[Code of Federal Regulations]

[Title 45, Volume 1]

[Revised as of October 1, 2006]

From the U.S. Government Printing Office via GPO Access

[CITE: 45CFR164.105]



[Page 741-743]

 

                        TITLE 45--PUBLIC WELFARE

 

                    SUBTITLE A--DEPARTMENT OF HEALTH

                           AND HUMAN SERVICES

 

PART 164--SECURITY AND PRIVACY--Table of Contents

 

                      Subpart A--General Provisions

 

Sec.  164.105  Organizational requirements.



    (a)(1) Standard: Health care component. If a covered entity is a 

hybrid entity, the requirements of subparts C and E of this part, other 

than the requirements of this section, Sec.  164.314, and Sec.  164.504, 

apply only to the health care component(s) of the entity, as specified 

in this section.

    (2) Implementation specifications:

    (i) Application of other provisions. In applying a provision of 

subparts C and E of this part, other than the requirements of this 

section, Sec.  164.314, and Sec.  164.504, to a hybrid entity:

    (A) A reference in such provision to a ``covered entity'' refers to 

a health care component of the covered entity;

    (B) A reference in such provision to a ``health plan,'' ``covered 

health care provider,'' or ``health care clearinghouse,'' refers to a 

health care component of the covered entity if such health care 

component performs the 

functions of a health plan, health care provider, or health care 

clearinghouse, as applicable;

    (C) A reference in such provision to ``protected health 

information'' refers to protected health information that is created or 

received by or on behalf of the health care component of the covered 

entity; and

    (D) A reference in such provision to ``electronic protected health 

information'' refers to electronic protected health information that is 

created, received, maintained, or transmitted by or on behalf of the 

health care component of the covered entity.

    (ii) Safeguard requirements. The covered entity that is a hybrid 

entity must ensure that a health care component of the entity complies 

with the applicable requirements of this section and subparts C and E of 

this part. In particular, and without limiting this requirement, such 

covered entity must ensure that:

    (A) Its health care component does not disclose protected health 

information to another component of the covered entity in circumstances 

in which subpart E of this part would prohibit such disclosure if the 

health care component and the other component were separate and distinct 

legal entities;

    (B) Its health care component protects electronic protected health 

information with respect to another component of the covered entity to 

the same extent that it would be required under subpart C of this part 

to protect such information if the health care component and the other 

component were separate and distinct legal entities;

    (C) A component that is described by paragraph (a)(2)(iii)(C)(2) of 

this section does not use or disclose protected health information that 

it creates or receives from or on behalf of the health care component in 

a way prohibited by subpart E of this part;

    (D) A component that is described by paragraph (a)(2)(iii)(C)(2) of 

this section that creates, receives, maintains, or transmits electronic 

protected health information on behalf of the health care component is 

in compliance with subpart C of this part; and

    (E) If a person performs duties for both the health care component 

in the capacity of a member of the workforce of such component and for 

another component of the entity in the same capacity with respect to 

that component, such workforce member must not use or disclose protected 

health information created or received in the course of or incident to 

the member's work for the health care component in a way prohibited by 

subpart E of this part.

    (iii) Responsibilities of the covered entity. A covered entity that 

is a hybrid entity has the following responsibilities:

    (A) For purposes of subpart C of part 160 of this subchapter, 

pertaining to compliance and enforcement, the covered entity has the 

responsibility of complying with subpart E of this part.

    (B) The covered entity is responsible for complying with Sec.  

164.316(a) and Sec.  164.530(i), pertaining to the implementation of 

policies and procedures to ensure compliance with applicable 

requirements of this section and subparts C and E of this part, 

including the safeguard requirements in paragraph (a)(2)(ii) of this 

section.

    (C) The covered entity is responsible for designating the components 

that are part of one or more health care components of the covered 

entity and documenting the designation in accordance with paragraph (c) 

of this section, provided that, if the covered entity designates a 

health care component or components, it must include any component that 

would meet the definition of covered entity if it were a separate legal 

entity. Health care component(s) also may include a component only to 

the extent that it performs:

    (1) Covered functions; or

    (2) Activities that would make such component a business associate 

of a component that performs covered functions if the two components 

were separate legal entities.

    (b)(1) Standard: Affiliated covered entities. Legally separate 

covered entities that are affiliated may designate themselves as a 

single covered entity for purposes of subparts C and E of this part.

    (1) Implementation specifications:

    (i) Requirements for designation of an affiliated covered entity. 

(A) Legally separate covered entities may designate themselves 

(including any health care 

component of such covered entity) as a single affiliated covered entity, 

for purposes of subparts C and E of this part, if all of the covered 

entities designated are under common ownership or control.

    (B) The designation of an affiliated covered entity must be 

documented and the documentation maintained as required by paragraph (c) 

of this section.

    (ii) Safeguard requirements. An affiliated covered entity must 

ensure that:

    (A) The affiliated covered entity's creation, receipt, maintenance, 

or transmission of electronic protected health information complies with 

the applicable requirements of subpart C of this part;

    (B) The affiliated covered entity's use and disclosure of protected 

health information comply with the applicable requirements of subpart E 

of this part; and

    (C) If the affiliated covered entity combines the functions of a 

health plan, health care provider, or health care clearinghouse, the 

affiliated covered entity complies with Sec.  164.308(a)(4)(ii)(A) and 

Sec.  164.504(g), as applicable.

    (c)(1) Standard: Documentation. A covered entity must maintain a 

written or electronic record of a designation as required by paragraphs 

(a) or (b) of this section.

    (2) Implementation specification: Retention period. A covered entity 

must retain the documentation as required by paragraph (c)(1) of this 

section for 6 years from the date of its creation or the date when it 

last was in effect, whichever is later.



[68 FR 8375, Feb. 20, 2003]