Section






[Code of Federal Regulations]

[Title 45, Volume 1]

[Revised as of October 1, 2006]

From the U.S. Government Printing Office via GPO Access

[CITE: 45CFR164.532]



[Page 792-793]

 

                        TITLE 45--PUBLIC WELFARE

 

                    SUBTITLE A--DEPARTMENT OF HEALTH

                           AND HUMAN SERVICES

 

PART 164_SECURITY AND PRIVACY--Table of Contents

 

    Subpart E_Privacy of Individually Identifiable Health Information

 

Sec.  164.532  Transition provisions.



    (a) Standard: Effect of prior authorizations. Notwithstanding 

Sec. Sec.  164.508 and 164.512(i), a covered entity may use or disclose 

protected health information, consistent with paragraphs (b) and (c) of 

this section, pursuant to an authorization or other express legal 

permission obtained from an individual permitting the use or disclosure 

of protected health information, informed consent of the individual to 

participate in research, or a waiver of informed consent by an IRB.

    (b) Implementation specification: Effect of prior authorization for 

purposes other than research. Notwithstanding any provisions in Sec.  

164.508, a covered entity may use or disclose protected health 

information that it created or received prior to the applicable 

compliance date of this subpart pursuant to an authorization or other 

express legal permission obtained from an individual prior to the 

applicable compliance date of this subpart, provided that the 

authorization or other express legal permission specifically permits 

such use or disclosure and there is no agreed-to restriction in 

accordance with Sec.  164.522(a).

    (c) Implementation specification: Effect of prior permission for 

research. Notwithstanding any provisions in Sec. Sec.  164.508 and 

164.512(i), a covered entity may, to the extent allowed by one of the 

following permissions, use or disclose, for research, protected health 

information that it created or received either before or after the 

applicable compliance date of this subpart, provided that



[[Page 793]]



there is no agreed-to restriction in accordance with Sec.  164.522(a), 

and the covered entity has obtained, prior to the applicable compliance 

date, either:

    (1) An authorization or other express legal permission from an 

individual to use or disclose protected health information for the 

research;

    (2) The informed consent of the individual to participate in the 

research; or

    (3) A waiver, by an IRB, of informed consent for the research, in 

accordance with 7 CFR 1c.116(d), 10 CFR 745.116(d), 14 CFR 1230.116(d), 

15 CFR 27.116(d), 16 CFR 1028.116(d), 21 CFR 50.24, 22 CFR 225.116(d), 

24 CFR 60.116(d), 28 CFR 46.116(d), 32 CFR 219.116(d), 34 CFR 97.116(d), 

38 CFR 16.116(d), 40 CFR 26.116(d), 45 CFR 46.116(d), 45 CFR 690.116(d), 

or 49 CFR 11.116(d), provided that a covered entity must obtain 

authorization in accordance with Sec.  164.508 if, after the compliance 

date, informed consent is sought from an individual participating in the 

research.

    (d) Standard: Effect of prior contracts or other arrangements with 

business associates. Notwithstanding any other provisions of this 

subpart, a covered entity, other than a small health plan, may disclose 

protected health information to a business associate and may allow a 

business associate to create, receive, or use protected health 

information on its behalf pursuant to a written contract or other 

written arrangement with such business associate that does not comply 

with Sec. Sec.  164.502(e) and 164.504(e) consistent with the 

requirements, and only for such time, set forth in paragraph (e) of this 

section.

    (e) Implementation specification: Deemed compliance--(1) 

Qualification. Notwithstanding other sections of this subpart, a covered 

entity, other than a small health plan, is deemed to be in compliance 

with the documentation and contract requirements of Sec. Sec.  

164.502(e) and 164.504(e), with respect to a particular business 

associate relationship, for the time period set forth in paragraph 

(e)(2) of this section, if:

    (i) Prior to October 15, 2002, such covered entity has entered into 

and is operating pursuant to a written contract or other written 

arrangement with a business associate for such business associate to 

perform functions or activities or provide services that make the entity 

a business associate; and

    (ii) The contract or other arrangement is not renewed or modified 

from October 15, 2002, until the compliance date set forth in Sec.  

164.534.

    (2) Limited deemed compliance period. A prior contract or other 

arrangement that meets the qualification requirements in paragraph (e) 

of this section, shall be deemed compliant until the earlier of:

    (i) The date such contract or other arrangement is renewed or 

modified on or after the compliance date set forth in Sec.  164.534; or

    (ii) April 14, 2004.

    (3) Covered entity responsibilities. Nothing in this section shall 

alter the requirements of a covered entity to comply with part 160, 

subpart C of this subchapter and Sec. Sec.  164.524, 164.526, 164.528, 

and 164.530(f) with respect to protected health information held by a 

business associate.



[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53272, Aug. 14, 2002]