
administration of the business associate, as provided in paragraph 
(e)(4) of this section; and
    (B) The contract may permit the business associate to provide data 
aggregation services relating to the health care operations of the 
covered entity.
    (ii) Provide that the business associate will:
    (A) Not use or further disclose the information other than as 
permitted or required by the contract or as required by law;
    (B) Use appropriate safeguards to prevent use or disclosure of the 
information other than as provided for by its contract;
    (C) Report to the covered entity any use or disclosure of the 
information not provided for by its contract of which it becomes aware;
    (D) Ensure that any agents, including a subcontractor, to whom it 
provides protected health information received from, or created or 
received by the business associate on behalf of, the covered entity 
agrees to the same restrictions and conditions that apply to the 
business associate with respect to such information;
    (E) Make available protected health information in accordance with 
Sec. 164.524;
    (F) Make available protected health information for amendment and 
incorporate any amendments to protected health information in accordance 
with Sec. 164.526;
    (G) Make available the information required to provide an accounting 
of disclosures in accordance with Sec. 164.528;
    (H) Make its internal practices, books, and records relating to the 
use and disclosure of protected health information received from, or 
created or received by the business associate on behalf of, the covered 
entity available to the Secretary for purposes of determining the 
covered entity's compliance with this subpart; and
    (I) At termination of the contract, if feasible, return or destroy 
all protected health information received from, or created or received 
by the business associate on behalf of, the covered entity
that the business associate still maintains in any form and retain no 
copies of such information or, if such return or destruction is not 
feasible, extend the protections of the contract to the information and 
limit further uses and disclosures to those purposes that make the 
return or destruction of the information infeasible.
    (iii) Authorize termination of the contract by the covered entity, 
if the covered entity determines that the business associate has 
violated a material term of the contract.
    (3) Implementation specifications: Other arrangements. (i) If a 
covered entity and its business associate are both governmental 
entities:
    (A) The covered entity may comply with paragraph (e) of this section 
by entering into a memorandum of understanding with the business 
associate that contains terms that accomplish the objectives of 
paragraph (e)(2) of this section.
    (B) The covered entity may comply with paragraph (e) of this 
section, if other law (including regulations adopted by the covered 
entity or its business associate) contains requirements applicable to 
the business associate that accomplish the objectives of paragraph 
(e)(2) of this section.
    (ii) If a business associate is required by law to perform a 
function or activity on behalf of a covered entity or to provide a 
service described in the definition of business associate in 
Sec. 160.103 of this subchapter to a covered entity, such covered entity 
may disclose protected health information to the business associate to 
the extent necessary to comply with the legal mandate without meeting 
the requirements of this paragraph (e), provided that the covered entity 
attempts in good faith to obtain satisfactory assurances as required by 
paragraph (e)(3)(i) of this section, and, if such attempt fails, 
documents the attempt and the reasons that such assurances cannot be 
obtained.
    (iii) The covered entity may omit from its other arrangements the 
termination authorization required by paragraph (e)(2)(iii) of this 
section, if such authorization is inconsistent with the statutory 
obligations of the covered entity or its business associate.
    (4) Implementation specifications: Other requirements for contracts 
and other arrangements. (i) The contract or other arrangement between 
the covered entity and the business associate may permit the business 
associate to use the information received by the business associate in 
its capacity as a business associate to the covered entity, if 
necessary:
    (A) For the proper management and administration of the business 
associate; or
    (B) To carry out the legal responsibilities of the business 
associate.
    (ii) The contract or other arrangement between the covered entity 
and the business associate may permit the business associate to disclose 
the information received by the business associate in its capacity as a 
business associate for the purposes described in paragraph (e)(4)(i) of 
this section, if:
    (A) The disclosure is required by law; or
    (B)(1) The business associate obtains reasonable assurances from the 
person to whom the information is disclosed that it will be held 
confidentially and used or further disclosed only as required by law or 
for the purpose for which it was disclosed to the person; and
    (2) The person notifies the business associate of any instances of 
which it is aware in which the confidentiality of the information has 
been breached.
    (f)(1) Standard: Requirements for group health plans. (i) Except as 
provided under paragraph (f)(1)(ii) of this section or as otherwise 
authorized under Sec. 164.508, a group health plan, in order to disclose 
protected health information to the plan sponsor or to provide for or 
permit the disclosure of protected health information to the plan 
sponsor by a health insurance issuer or HMO with respect to the group 
health plan, must ensure that the plan documents restrict uses and 
disclosures of such information by the plan sponsor consistent with the 
requirements of this subpart.
    (ii) The group health plan, or a health insurance issuer or HMO with 
respect to the group health plan, may disclose summary health 
information to the plan sponsor, if the plan sponsor
requests the summary health information for the purpose of:
    (A) Obtaining premium bids from health plans for providing health 
insurance coverage under the group health plan; or
    (B) Modifying, amending, or terminating the group health plan.
    (2) Implementation specifications: Requirements for plan documents. 
The plan documents of the group health plan must be amended to 
incorporate provisions to:
    (i) Establish the permitted and required uses and disclosures of 
such information by the plan sponsor, provided that such permitted and 
required uses and disclosures may not be inconsistent with this subpart.
    (ii) Provide that the group health plan will disclose protected 
health information to the plan sponsor only upon receipt of a 
certification by the plan sponsor that the plan documents have been 
amended to incorporate the following provisions and that the plan 
sponsor agrees to:
    (A) Not use or further disclose the information other than as 
permitted or required by the plan documents or as required by law;
    (B) Ensure that any agents, including a subcontractor, to whom it 
provides protected health information received from the group health 
plan agree to the same restrictions and conditions that apply to the 
plan sponsor with respect to such information;
    (C) Not use or disclose the information for employment-related 
actions and decisions or in connection with any other benefit or 
employee benefit plan of the plan sponsor;
    (D) Report to the group health plan any use or disclosure of the 
information that is inconsistent with the uses or disclosures provided 
for of which it becomes aware;
    (E) Make available protected health information in accordance with 
Sec. 164.524;
    (F) Make available protected health information for amendment and 
incorporate any amendments to protected health information in accordance 
with Sec. 164.526;
    (G) Make available the information required to provide an accounting 
of disclosures in accordance with Sec. 164.528;
    (H) Make its internal practices, books, and records relating to the 
use and disclosure of protected health information received from the 
group health plan available to the Secretary for purposes of determining 
compliance by the group health plan with this subpart;
    (I) If feasible, return or destroy all protected health information 
received from the group health plan that the sponsor still maintains in 
any form and retain no copies of such information when no longer needed 
for the purpose for which disclosure was made, except that, if such 
return or destruction is not feasible, limit further uses and 
disclosures to those purposes that make the return or destruction of the 
information infeasible; and
    (J) Ensure that the adequate separation required in paragraph 
(f)(2)(iii) of this section is established.
    (iii) Provide for adequate separation between the group health plan 
and the plan sponsor. The plan documents must:
    (A) Describe those employees or classes of employees or other 
persons under the control of the plan sponsor to be given access to the 
protected health information to be disclosed, provided that any employee 
or person who receives protected health information relating to payment 
under, health care operations of, or other matters pertaining to the 
group health plan in the ordinary course of business must be included in 
such description;
    (B) Restrict the access to and use by such employees and other 
persons described in paragraph (f)(2)(iii)(A) of this section to the 
plan administration functions that the plan sponsor performs for the 
group health plan; and
    (C) Provide an effective mechanism for resolving any issues of 
noncompliance by persons described in paragraph (f)(2)(iii)(A) of this 
section with the plan document provisions required by this paragraph.
    (3) Implementation specifications: Uses and disclosures. A group 
health plan may:
    (i) Disclose protected health information to a plan sponsor to carry 
out plan administration functions that the plan sponsor performs only 
consistent with
the provisions of paragraph (f)(2) of this section;
    (ii) Not permit a health insurance issuer or HMO with respect to the 
group health plan to disclose protected health information to the plan 
sponsor except as permitted by this paragraph;
    (iii) Not disclose and may not permit a health insurance issuer or 
HMO to disclose protected health information to a plan sponsor as 
otherwise permitted by this paragraph unless a statement required by 
Sec. 164.520(b)(1)(iii)(C) is included in the appropriate notice; and
    (iv) Not disclose protected health information to the plan sponsor for 
the purpose of employment-related actions or decisions or in connection 
with any other benefit or employee benefit plan of the plan sponsor.
    (g) Standard: Requirements for a covered entity with multiple 
covered functions. (1) A covered entity that performs multiple covered 
functions that would make the entity any combination of a health plan, a 
covered health care provider, and a health care clearinghouse, must 
comply with the standards, requirements, and implementation 
specifications of this subpart, as applicable to the health plan, health 
care provider, or health care clearinghouse covered functions performed.
    (2) A covered entity that performs multiple covered functions may 
use or disclose the protected health information of individuals who 
receive the covered entity's health plan or health care provider 
services, but not both, only for purposes related to the appropriate 
function being performed.

    Effective Date Note: At 67 FR 53267, Aug. 14, 2002, Sec. 164.504 was 
amended in paragraph (a), by revising the definitions of ``health care 
component'' and ``hybrid entity''; revising paragraphs (c)(1)(ii), 
(c)(2)(ii), (c)(3)(iii), (f)(1)(i), and adding paragraph (f)(1)(iii), 
effective Oct. 15, 2002. For the convenience of the user, the revised 
and added text is set forth as follows:

Sec. 164.504  Uses and disclosures: Organizational requirements.

    (a) Definitions. * * *
    Health care component means a component or combination of components 
of a hybrid entity designated by the hybrid entity in accordance with 
paragraph (c)(3)(iii) of this section.
    Hybrid entity means a single legal entity:
    (1) That is a covered entity;
    (2) Whose business activities include both covered and non-covered 
functions; and
    (3) That designates health care components in accordance with 
paragraph (c)(3)(iii) of this section.

                                * * * * *

    (c)(1) Implementation specification: Application of other 
provisions. * * *
    (ii) A reference in such provision to a ``health plan,'' ``covered 
health care provider,'' or ``health care clearinghouse'' refers to a 
health care component of the covered entity if such health care 
component performs the functions of a health plan, health care provider, 
or health care clearinghouse, as applicable; and

                                * * * * *

    (2) Implementation specifications: Safeguard requirements. * * *
    (ii) A component that is described by paragraph (c)(3)(iii)(B) of 
this section does not use or disclose protected health information that 
it creates or receives from or on behalf of the health care component in 
a way prohibited by this subpart; and

                                * * * * *

    (3) Implementation specifications: Responsibilities of the covered 
entity. * * *
    (iii) The covered entity is responsible for designating the 
components that are part of one or more health care components of the 
covered entity and documenting the designation as required by 
Sec. 164.530(j), provided that, if the covered entity designates a 
health care component or components, it must include any component that 
would meet the definition of covered entity if it were a separate legal 
entity. Health care component(s) also may include a component only to 
the extent that it performs:
    (A) Covered functions; or
    (B) Activities that would make such component a business associate 
of a component that performs covered functions if the two components 
were separate legal entities.

                                * * * * *

    (f)(1) Standard: Requirements for group health plans. (i) Except as 
provided under paragraph (f)(1)(ii) or (iii) of this section or as 
otherwise authorized under Sec. 164.508, a group health plan, in order 
to disclose protected health information to the plan sponsor or to 
provide for or permit the disclosure of protected health information to 
the plan sponsor by a health insurance issuer or HMO with respect to the 
group health plan, must ensure that the plan documents restrict uses and 
disclosures of such information by the
plan sponsor consistent with the requirements of this subpart.

                                * * * * *

    (iii) The group health plan, or a health insurance issuer or HMO 
with respect to the group health plan, may disclose to the plan sponsor 
information on whether the individual is participating in the group 
health plan, or is enrolled in or has disenrolled from a health 
insurance issuer or HMO offered by the plan.

                                * * * * *