[Code of Federal Regulations]
[Title 45, Volume 1]
[Revised as of October 1, 2004]
From the U.S. Government Printing Office via GPO Access
[CITE: 45CFR164.532]

[Page 782-783]
 
                        TITLE 45--PUBLIC WELFARE
 
                    SUBTITLE A--DEPARTMENT OF HEALTH
                         AND HUMAN SERVICES
 
PART 164--SECURITY AND PRIVACY
 
    Subpart E--Privacy of Individually Identifiable Health Information
 
Sec. 164.532  Transition provisions.

    (a) Standard: Effect of prior authorizations. Notwithstanding 
Sec. Sec. 164.508 and 164.512(i), a covered entity may use or disclose 
protected health information, consistent with paragraphs (b) and (c) of 
this section, pursuant to an authorization or other express legal 
permission obtained from an individual permitting the use or disclosure 
of protected health information, informed consent of the individual to 
participate in research, or a waiver of informed consent by an IRB.
    (b) Implementation specification: Effect of prior authorization for 
purposes other than research. Notwithstanding any provisions in Sec. 
164.508, a covered entity may use or disclose protected health 
information that it created or received prior to the applicable 
compliance date of this subpart pursuant to an authorization or other 
express legal permission obtained from an individual prior to the 
applicable compliance date of this subpart, provided that the 
authorization or other express legal permission specifically permits 
such use or disclosure and there is no agreed-to restriction in 
accordance with Sec. 164.522(a).
    (c) Implementation specification: Effect of prior permission for 
research. Notwithstanding any provisions in Sec. Sec. 164.508 and 
164.512(i), a covered entity may, to the extent allowed by one of the 
following permissions, use or disclose, for research, protected health 
information that it created or received either before or after the 
applicable compliance date of this subpart, provided that there is no 
agreed-to restriction in accordance with Sec. 164.522(a), and the 
covered entity has obtained, prior to the applicable compliance date, 
either:
    (1) An authorization or other express legal permission from an 
individual to use or disclose protected health information for the 
research;
    (2) The informed consent of the individual to participate in the 
research; or
    (3) A waiver, by an IRB, of informed consent for the research, in 
accordance with 7 CFR 1c.116(d), 10 CFR 745.116(d), 14 CFR 1230.116(d), 
15 CFR 27.116(d), 16 CFR 1028.116(d), 21 CFR 50.24, 22 CFR 225.116(d), 
24 CFR 60.116(d), 28 CFR 46.116(d), 32 CFR 219.116(d), 34 CFR 97.116(d), 
38 CFR 16.116(d), 40 CFR 26.116(d), 45 CFR 46.116(d), 45 CFR 690.116(d), 
or 49 CFR 11.116(d), provided that a covered entity must obtain 
authorization in accordance with Sec. 164.508 if, after the compliance 
date, informed consent is sought from an individual participating in the 
research.
    (d) Standard: Effect of prior contracts or other arrangements with 
business associates. Notwithstanding any other provisions of this 
subpart, a covered entity, other than a small health plan, may disclose 
protected health information to a business associate and may allow a 
business associate to create, receive, or use protected health 
information on its behalf pursuant to a written contract or other 
written arrangement with such business associate that does not comply 
with Sec. Sec. 164.502(e) and 164.504(e) consistent with the 
requirements, and only for such time, set forth in paragraph (e) of this 
section.
    (e) Implementation specification: Deemed compliance-- (1) 
Qualification. Notwithstanding other sections of this subpart, a covered 
entity, other than a small health plan, is deemed to be in compliance 
with the documentation 
and contract requirements of Sec. Sec. 164.502(e) and 164.504(e), with 
respect to a particular business associate relationship, for the time 
period set forth in paragraph (e)(2) of this section, if:
    (i) Prior to October 15, 2002, such covered entity has entered into 
and is operating pursuant to a written contract or other written 
arrangement with a business associate for such business associate to 
perform functions or activities or provide services that make the entity 
a business associate; and
    (ii) The contract or other arrangement is not renewed or modified 
from October 15, 2002, until the compliance date set forth in Sec. 
164.534.
    (2) Limited deemed compliance period. A prior contract or other 
arrangement that meets the qualification requirements in paragraph (e) 
of this section, shall be deemed compliant until the earlier of:
    (i) The date such contract or other arrangement is renewed or 
modified on or after the compliance date set forth in Sec. 164.534; or
    (ii) April 14, 2004.
    (3) Covered entity responsibilities. Nothing in this section shall 
alter the requirements of a covered entity to comply with part 160, 
subpart C of this subchapter and Sec. Sec. 164.524, 164.526, 164.528, 
and 164.530(f) with respect to protected health information held by a 
business associate.

[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53272, Aug. 14, 2002]