AMC/HIPAA Workgroup
65
Section One: Covered Entities

PRIV.01
Health care component § 164.504(b)
HIPAA Requirement
Standard: health care component. If a covered entity is a hybrid entity, the
requirements of this subpart, other than the requirements of this section, apply
only to the health care component(s) of the entity, as specified in this section.
(c)(1) Implementation specification: application of other provisions. In applying
a provision of this subpart, other than this section, to a hybrid entity:
(i) A reference in such provision to a "covered entity" refers to a health care
component of the covered entity;
(ii) A reference in such provision to a "health plan," "covered health care
provider," or "health care clearinghouse" refers to a health care component of
the covered entity if such health care component performs the functions of a
health plan, covered health care provider, or health care clearinghouse, as
applicable; and
(iii) A reference in such provision to "protected health information" refers to
protected health information that is created or received by or on behalf of the
health care component of the covered entity.
(2) Implementation specifications: safeguard requirements. The covered
entity that is a hybrid entity must ensure that a health care component of the
entity complies with the applicable requirements of this subpart. In particular,
and without limiting this requirement, such covered entity must ensure that:
(i) Its health care component does not disclose protected health information to
another component of the covered entity in circumstances in which this subpart
would prohibit such disclosure if the health care component and the other
component were separate and distinct legal entities;
(ii) A component that is described by paragraph (2)(i) of the definition of
health care component in this section does not use or disclose protected health
information that is within paragraph (2)(ii) of such definition for purposes of its
activities other than those described by paragraph (2)(i) of such definition in a
way prohibited by this subpart; and
(iii) If a person performs duties for both the health care component in the
capacity of a member of the workforce of such component and for another
component of the entity in the same capacity with respect to that component, such
workforce member must not use or disclose protected health information created
or received in the course of or incident to the member's work for the health care
component in a way prohibited by this subpart.
(3) Implementation specifications: responsibilities of the covered entity. A
covered entity that is a hybrid entity has the following responsibilities:
(i) For purposes of subpart C of part 160 of this subchapter, pertaining to
compliance and enforcement, the covered entity has the responsibility to comply
with this subpart.
(ii) The covered entity has the responsibility for complying with § 164.530(i),
pertaining to the implementation of policies and procedures to ensure compliance

with this subpart, including the safeguard requirements in paragraph (c)(2) of
this section.
(iii) The covered entity is responsible for designating the components that are
part of one or more health care components of the covered entity and
documenting the designation as required by § 164.530(j).
AMC Explanation of HIPAA Regulation
A hybrid entity is a single legal entity that is a covered entity, but one where its covered
functions are not its primary function. While the HIPAA Privacy regulations classify the entire
hybrid entity as a covered entity, the HIPAA privacy information disclosure and use
requirements apply only to the entity's healthcare components. The hybrid entity is responsible
for designating which of its components are healthcare components, and for ensuring that those
components comply with the HIPAA privacy requirements.
Healthcare components of an entity must treat non-healthcare components of the entity as
separate entities for the purposes of disclosure of protected health information. Individuals who
work for both a healthcare component and other components of the entity must adhere to the
HIPAA privacy information disclosure and use requirements when handling any protected health
information they encounter as part of their duties in the healthcare component.
Key Issues
What are the components of your entity?
Which components are healthcare components?
Do any members of your workforce work for more than one component of your hybrid
entity?
Category I Guidelines-Actions must be taken to address these
If your entity is a hybrid entity, designate which components of your entity are healthcare
components. Document this designation.
Ensure that all healthcare components of your entity comply with HIPAA privacy
requirements.
Identify any individuals who work for both healthcare components and non-healthcare
components of your entity and ensure that they treat protected health information in
accordance with the HIPAA privacy requirements. Make sure this is done on a regular
basis, as workforce members change jobs.
Category II Guidelines-Actions should be taken to address these
Make specialized training available to help workforce members who work for both
healthcare and non-healthcare components be aware of their responsibilities.
Roadblocks
No roadblocks specific to this point.
Comments
None.

PRIV.02
Affiliated covered entities § 164.504(d)
HIPAA Requirement
(1) Standard: affiliated covered entities. Legally separate covered entities that are
affiliated may designate themselves as a single covered entity for purposes of this
subpart.
(2) Implementation specifications: requirements for designation of an affiliated
covered entity. (i) Legally separate covered entities may designate themselves
(including any health care component of such covered entity) as a single affiliated
covered entity, for purposes of this subpart, if all of the covered entities
designated are under common ownership or control.
(ii) The designation of an affiliated covered entity must be documented and the
documentation maintained as required by § 164.530(j).
(3) Implementation specifications: safeguard requirements. An affiliated covered
entity must ensure that:
(i) The affiliated covered entity's use and disclosure of protected health
information comply with the applicable requirements of this subpart; and
(ii) If the affiliated covered entity combines the functions of a health plan, health
care provider, or health care clearinghouse, the affiliated covered entity complies
with paragraph (g) of this section.
AMC Explanation of HIPAA Regulation
Several legally separate covered entities under common ownership or control may combine to
form a single affiliated covered entity for the purposes of compliance with HIPAA privacy. If
such an affiliated covered entity is created, the affiliated entity becomes responsible for the
compliance of all of the legally separate covered entities that compose it. The creation of an affiliated covered entity must be
documented.
Key Issues
Is your entity eligible for affiliation under this part of the regulation: does it consist of
multiple legally separate covered entities under common ownership or control?
Category I Guidelines-Actions must be taken to address these
If an affiliated entity is created, make sure to document its creation according to the
requirements of §164.530(j).
Category II Guidelines-Actions should be taken to address these
Consult your legal staff about whether the creation of an affiliated entity would be
advantageous.
Roadblocks
No roadblocks specific to this point.

Comments
None.

PRIV.03
Business associate contracts § 164.504(e)(1)
HIPAA Requirement
(1) Standard: business associate contracts. (i) The contract or other arrangement
between the covered entity and the business associate required by § 164.502(e)(2)
must meet the requirements of paragraph (e)(2) or (e)(3) of this section, as
applicable.
(ii) A covered entity is not in compliance with the standards in § 164.502(e) and
paragraph (e) of this section, if the covered entity knew of a pattern of activity or
practice of the business associate that constituted a material breach or violation
of the business associate's obligation under the contract or other arrangement,
unless the covered entity took reasonable steps to cure the breach or end the
violation, as applicable, and, if such steps were unsuccessful:
(A) Terminated the contract or arrangement, if feasible; or
(B) If termination is not feasible, reported the problem to the Secretary.
(2) Implementation specifications: business associate contracts. A contract
between the covered entity and a business associate must:
(i) Establish the permitted and required uses and disclosures of such information
by the business associate. The contract may not authorize the business associate
to use or further disclose the information in a manner that would violate the
requirements of this subpart, if done by the covered entity, except that:
(A) The contract may permit the business associate to use and disclose protected
health information for the proper management and administration of the business
associate, as provided in paragraph (e)(4) of this section; and
(B) The contract may permit the business associate to provide data aggregation
services relating to the health care operations of the covered entity.
(ii) Provide that the business associate will:
(A) Not use or further disclose the information other than as permitted or
required by the contract or as required by law;
(B) Use appropriate safeguards to prevent use or disclosure of the information
other than as provided for by its contract;
(C) Report to the covered entity any use or disclosure of the information not
provided for by its contract of which it becomes aware;
(D) Ensure that any agents, including a subcontractor, to whom it provides
protected health information received from, or created or received by the business
associate on behalf of, the covered entity agrees to the same restrictions and
conditions that apply to the business associate with respect to such information;
(E) Make available protected health information in accordance with § 164.524;
(F) Make available protected health information for amendment and incorporate
any amendments to protected health information in accordance with § 164.526;
(G) Make available the information required to provide an accounting of
disclosures in accordance with § 164.528;
(H) Make its internal practices, books,
and records relating to the use and disclosure of protected health information
received from, or created or received by the business associate on behalf of, the

covered entity available to the Secretary for purposes of determining the covered
entity's compliance with this subpart; and
(I) At termination of the contract, if feasible, return or destroy all protected health
information received from, or created or received by the business associate on
behalf of, the covered entity that the business associate still maintains in any form
and retain no copies of such information or, if such return or destruction is not
feasible, extend the protections of the contract to the information and limit further
uses and disclosures to those purposes that make the return or destruction of the
information infeasible.
(iii) Authorize termination of the contract by the covered entity, if the covered
entity determines that the business associate has violated a material term of the
contract.
(3) Implementation specifications: other arrangements. (i) If a covered
entity and its business associate are both governmental entities:
(A) The covered entity may comply with paragraph (e) of this section by entering
into a memorandum of understanding with the business associate that contains
terms that accomplish the objectives of paragraph (e)(2) of this section.
(B) The covered entity may comply with paragraph (e) of this section, if other law
(including regulations adopted by the covered entity or its business associate)
contains requirements applicable to the business associate that accomplish the
objectives of paragraph (e)(2) of this section.
(ii) If a business associate is
required by law to perform a function or activity on behalf of a covered entity or
to provide a service described in the definition of business associate in § 160.103
of this subchapter to a covered entity, such covered entity may disclose protected
health information to the business associate to the extent necessary to comply
with the legal mandate without meeting the requirements of this paragraph (e),
provided that the covered entity attempts in good faith to obtain satisfactory
assurances as required by paragraph (e)(3)(i) of this section, and, if such attempt
fails, documents the attempt and the reasons that such assurances cannot be
obtained.
(iii) The covered entity may omit from its other arrangements the termination
authorization required by paragraph (e)(2)(iii) of this section, if such
authorization is inconsistent with the statutory obligations of the covered entity or
its business associate.
(4) Implementation specifications: other requirements for contracts and other
arrangements. (i) The contract or other arrangement between the covered entity
and the business associate may permit the business associate to use the
information received by the business associate in its capacity as a business
associate to the covered entity, if necessary:
(A) For the proper management and administration of the business associate; or
(B) To carry out the legal responsibilities of the business associate.
(ii) The contract or other arrangement between the covered entity and the
business associate may permit the business associate to disclose the information
received by the business associate in its capacity as a business associate for the
purposes described in paragraph (e)(4)(i) of this section, if:
(A) The disclosure is required by law; or
(B)(1) The business associate obtains
reasonable assurances from the person to whom the information is disclosed that

it will be held confidentially and used or further disclosed only as required by law
or for the purpose for which it was disclosed to the person; and
(2) The person notifies the business associate of any instances of which it is aware
in which the confidentiality of the information has been breached.
AMC Explanation of HIPAA Regulation
A covered entity is required to ensure that any business associates with whom it shares protected
health information handle that information in compliance with the privacy regulations. Covered
entities must execute agreements requiring their business associates (and all agents or
subcontractors of those business associates) to handle protected health information in accordance
with HIPAA privacy requirements, and to take remedial action if they become aware that a
business associate is not fulfilling its obligations under such an agreement. The regulation
requires that such agreements contain specific terms, including terms requiring that business
associates report to the covered entity any use or disclosure of protected health information
not provided for by the agreement, and that the same restrictions and conditions be imposed on
any agents or subcontractors to whom the business associate provides that information.
Key Issues
With which persons or organizations is the covered entity required to execute a Chain of
Trust Agreement?
How will security responsibilities and accountabilities be determined, drafted, and
monitored?
What procedure will be followed if another entity refuses to sign a chain of trust
agreement?
How will the risk of a breach of confidentiality or data integrity be distributed among
parties?
What sanctions, other than termination of an agreement, are reasonable to protect all
parties?
Category I Guidelines-Actions must be taken to address these
Develop a Chain of Trust Agreement, which must include:
Signatures of contracting parties. The contracts can be free-standing, or can be
incorporated into, or as an addendum to, another contract.
Contract start date, expiration date, and/or review date. A certification audit must be
documented and attached to the agreement.
Definition of Terms and Conditions, which must include conditions for disclosure of
protected health information, data rights of each party, and minimum levels of
security to be maintained.
Procedures for reporting breaches within a designated time frame.
A method of recording breaches. Each party must be able to provide its incident log
for periodic inspection and upon demand.
Penalties for non-compliance (intentional versus unintentional).
Procedures for the retention and/or destruction of data.
Language requiring that subcontractors to the contracting party comply with the
requirements of HIPAA privacy, together with a mutually agreed method for
monitoring such compliance.

Category II Guidelines-Actions should be taken to address these
Implement a method to identify all of your entity's contracts.
Develop standard contract terms for HIPAA privacy business associate provisions.
Incorporate HIPAA business associate terms into existing contracts as part of your
contract renewal process.
Roadblocks
Insurance requirements or liquidated damages clauses that institutions might require as
protection against a breach by a business partner may be cost-prohibitive for small business
partners, but termination of the contract is not always an adequate remedy on its own.
Comments
As part of a compliance program, business associates should warrant, and the AMC's purchasing
department should confirm, that the trading partner is not excluded from participation in any
government program. Contracts should also include a statement that the business associate
warrants that any subcontractors or agents are not excluded from participation in any government
programs.
The Chain of Trust Agreement in the Supplement includes language for both the proposed
security rule and the privacy rule, except for the third-party beneficiary language.

PRIV.04
Requirements for group health plans
§164.504(f)(1)
HIPAA Requirement
Standard: requirements for group health plans.
(i) Except as provided under paragraph (f)(1)(ii) of this section or as otherwise
authorized under § 164.508, a group health plan, in order to disclose protected
health information to the plan sponsor or to provide for or permit the disclosure
of protected health information to the plan sponsor by a health insurance issuer
or HMO with respect to the group health plan, must ensure that the plan
documents restrict uses and disclosures of such information by the plan sponsor
consistent with the requirements of this subpart.
(ii) The group health plan, or a health insurance issuer or HMO with respect to
the group health plan, may disclose summary health information to the plan
sponsor, if the plan sponsor requests the summary health information for the
purpose of:
(A) Obtaining premium bids from health plans for providing health insurance
coverage under the group health plan; or
(B) Modifying, amending, or terminating the group health plan.
(2) Implementation specifications: requirements for plan documents. The plan
documents of the group health plan must be amended to incorporate provisions
to:
(i) Establish the permitted and required uses and disclosures of such information
by the plan sponsor, provided that such permitted and required uses and
disclosures may not be inconsistent with this subpart.
(ii) Provide that the group health plan will disclose protected health information
to the plan sponsor only upon receipt of a certification by the plan sponsor that
the plan documents have been amended to incorporate the following provisions
and that the plan sponsor agrees to:
(A) Not use or further disclose the information other than as permitted or
required by the plan documents or as required by law;
(B) Ensure that any agents, including a subcontractor, to whom it provides
protected health information received from the group health plan agree to the
same restrictions and conditions that apply to the plan sponsor with respect to
such information;
(C) Not use or disclose the information for employment-related actions and
decisions or in connection with any other benefit or employee benefit plan of the
plan sponsor;
(D) Report to the group health plan any use or disclosure of the information that
is inconsistent with the uses or disclosures provided for of which it becomes
aware;
(E) Make available protected health information in accordance with § 164.524;
(F) Make available protected health information for amendment and incorporate
any amendments to protected health information in accordance with § 164.526;
(G) Make available the information required to provide an accounting of
disclosures in accordance with § 164.528;

(H) Make its internal practices, books, and records relating to the use and
disclosure of protected health information received from the group health plan
available to the Secretary for purposes of determining compliance by the group
health plan with this subpart;
(I) If feasible, return or destroy all protected health information received from the
group health plan that the sponsor still maintains in any form and retain no
copies of such information when no longer needed for the purpose for which
disclosure was made, except that, if such return or destruction is not feasible,
limit further uses and disclosures to those purposes that make the return or
destruction of the information infeasible; and
(J) Ensure that the adequate separation required in paragraph (f)(2)(iii) of this
section is established.
(iii) Provide for adequate separation between the group health plan and the plan
sponsor. The plan documents must:
(A) Describe those employees or classes of employees or other persons under the
control of the plan sponsor to be given access to the protected health information
to be disclosed, provided that any employee or person who receives protected
health information relating to payment under, health care operations of, or other
matters pertaining to the group health plan in the ordinary course of business
must be included in such description;
(B) Restrict the access to and use by such employees and other persons described
in paragraph (f)(2)(iii)(A) of this section to the plan administration functions that
the plan sponsor performs for the group health plan; and
(C) Provide an effective mechanism for resolving any issues of noncompliance by
persons described in paragraph (f)(2)(iii)(A) of this section with the plan
document provisions required by this paragraph.
(3) Implementation specifications: uses and disclosures. A group health plan
may:
(i) Disclose protected health information to a plan sponsor to carry out plan
administration functions that the plan sponsor performs only consistent with the
provisions of paragraph (f)(2) of this section;
(ii) Not permit a health insurance issuer or HMO with respect to the group health
plan to disclose protected health information to the plan sponsor except as
permitted by this paragraph;
(iii) Not disclose and may not permit a health insurance issuer or HMO to
disclose protected health information to a plan sponsor as otherwise permitted by
this paragraph unless a statement required by § 164.520(b)(1)(iii)(C) is included
in the appropriate notice; and
(iv) Not disclose protected health information to the plan sponsor for the purpose
of employment-related actions or decisions or in connection with any other
benefit or employee benefit plan of the plan sponsor.
AMC Explanation of HIPAA Regulation
Group health plans may disclose summary health information to their sponsors for specific
purposes. They may also disclose other protected health information to plan sponsors for
specific purposes, but only after the group health plan's plan documents have been amended to

require the plan sponsor to conform to the HIPAA privacy regulation's provisions. The purposes
for which group health plans may disclose summary health information to their sponsors without
requiring modifications to the plan documents are limited to obtaining premium bids for
providing coverage under the plan, or modifying, amending, or terminating the plan.
Group health plan sponsors are required to make their internal practices, books, and other
internal documents relating to their handling of protected health information obtained from group
health plans available to the Secretary of HHS for the purpose of determining whether the entity
is in compliance.
Key Issues
Determine whether your entity is a group health plan sponsor.
Determine whether your entity is a group health plan.
Determine whether you receive any protected health information from a group health
plan as a group health plan sponsor.
If your entity is a group health plan, define what constitutes summary health information
that will be provided to plan sponsors.
Category I Guidelines-Actions must be taken to address these
A group health plan must amend its plan documents to:
Establish permitted and required uses and disclosures of protected health information
by the plan sponsor;
Describe which workforce members of the plan sponsor will be given access to the
group health plan's protected health information;
Restrict access to and use by these workforce members to the plan administration
functions which the plan sponsor performs for the group health plan;
Provide a procedure for resolving issues of noncompliance.
The group health plan's sponsor must agree to:
Not use or further disclose protected health information provided by the plan other
than as permitted or required by the plan documents or required by law;
Ensure that its agents adhere to the same rules it adheres to;
Not use protected health information for employment-related actions and decisions;
Not use protected health information for any other benefit or employee benefit plan;
Report any improper uses or disclosures of protected health information to the group
health plan.
The group health plan's sponsor must make certain information available to the group
health plan:
Make protected health information available to the group health plan for purposes of
supporting requests to the plan for access to or amendment of protected health
information;
Make the history of disclosures by the plan sponsor available to the group health plan
so that the plan can provide an accounting of disclosures.
The group health plan's sponsor must make its internal practices, books, and records
relating to the use and disclosure of protected health information received from the group
health plan available to the Secretary of HHS for the purpose of determining whether it is
in compliance.

The group health plan's sponsor must (if feasible) return or destroy protected health
information when it is no longer needed.
Category II Guidelines-Actions should be taken to address these
Pay special attention to the provisions prohibiting a group health plan sponsor from using
protected health information obtained from a group health plan for any employment-
related action or decision. Consider clearly documenting which protected health
information has been obtained under this section.
Roadblocks
No roadblocks specific to this point.
Comments
Many AMCs sponsor group health plans in which their employees are enrolled and for which
they serve as third-party payers.

PRIV.05
Requirements for a covered entity with multiple covered functions
§ 164.504(g)
HIPAA Requirement
Standard: requirements for a covered entity with multiple covered functions.
(1) A covered entity that performs multiple covered functions that would make
the entity any combination of a health plan, a covered health care provider, and
a health care clearinghouse, must comply with the standards, requirements, and
implementation specifications of this subpart, as applicable to the health plan,
health care provider, or health care clearinghouse covered functions performed.
(2) A covered entity that performs multiple covered functions may use or
disclose the protected health information of individuals who receive the covered
entity's health plan or health care provider services, but not both, only for
purposes related to the appropriate function being performed.
AMC Explanation of HIPAA Regulation
A covered entity which combines multiple covered functions (that is, which performs the
functions of any combination of a health plan, a health care provider, and a health care
clearinghouse) must comply with the provisions of the HIPAA privacy regulations governing
each covered function it performs. Further, for an individual who receives only one of the
entity's health plan or health care provider services, the entity must restrict its uses and
disclosures of that individual's protected health information to those appropriate to the
function it actually performs for that individual.
Key Issues
If your entity provides both health plan and healthcare provider services, are there
individuals for whom you provide one service but not the other?
Category I Guidelines-Actions must be taken to address these
Identify the individuals for whom you provide only health plan services or only
healthcare provider services.
For individuals for whom you provide only health plan services, limit your uses and
disclosures of their protected health information to those permitted to a health plan by the
regulation.
For individuals for whom you provide only healthcare provider services, limit your uses
and disclosures of their protected health information to those permitted to a healthcare
provider by the regulation.
Category II Guidelines-Actions should be taken to address these
None.
Roadblocks
No roadblocks specific to this point.

Comments
None.

PRIV.06
Group health plans
§ 164.530(k)
HIPAA Requirement
(1) A group health plan is not subject to the standards or implementation
specifications in paragraphs (a) through (f) and (i) of this section, to the extent
that:
(i) The group health plan provides health benefits solely through an insurance
contract with a health insurance issuer or an HMO; and
(ii) The group health plan does not create or receive protected health
information, except for:
(A) Summary health information as defined in § 164.504(a); or
(B) Information on whether the individual is participating in the group health
plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO
offered by the plan.
(2) A group health plan described in paragraph (k)(1) of this section is subject to
the standard and implementation specification in paragraph (j) of this section
only with respect to plan documents amended in accordance with § 164.504(f).
AMC Explanation of HIPAA Regulation
If an entity is a group health plan which provides benefits solely through an insurance contract
with a health insurer or HMO, and if the entity creates or receives no protected health
information other than summary health information and plan participation or enrollment status
information, then the entity is exempt from the administrative requirements of § 164.530(a)
through (f) and (i) (privacy official, training, safeguards, complaints, sanctions, mitigation,
and policies and procedures). It remains subject to the documentation requirement of
§ 164.530(j), but only with respect to plan documents amended under § 164.504(f). The
exemption covers these administrative requirements, not the HIPAA privacy regulations as a
whole.
Key Issues
None.
Category I Guidelines-Actions must be taken to address these
Determine whether your entity is exempt under this section.
Category II Guidelines-Actions should be taken to address these
None.
Roadblocks
No roadblocks specific to this point.
Comments
None.