164.504(d)

Affiliated Covered Entities:

10.4.1. Legally separate CEs that are affiliated may designate themselves (including any health care component) as a single covered entity if all CEs so designated are under common ownership or control; such designation must be documented in accordance with 164.530(j) [¶ 11.3.10].

10.4.2. Affiliated CE must ensure that its use and disclosure of PHI complies with applicable requirements of the regulations, and that if the affiliated CE combines functions of a health plan, a provider, or a health care clearinghouse, it complies with 164.504(g) [¶ 10.7.].

164.502(e)

Disclosures to Business Associates (BAs)

164.504(e)

10.5.1. Standard for disclosures to BAs: CE may disclose PHI, or allow BA to create or receive PHI on CE's behalf, if CE obtains assurance that BA will safeguard the information; this standard does not apply with respect to:

10.5.1.1. Disclosure by CE to a provider concerning the individual's treatment;

10.5.1.2. Disclosure by group health plan, or health insurance issuer or HMO with respect to the plan, when requirements of ¶ 10.6. are met; or

10.5.1.3. Uses/disclosures by health plan that is a governmental program providing public benefits, regarding PHI collected or shared for determination of eligibility or enrollment, where such information is collected, or eligibility or enrollment is determined, by an agency other than the one administering the plan, and such activity is authorized by law.

164.502(e)(2); 164.504(e)

10.5.2. CE must document assurances through a written agreement or other arrangement meeting the following requirements:

10.5.2.1. Establish permitted and required uses/disclosures of PHI that are consistent with those authorized for the CE under the regulations, except that the contract/arrangement:

10.5.2.1.1. May permit BA to use/disclose PHI for management and administration of the BA: (i) if disclosure is required by law, or (ii) if BA obtains reasonable assurances that the PHI will be held confidentially and used/disclosed only as required by law or for the purpose of the disclosure, and the person notifies BA of any breach of confidentiality; and

10.5.2.1.2. May permit BA to provide data aggregation services relating to the health care operations of the CE;

10.5.2.2. Provide that the BA will:

10.5.2.2.1. Not use/disclose PHI except as authorized or as required by law;

10.5.2.2.2. Use safeguards to prevent unauthorized uses/disclosures;

10.5.2.2.3. Report unauthorized uses/disclosures to CE;

10.5.2.2.4. Pass on same obligations to subcontractors/agents;

10.5.2.2.5. Make PHI available for access and/or amendment by individuals in accordance with the provisions of 164.524 and 164.526 [¶ 8.1. and ¶ 8.3.];

10.5.2.2.6. Make information available for provision of accounting of uses/disclosures [¶ 11.2.];

10.5.2.2.7. Make information available to the Secretary of HHS for purposes of determining CE's compliance with the regulations; and

10.5.2.2.8. Return or destroy all PHI at termination of the contract, or offer ongoing protection for PHI.

10.5.2.3. Authorize termination of the contract by the CE upon material breach by the BA.

164.504(e)(1)

10.5.3. If CE knows of a pattern or practice of material non-compliance by the BA, and reasonable steps have not cured the breach, CE must do one of the following:

10.5.3.1. Terminate the contract, if feasible; or

10.5.3.2. Report the problem to the Secretary of HHS.

164.504(e)(3)(i)

10.5.4. If CE and BA are both governmental entities, CE may comply with requirements of a BA agreement:

10.5.4.1. By entering into a Memorandum of Understanding covering the required terms; or

10.5.4.2. If other law contains requirements applicable to the BA that satisfy the objectives of the terms.

164.504(e)(3)(ii)

10.5.5. If a BA is required by law to perform a function or activity or to perform a specified service on behalf of a CE, the CE may disclose PHI to the extent necessary to comply with that mandate, as long as CE documents an attempt to obtain the enumerated BA assurances and the reasons such assurances could not be obtained.

164.504(e)(3)(iii)

10.5.6. CE may omit requirement for termination provision in contract if it would be inconsistent with statutory obligations of CE or BA.

164.504(f)

164.504(f)(1)

10.6.1. Generally, in order for a group health plan to use or disclose PHI to the plan sponsor or to permit disclosure of PHI to the plan sponsor by a health insurance issuer or HMO for the plan, the group health plan must ensure that plan documents restrict uses and disclosures by the plan sponsor consistent with the requirements of the regulations, except when the use/disclosure:

10.6.1.1. Is made under the terms of an authorization pursuant to 164.508 [¶ 7.]; or

10.6.1.2. Involves summary health information disclosed to the plan sponsor in response to a request to use the information for the purposes of obtaining premium bids from health plans for providing coverage under the group health plan or modifying, amending or terminating the group health plan. The group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose to the plan sponsor information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered plan.