[Code of Federal Regulations]
[Title 45, Volume 1]
[Revised as of October 1, 2007]
From the U.S. Government Printing Office via GPO Access
[CITE: 45CFR164.105]

[Page 733-735]
 
                        TITLE 45--PUBLIC WELFARE
 
                           AND HUMAN SERVICES
 
PART 164--SECURITY AND PRIVACY--Table of Contents
 
                      Subpart A--General Provisions
 
Sec. 164.105  Organizational requirements.

    (a)(1) Standard: Health care component. If a covered entity is a 
hybrid entity, the requirements of subparts C and E of this part, other 
than the requirements of this section, Sec. 164.314, and Sec. 164.504, 
apply only to the health care component(s) of the entity, as specified 
in this section.
    (2) Implementation specifications:
    (i) Application of other provisions. In applying a provision of 
subparts C and E of this part, other than the requirements of this 
section, Sec. 164.314, and Sec. 164.504, to a hybrid entity:
    (A) A reference in such provision to a ``covered entity'' refers to 
a health care component of the covered entity;
    (B) A reference in such provision to a ``health plan,'' ``covered 
health care provider,'' or ``health care clearinghouse,'' refers to a 
health care component of the covered entity if such health care 
component performs the 
functions of a health plan, health care provider, or health care 
clearinghouse, as applicable;
    (C) A reference in such provision to ``protected health 
information'' refers to protected health information that is created or 
received by or on behalf of the health care component of the covered 
entity; and
    (D) A reference in such provision to ``electronic protected health 
information'' refers to electronic protected health information that is 
created, received, maintained, or transmitted by or on behalf of the 
health care component of the covered entity.
    (ii) Safeguard requirements. The covered entity that is a hybrid 
entity must ensure that a health care component of the entity complies 
with the applicable requirements of this section and subparts C and E of 
this part. In particular, and without limiting this requirement, such 
covered entity must ensure that:
    (A) Its health care component does not disclose protected health 
information to another component of the covered entity in circumstances 
in which subpart E of this part would prohibit such disclosure if the 
health care component and the other component were separate and distinct 
legal entities;
    (B) Its health care component protects electronic protected health 
information with respect to another component of the covered entity to 
the same extent that it would be required under subpart C of this part 
to protect such information if the health care component and the other 
component were separate and distinct legal entities;
    (C) A component that is described by paragraph (a)(2)(iii)(C)(2) of 
this section does not use or disclose protected health information that 
it creates or receives from or on behalf of the health care component in 
a way prohibited by subpart E of this part;
    (D) A component that is described by paragraph (a)(2)(iii)(C)(2) of 
this section that creates, receives, maintains, or transmits electronic 
protected health information on behalf of the health care component is 
in compliance with subpart C of this part; and
    (E) If a person performs duties for both the health care component 
in the capacity of a member of the workforce of such component and for 
another component of the entity in the same capacity with respect to 
that component, such workforce member must not use or disclose protected 
health information created or received in the course of or incident to 
the member's work for the health care component in a way prohibited by 
subpart E of this part.
    (iii) Responsibilities of the covered entity. A covered entity that 
is a hybrid entity has the following responsibilities:
    (A) For purposes of subpart C of part 160 of this subchapter, 
pertaining to compliance and enforcement, the covered entity has the 
responsibility of complying with subpart E of this part.
    (B) The covered entity is responsible for complying with Sec. 
164.316(a) and Sec. 164.530(i), pertaining to the implementation of 
policies and procedures to ensure compliance with applicable 
requirements of this section and subparts C and E of this part, 
including the safeguard requirements in paragraph (a)(2)(ii) of this 
section.
    (C) The covered entity is responsible for designating the components 
that are part of one or more health care components of the covered 
entity and documenting the designation in accordance with paragraph (c) 
of this section, provided that, if the covered entity designates a 
health care component or components, it must include any component that 
would meet the definition of covered entity if it were a separate legal 
entity. Health care component(s) also may include a component only to 
the extent that it performs:
    (1) Covered functions; or
    (2) Activities that would make such component a business associate 
of a component that performs covered functions if the two components 
were separate legal entities.
    (b)(1) Standard: Affiliated covered entities. Legally separate 
covered entities that are affiliated may designate themselves as a 
single covered entity for purposes of subparts C and E of this part.
    (1) Implementation specifications:
    (i) Requirements for designation of an affiliated covered entity. 
(A) Legally separate covered entities may designate themselves 
(including any health care 
component of such covered entity) as a single affiliated covered entity, 
for purposes of subparts C and E of this part, if all of the covered 
entities designated are under common ownership or control.
    (B) The designation of an affiliated covered entity must be 
documented and the documentation maintained as required by paragraph (c) 
of this section.
    (ii) Safeguard requirements. An affiliated covered entity must 
ensure that:
    (A) The affiliated covered entity's creation, receipt, maintenance, 
or transmission of electronic protected health information complies with 
the applicable requirements of subpart C of this part;
    (B) The affiliated covered entity's use and disclosure of protected 
health information comply with the applicable requirements of subpart E 
of this part; and
    (C) If the affiliated covered entity combines the functions of a 
health plan, health care provider, or health care clearinghouse, the 
affiliated covered entity complies with Sec. 164.308(a)(4)(ii)(A) and 
Sec. 164.504(g), as applicable.
    (c)(1) Standard: Documentation. A covered entity must maintain a 
written or electronic record of a designation as required by paragraphs 
(a) or (b) of this section.
    (2) Implementation specification: Retention period. A covered entity 
must retain the documentation as required by paragraph (c)(1) of this 
section for 6 years from the date of its creation or the date when it 
last was in effect, whichever is later.

[68 FR 8375, Feb. 20, 2003]