Professional Documents
Culture Documents
HIPAA
HIPAA
45 CFR, Section (i) “Business associate” (1) Except as provided in paragraph (4) of this
160.103 definition, business associate means, with respect to a covered entity, a person
who: (i) On behalf of such covered entity or of an organized health care
arrangement (as defined in this section) in which the covered entity
participates, but other than in the capacity of a member of the workforce of
such covered entity or arrangement, creates, receives, maintains, or transmits
protected health information for a function or activity regulated by this
subchapter, including claims processing or administration, data analysis,
processing or administration, utilization review, quality assurance, patient
safety activities listed at 42 CFR 3.20, billing, benefit management, practice
management, and repricing; or (ii) Provides, other than in the capacity of a
member of the workforce of such covered entity, legal, actuarial, accounting,
consulting, data aggregation (as defined in Section 164.501 of this
subchapter), management, administrative, accreditation, or financial services
to or for such covered entity, or to or for an organized health care arrangement
in which the covered entity participates, where the provision of the service
involves the disclosure of protected health information from such covered
entity or arrangement, or from another business associate of such covered
entity or arrangement, to the person. (2) A covered entity may be a business
associate of another covered entity. (3) Business associate includes: (i) A
Health Information Organization, E-prescribing Gateway, or other person that
provides data transmission services with respect to protected health
information to a covered entity and that requires access on a routine basis to
such protected health information. (ii) A person that offers a personal health
record to one or more individuals on behalf of a covered entity. (iii) A
subcontractor that creates, receives, maintains, or transmits protected health
information on behalf of the business associate. (4) Business associate does
not include: (i) A health care provider, with respect to disclosures by a covered
entity to the health care provider concerning the treatment of the individual.
(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a
health insurance issuer or HMO with respect to a group health plan) to the
plan sponsor, to the extent that the requirements of § 164.504(f) of this
subchapter apply and are met. (iii) A government agency, with respect to
determining eligibility for, or enrollment in, a government health plan that
provides public benefits and is administered by another government agency, or
collecting protected health information for such purposes, to the extent such
activities are authorized by law. (iv) A covered entity participating in an
organized health care arrangement that performs a function or activity as
described by paragraph (1)(i) of this definition for or on behalf of such
organized health care arrangement, or that provides a service as described in
paragraph (1)(ii) of this definition to or for such organized health care
arrangement by virtue of such activities or services.
(ii) “Covered entity” means: (1) A health plan. (2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic
form in connection with a transaction covered by this subchapter.
(iii) “Disclosure” means the release, transfer, provision of access to, or divulging
in any manner of information outside the entity holding the information.
(iv) “Health care” means care, services, or supplies related to the health of an
individual. Health care includes, but is not limited to, the following: (1)
Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative
care, and counseling, service, assessment, or procedure with respect to the
physical or mental condition, or functional status, of an individual or that
affects the structure or function of the body; and (2) Sale or dispensing of a
drug, device, equipment, or other item in accordance with a prescription.
(3) A health care provider who transmits any health information in electronic
form in connection with a transaction covered by this subchapter.
(a) Use security measures that best allow for compliance with the standards
and implementation specifications in § 164.306.
(c) Consider the costs of security measures relative to the potential risks.
Section 164.308 (i) A covered entity or business associate must in accordance with section
(Administrative 164.306 implement the following standards:
Safeguards)
Standard
Implementation
(b) Risk Analysis (Required): Conduct an accurate and thorough risk analysis of
potential risks to ePHI.
(d) Sanction Policy (Required): Develop and apply sanctions against workforce
members for non-compliance with security policies.
Standard
(g) Workforce Security: Implement policies and procedures so that all members
of the workforce have appropriate access to ePHI.
Implementation
Standard
Implementation
Standard
Implementation Specification
Standard
Implementation specification
Standard
(v) Contingency Plan: establish and implement policies and procedures for
responding to an emergency or other occurrence such as fire, vandalism,
system failure, and natural disaster that damages systems that contain ePHI.
(x) Disaster Recovery Plan (Required): establish procedures to restore lost data.
(z) Testing and Revision Procedures (Addressable): periodically test and update
contingency plans.
Standard
Section 164.310 (i) Maintenance Records (Addressable): Implement policies and procedures to
(Physical document repairs and modifications to the security-related physical
Safeguards) components of a facility (e.g., hardware, walls, doors, locks).
(a) Disposal (Required): Develop and enforce policies and procedures for
the proper disposal of ePHI and the hardware or electronic media on
which it is stored.
(iv) Group Health Plans (Required): Group health plans must ensure
their plan documents enforce safeguards for ePHI handled by plan
sponsors, except under specified exceptions.
(i) Adopt Policies and Procedures: Implement reasonable and appropriate policies
and procedures to comply with the standards and requirements of this subpart,
considering factors specified in § 164.306(b)(2).
Documentation Standards
(iii) Maintain Written Records: Keep all policies and required actions, activities, or
assessments documented in written (including electronic) form.
(iv) Retention Period: Retain all required documentation for 6 years from the date
of creation or when it was last in effect, whichever is later.
Subpart E (i) A covered entity or business associate may not use or disclose protected health
164.502 information except as permitted or required by this subpart or by subpart c of
Uses and Part 160.
disclosures of
protected health (ii) Permitted Uses and Disclosures by Covered Entities:
information:
General rules (a) To the individual directly.
(b) When the Secretary of Health and Human Services under Subpart C of
Part 160 requires it to investigate or determine compliance.
(b) Not to use or disclose PHI in ways that would violate the covered
entity’s rules if performed by the covered entity, except as specifically
allowed in the contract.
(a) General Rule: When using, disclosing, or requesting PHI from another
covered entity or business associate, it is mandatory to limit the
information to the minimum necessary to achieve the intended purpose.
(b) Exceptions:
(a) Creating De-Identified Data: PHI may be used or disclosed to create de-
identified information, which can be done either by the covered entity
itself or via a business associate.
(b) De-Identified Data Use and Disclosure: Information that meets de-
identification standards per § 164.514(a) and (b) is no longer considered
PHI and is exempt from the requirements of this subpart.
(f) Abuse, Neglect, Endangerment Situations: A covered entity may opt not
to treat a person as a personal representative if there is a reasonable belief
of potential harm to the individual by doing so.
(h) Consistency with Notice: A covered entity must not use or disclose PHI in
a way that is inconsistent with its notice of privacy practices as required
by Section 164.520. Specific statements related to particular activities
must be included in the notice if the entity engages in those activities.