HIPAA Privacy Regulations: Organizational Requirements Definitions - § 164.504(a)
As Contained in the HHS HIPAA Privacy Rules
HHS Regulations as Amended August 2002 |
(a) Definitions. As used in this section:
Plan administration functions means administration functions performed by the plan sponsor of a group health plan on behalf of the group health plan and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor.
Summary health information means information, that may be individually identifiable health information, and:
(1) That summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan; and
(2) From which the information described at §164.514(b)(2)(i) has been deleted, except that the geographic information described in §164.514(b)(2)(i)(B) need only be aggregated to the level of a five digit zip code.
HHS Description of and Commentary on August 2002 Revisions Organizational Requirements Definitions |
Note that the definitions of common control, common ownership, health care component, and hybrid entity have been relocated to § 164.103 as a result of the Security Regulations.
December 2000 Privacy Rule. The Privacy Rule, as published in December 2000, defined covered entities that primarily engage in activities that are not “covered functions,” that is, functions that relate to the entity’s operation as a health plan, health care provider, or health care clearinghouse, as hybrid entities. See 45 CFR 164.504(a). Examples of hybrid entities were: (1) corporations that are not in the health care industry, but that operate on-site health clinics that conduct the HIPAA standard transactions electronically; and (2) insurance carriers that have multiple lines of business that include both health insurance and other insurance lines, such as general liability or property and casualty insurance.
Under the December 2000 Privacy Rule, a hybrid entity was required to define and designate those parts of the entity that engage in covered functions as one or more health care component(s). A hybrid entity also was required to include in the health care component(s) any other components of the entity that support the covered functions in the same way such support may be provided by a business associate (e.g., an auditing component). The health care component was to include such “business associate” functions for two reasons: (1) it is impracticable for the entity to contract with itself; and (2) having to obtain an authorization for disclosures to such support components would limit the ability of the hybrid entity to engage in necessary health care operations functions. In order to limit the burden on hybrid entities, most of the requirements of the Privacy Rule only applied to the health care component(s) of the entity and not to the parts of the entity that do not engage in covered functions.
The hybrid entity was required to create adequate separation, in the form of firewalls, between the health care component(s) and other components of the entity. Transfer of protected health information held by the health care component to other components of the hybrid entity was a disclosure under the Privacy Rule and was allowed only to the same extent such a disclosure was permitted to a separate entity.
In the preamble to the December 2000 Privacy Rule, the Department explained that the use of the term “primary” in the definition of a “hybrid entity” was not intended to operate with mathematical precision. The Department further explained that it intended a common sense evaluation of whether the covered entity mostly operates as a health plan, health care provider, or health care clearinghouse. If an entity’s primary activity was a covered function, then the whole entity would have been a covered entity and the hybrid entity provisions would not have applied. However, if the covered entity primarily conducted non-health activities, it would have qualified as a hybrid entity and would have been required to comply with the Privacy Rule with respect to its health care component(s). See 65 FR 82502.
March 2002 NPRM. Since the publication of the final Rule, concerns were raised that the policy guidance in the preamble was insufficient so long as the Privacy Rule itself limited the hybrid entity provisions to entities that primarily conducted non-health related activities. In particular, concerns were raised about whether entities, which have the health plan line of business as the primary business and an excepted benefits line, such as workers’ compensation insurance, as a small portion of the business, qualified as hybrid entities. There were also concerns about how “primary” was to be defined, if it was not a mathematical calculation, and how an entity would know whether or not it was a hybrid entity based on the guidance in the preamble.
As a result of these comments, the Department proposed to delete the term “primary” from the definition of “hybrid entity” in § 164.504(a) and permit any covered entity that is a single legal entity and that performs both covered and non-covered functions to choose whether or not to be a hybrid entity for purposes of the Privacy Rule. Under the proposal, any covered entity could be a hybrid entity regardless of whether the non-covered functions represent the entity’s primary functions, a substantial function, or even a small portion of the entity’s activities. In order to be a hybrid entity under the proposal, a covered entity would have to designate its health care component(s). If the covered entity did not designate any health care component(s), the entire entity would be a covered entity and, therefore, subject to the Privacy Rule. Since the entire entity would be the covered entity, § 164.504(c)(2) requiring firewalls between covered and non-covered portions of hybrid entities would not apply.
The Department explained in the preamble to the proposal that there are advantages and disadvantages to being a hybrid entity. Whether or not the advantages outweigh the disadvantages would be a decision for each covered entity that qualified as a hybrid entity, taking into account factors such as how the entity was organized and the proportion of the entity that must be included in the health care component.
The Department also proposed to simplify the definition of “health care component” in § 164.504(a) to make clear that a health care component is whatever the covered entity designates as the health care component, consistent with the provisions regarding designation in proposed § 164.504(c)(3)(iii). The Department proposed to move the specific language regarding which components make up a health care component to the implementation specification that addresses designation of health care components at § 164.504(c)(3)(iii). At § 164.504(c)(3)(iii), the Department proposed that a health care component could include: (1) components of the covered entity that engage in covered functions, and (2) any component that engages in activities that would make such component a business associate of a component that performs covered functions, if the two components were separate legal entities. In addition, the Department proposed to make clear at § 164.504(c)(3)(iii) that a hybrid entity must designate as a health care component(s) any component that would meet the definition of “covered entity” if it were a separate legal entity.
There was some ambiguity in the December 2000 Privacy Rule as to whether a health care provider that does not conduct electronic transactions for which the Secretary has adopted standards (i.e., a non-covered health care provider) and which is part of a larger covered entity was required to be included in the health care component. To clarify this issue, the proposal also would allow a hybrid entity the discretion to include in its health care component a non-covered health care provider component. Including a non-covered health care provider in the health care component would subject the non-covered provider to the Privacy Rule. Accordingly, the Department proposed a conforming change in § 164.504(c)(1)(ii) to make clear that a reference to a “covered health care provider” in the Privacy Rule could include the functions of a health care provider who does not engage in electronic transactions, if the covered entity chooses to include such functions in the health care component.
The proposal also would permit a hybrid entity to designate otherwise non-covered portions of its operations that provide services to the covered functions, such as parts of the legal or accounting divisions of the entity, as part of the health care component, so that protected health information could be shared with such functions of the entity without business associate agreements or individual authorizations. The proposal would not require that the covered entity designate entire divisions as in or out of the covered component. Rather, it would permit the covered entity to designate functions within such divisions, such as the functions of the accounting division that support health insurance activities, without including those functions that support life insurance activities. The Department proposed to delete as unnecessary and redundant the related language in paragraph (2)(ii) of the definition of “health care component” in the Privacy Rule that requires the “business associate” functions include the use of protected health information.
Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, “Response to Other Public Comments.”
The Department received relatively few comments on its proposal regarding hybrid entities. A number of comments supported the proposal, appreciative of the added flexibility it would afford covered entities in their compliance efforts. For example, some drug stores stated that the proposal would provide them with the flexibility to designate health care components, whereas under the December 2000 Rule, these entities would have been required to subject their entire business, including the “front end” of the store which is not associated with dispensing prescription drugs, to the Privacy Rule’s requirements.
Some health plans and other insurers also expressed strong support for the proposal. These comments, however, seemed to be based on a misinterpretation of the uses and disclosures the proposal actually would permit. These commenters appear to assume that the proposal would allow information to flow freely between non-covered and covered functions in the same entity, if that entity chose not to be a hybrid entity. For example, commenters explained that they interpreted the proposal to mean that a multi-line insurer which does not elect hybrid entity status would be permitted to share protected health information between its covered lines and its otherwise non-covered lines. It was stated that such latitude would greatly enhance multi-line insurers’ ability to detect and prevent fraudulent activities and eliminate barriers to sharing claims information between covered and non-covered lines of insurance where necessary to process a claim.
Some commenters opposed the Department’s hybrid entity proposal, stating that the proposal would reduce the protections afforded under the Privacy Rule and would be subject to abuse. Commenters expressed concerns that the proposal would allow a covered entity with only a small health care component to avoid the extra protections of creating firewalls between the health care component and the rest of the organization. Moreover, one of the commenters stated that the proposal could allow a covered entity that is primarily performing health care functions to circumvent the requirements of the Rule for a large part of its operations by designating itself a hybrid and excluding from the health care component a non-covered health care provider function, such as a free nurse advice line that does not bill electronically. In addition, it was stated that the ambiguous language in the proposal could potentially be construed as allowing a hybrid entity to designate only the business associate-like functions as the health care component, and exclude covered functions. The commenter urged the Department to clarify that a hybrid entity must, at a minimum, designate a component that performs covered functions as a health care component, and that a health care provider cannot avoid having its treatment component considered a health care component by relying on a billing department to conduct its standard electronic transactions. These commenters urged the Department to retain the existing policy by requiring those organizations whose primary functions are not health care to be hybrid entities and to institute firewall protections between their health care and other components.
Final Modifications. After consideration of the comments, the Department adopts in the final Rule the proposed approach to provide covered entities that otherwise qualify the discretion to decide whether to be a hybrid entity. To do so, the Department eliminates the term “primary” from the definition of “hybrid entity” at § 164.504(a). Any covered entity that otherwise qualifies (i.e., is a single legal entity that performs both covered and non-covered functions) and that designates health care component(s) in accordance with § 164.504(c)(3)(iii) is a hybrid entity. A hybrid entity is required to create adequate separation, in the form of firewalls, between the health care component(s) and other components of the entity. Transfer of protected health information held by the health care component to other components of the hybrid entity continues to be a disclosure under the Privacy Rule, and, thus, allowed only to the same extent such a disclosure is permitted to a separate entity.
Most of the requirements of the Privacy Rule continue to apply only to the health care component(s) of a hybrid entity. Covered entities that choose not to designate health care component(s) are subject to the Privacy Rule in their entirety.
The final Rule regarding hybrid entities is intended to provide a covered entity with the flexibility to apply the Privacy Rule as best suited to the structure of its organization, while maintaining privacy protections for protected health information within the organization. In addition, the policy in the final Rule simplifies the Privacy Rule and makes moot any questions about what “primary” means for purposes of determining whether an entity is a hybrid entity.
The final Rule adopts the proposal’s simplified definition of “health care component,” which makes clear that a health care component is what the covered entity designates as the health care component. The Department makes a conforming change in § 164.504(c)(2)(ii) to reflect the changes to the definition of “health care component.” The final Rule at § 164.504(c)(3)(iii) requires a health care component to include a component that would meet the definition of a “covered entity” if it were a separate legal entity. The Department also modifies the language of the final Rule at § 164.504(c)(3)(iii) to clarify that only a component that performs covered functions, and a component to the extent that it performs covered functions or activities that would make such component a business associate of a component that performs covered functions if the two components were separate legal entities, may be included in the health care component. “Covered functions” are defined at § 164.501 as “those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse.”
As in the proposal, the Department provides a hybrid entity with some discretion as to what functions may be included in the health care component in two ways. First, the final Rule clarifies that a hybrid entity may include in its health care component a non-covered health care provider component. Accordingly, the Department adopts the proposed conforming change to § 164.504(c)(1)(ii) to make clear that a reference to a “covered health care provider” in the Privacy Rule may include the functions of a health care provider who does not engage in electronic transactions for which the Secretary has adopted standards, if the covered entity chooses to include such functions in the health care component. A hybrid entity that chooses to include a non-covered health care provider in its health care component is required to ensure that the non-covered health care provider, as well as the rest of the health care component, is in compliance with the Privacy Rule.
Second, the final Rule retains the proposed policy to provide hybrid entities with discretion as to whether or not to include business associate-like divisions within the health care component. It is not a violation of the Privacy Rule to exclude such divisions from the health care component. However, a disclosure of protected health information from the health care component to such other division that is not part of the health care component is the same as a disclosure outside the covered entity. Because an entity cannot have a business associate contract with itself, such a disclosure likely will require individual authorization.
The Department clarifies, in response to comments, that a health care provider cannot avoid being a covered entity and, therefore, part of a health care component of a hybrid entity just by relying on a billing department to conduct standard transactions on its behalf. A health care provider is a covered entity if standard transactions are conducted on his behalf, regardless of whether the provider or a business associate (or billing department within a hybrid entity) actually conducts the transactions. In such a situation, however, designating relevant parts of the business associate division as part of the health care component would facilitate the conduct of health care operations and payment.
Also in response to comments, the Department clarifies that even if a covered entity does not choose to be a hybrid entity, and therefore is not required to erect firewalls around its health care functions, the entity still only is allowed to use protected health information as permitted by the Privacy Rule, for example, for treatment, payment, and health care operations. Additionally, the covered entity is still subject to minimum necessary restrictions under '§ 164.502 and 164.514(d), and, thus, must have policies and procedures that describe who within the entity may have access to the protected health information. Under these provisions, workforce members may be permitted access to protected health information only as necessary to carry out their duties with respect to the entity’s covered functions. For example, the health insurance line of a multi-line insurer is not permitted to share protected health information with the life insurance line for purposes of determining eligibility for life insurance benefits or any other life insurance purposes absent an individual’s written authorization. However, the health insurance line of a multi-line insurer may share protected health information with another line of business pursuant to § 164.512(a), if, for example, State law requires an insurer that receives a claim under one policy to share that information with other lines of insurance to determine if the event also may be payable under another insurance policy. Furthermore, the health plan may share information with another line of business if necessary for the health plan’s coordination of benefits activities, which would be a payment activity of the health plan.
Given the above restrictions on information flows within the covered entity, the Department disagrees with those commenters who raised concerns that the proposed policy would weaken the Rule by eliminating the formal requirement for “firewalls.” Even if a covered entity does not designate health care component(s) and, therefore, does not have to establish firewalls to separate its health care function(s) from the non-covered functions, the Privacy Rule continues to restrict how protected health information may be used and shared within the entity and who gets access to the information.
Further, the Department does not believe that allowing a covered entity to exclude a non-covered health care provider component from its health care component will be subject to abuse. Excluding health care functions from the health care component has significant implications under the Rule. Specifically, the Privacy Rule treats the sharing of protected health information from a health care component to a non-covered component as a disclosure, subject to the same restrictions as a disclosure between two legally separate entities. For example, if a covered entity decides to exclude from its health care component a non-covered provider, the health care component is then restricted from disclosing protected health information to that provider for any of the non-covered provider’s health care operations, absent an individual’s authorization. See § 164.506(c). If, however, the non-covered health care provider function is not excluded, it would be part of the health care component and that information could be used for its operations without the individual’s authorization.
Response to Other Public Comments.
Comment: A number of academic medical centers expressed concern that the Privacy Rule prevents them from organizing for compliance in a manner that reflects the integration of operations between the medical school and affiliated faculty practice plans and teaching hospitals. These commenters stated that neither the proposal nor the existing Rule would permit many academic medical centers to designate themselves as either a hybrid or affiliated entity, since the components of each must belong to a single legal entity or share common ownership or control. These commenters also explained that a typical medical school would not appear to qualify as an organized health care arrangement (OHCA) because it does not engage in any of the requisite joint activities, for example, quality assessment and improvement activities, on behalf of the covered entity. It was stated that it is essential that there not be impediments to the flow of information within an academic medical center. These commenters, therefore, urged that the Department add a definition of “academic medical center” to the Privacy Rule and modify the definition of “common control” to explicitly apply to the components of an academic medical center, so as to ensure that academic medical centers qualify as affiliated entities for purposes of the Rule.
Response: The Department does not believe that a modification to include a special rule for academic medical centers is warranted. The Privacy Rule’s organizational requirements at § 164.504 for hybrid entities and affiliated entities, as well as the definition of “organized health care arrangement” in § 164.501, provide covered entities with much flexibility to apply the Rule’s requirements as best suited to the structure of their businesses. However, in order to maintain privacy protections, the Privacy Rule places appropriate conditions on who may qualify for such organizational options, as well as how information may flow within such constructs. Additionally, if the commenter is suggesting that information should flow freely between the covered and non-covered functions within an academic medical center, the Department clarifies that the Privacy Rule restricts the sharing of protected health information between covered and non-covered functions, regardless of whether the information is shared within a single covered entity or a hybrid entity, or among affiliated covered entities or covered entities participating in an OHCA. Such uses and disclosures may only be made as permitted by the Rule.
Comment: A few commenters expressed concern with respect to governmental hybrid entities having to include business associate-like divisions within the health care component or else being required to obtain an individual’s authorization for disclosures to such division. It was stated that this concept does not take into account the organizational structures of local governments and effectively forces such governmental hybrid entities to bring those components that perform business associate type functions into their covered component. Additionally, a commenter stated that this places an undue burden on local government by essentially requiring that functions, such as auditor/controller or county counsel, be treated as fully covered by the Privacy Rule in order to minimize otherwise considerable risk. Commenters, therefore, urged that the Department allow a health care component to enter into a memorandum of understanding (MOU) or other agreement with the business associate division within the hybrid entity. Alternatively, it was suggested that a governmental hybrid entity be permitted to include in its notice of privacy practices the possibility that information may be shared with other divisions within the same government entity for specific purposes.
Response: The Department clarifies that a covered entity which chooses to include its business associate division within the health care component may only do so to the extent such division performs activities on behalf of, or provides services to, the health care component. That same division’s activities with respect to non-covered activities may not be included. To clarify this point, the Department modified the proposed language in § 164.504(c)(3)(iii) to provide that a health care component may only include a component to the extent that it performs covered functions or activities that would make such component a business associate of a component that performs covered functions if the two components were separate legal entities. For example, employees within an accounting division may be included within the health care component to the extent that they provide services to such component. However, where these same employees also provide services to non-covered components of the entity, their activities with respect to the health care component must be adequately separated from their other non-covered functions.
While the Department does not believe that a MOU between governmental divisions within a hybrid entity may be necessary given the above clarification, the Department notes that a governmental hybrid entity may elect to have its health care component enter into a MOU with its business associate division, provided that such agreement is legally binding and meets the relevant requirements of § 164.504(e)(3) and (e)(4). Such agreement would eliminate the need for the health care component to include the business associate division or for obtaining the individual’s authorization to disclose to such division.
Additionally, the Department encourages covered entities to develop a notice of privacy practices that is as specific as possible, which may include, for a government hybrid entity, a statement that information may be shared with other divisions within the government entity as permitted by the Rule. However, the notice of privacy practices is not an adequate substitute for, as appropriate, a memorandum of understanding; designation of business associate functions as part of a health care component; or alternatively, conditioning disclosures to such business associate functions on individuals’ authorizations.
Comment: One commenter requested a clarification that a pharmacy-convenience store, where the pharmacy itself is a separate enclosure under supervision of a licensed pharmacist, is not a hybrid entity.
Response: The Department clarifies that a pharmacy-convenience store, if a single legal entity, is permitted, but not required, to be a hybrid entity and designate the pharmacy as the health care component. Alternatively, such an entity may choose to be a covered entity in its entirety. However, if the pharmacy and the convenience store are separate legal entities, the convenience store is not a covered entity simply by virtue of sharing retail space with the covered pharmacy.
Comment: Another commenter stated that the Rule implies that individual providers, once covered, are covered for all circumstances even if they are employed by more than one entity B one sending transactions electronically but not the other B or if the individual provider changes functions or employment and no longer electronically transmits standard transactions. This commenter asked that either the Rule permit an individual provider to be a hybrid entity (recognizing that there are times when an individual provider may be engaging in standard transactions, and other times when he is not), or that the definition of a “covered entity” should be modified so that individual providers are themselves classified as covered entities only when they are working as individuals.
Response: A health care provider is not a covered entity based on his being a workforce member of a health care provider that conducts the standard transactions. Thus, a health care provider may maintain a separate uncovered practice (if he does not engage in standard transactions electronically in connection with that practice), even though the provider may also practice at a hospital which may be a covered entity. However, the Rule does not permit an individual provider to use hybrid entity status to eliminate protections on information when he is not conducting standard transactions. If a health care provider conducts standard transactions electronically on his own behalf, then the protected health information maintained or transmitted by that provider is covered, regardless of whether the information is actually used in such transactions.
Comment: One commenter requested a clarification that employers are not hybrid entities simply because they may be the plan sponsor of a group health plan.
Response: The Department clarifies that an employer is not a hybrid entity simply because it is the plan sponsor of a group health plan. The employer/plan sponsor and group health plan are separate legal entities and, therefore, do not qualify as a hybrid entity. Further, disclosures from the group health plan to the plan sponsor are governed specifically by the requirements of § 164.504(f).
Comment: A few commenters asked the Department to permit a covered entity with multiple types of health care components to tailor notices to address the specific privacy practices within a component, rather than have just one generic notice for the entire covered entity.
Response: Covered entities are allowed to provide a separate notice for each separate health care component, and are encouraged to provide individuals with the most specific notice possible.
HHS Description from Original Rulemaking Organizational Requirements Definitions |
In the preamble to the proposed rule we introduced the concept of a “component entity” to differentiate the health care unit of a larger organization from the larger organization. In the proposal we noted that some organizations that are primarily involved in non-health care activities do provide health care services or operate health plans or health care clearinghouses. Examples included a school with an on-site health clinic and an employer that self administers a sponsored health plan. In such cases, the proposal said that the health care component of the entity would be considered the covered entity, and any release of information from that component to another office or person in the organization would be a regulated disclosure. We would have required such entities to create barriers to prevent protected health information from being used or disclosed for activities not authorized or permitted under the proposal.
We discuss group health plans and their relationships with plan sponsors below under “Requirements for Group Health Plans.”
In the final rule we address the issue of differentiating health plan, covered health care provider and health care clearinghouse activities from other functions carried out by a single legal entity in paragraphs (a)-(c) of § 164.504. We have created a new term, “hybrid entity”, to describe the situation where a health plan, health care provider, or health care clearinghouse is part of a larger legal entity; under the definition, a “hybrid entity” is “a single legal entity that is a covered entity and whose covered functions are not its primary functions.” The term “covered functions” is discussed above under § 164.501. By “single legal entity” we mean a legal entity, such as a corporation or partnership, that cannot be further differentiated into units with their own legal identities. For example, for purposes of this rule a multinational corporation composed of multiple subsidiary companies would not be a single legal entity, but a small manufacturing firm and its health clinic, if not separately incorporated, could be a single legal entity.
The health care component rules are designed for the situation in which the health care functions of the legal entity are not its dominant mission. Because some part of the legal entity meets the definition of a health plan or other covered entity, the legal entity as a whole could be required to comply with the rules below. However, in such a situation, it makes sense not to require the entire entity to comply with the requirements of the rules below, when most of its activities may have little or nothing to do with the provision of health care; rather, as a practical matter, it makes sense for such an entity to focus its compliance efforts on the component that is actually performing the health care functions. On the other hand, where most of what the covered entity does consists of covered functions, it makes sense to require the entity as a whole to comply with the rules. The provisions at §§ 164.504(a)-(c) provide that for a hybrid entity, the rules apply only to the part of the entity that is the health care component. At the same time, the lack of corporate boundaries increases the risk that protected health information will be used in a manner that would not otherwise be permitted by these rules. Thus, we require that the covered entity erect firewalls to protect against the improper use or disclosure within or by the organization. See § 164.504(c)(2).
The term “primary functions” in the definition of “hybrid entity” is not meant to operate with mathematical precision. Rather, we intend that a more common sense evaluation take place: is most of what the covered entity does related to its health care functions? If so, then the whole entity should be covered. Entities with different insurance lines, if not separately incorporated, present a particular issue with respect to this analysis. Because the definition of “health plan” excludes many types of insurance products (in the exclusion under paragraph (2)(i) of the definition), we would consider an entity that has one or more of these lines of insurance in addition to its health insurance lines to come within the definition of “hybrid entity,” because the other lines of business constitute substantial parts of the total business operation and are required to be separate from the health plan(s) part of the business.
An issue that arises in the hybrid entity situation is what records are covered in the case of an office of the hybrid entity that performs support functions for both the health care component of the entity and for the rest of the entity. For example, this situation could arise in the context of a company with an onsite clinic (which we will assume is a covered health care provider), where the company's business office maintains both clinic records and the company's personnel records. Under the definition of the term “health care component,” the business office is part of the health care component (in this hypothetical, the clinic) “to the extent that” it is performing covered functions on behalf of the clinic involving the use or disclosure of protected health information that it receives from, creates or maintains for the clinic. Part of the business office, therefore, is part of the health care component, and part of the business office is outside the health care component. This means that the non-health care component part of the business office is not covered by the rules below. Under our hypothetical, then, the business office would not be required to handle its personnel records in accordance with the rules below. The hybrid entity would be required to establish firewalls with respect to these record systems, to ensure that the clinic records were handled in accordance with the rules.
With respect to excepted benefits, the rules below operate as follows. (Excepted benefits include accident, disability income, liability, workers' compensation and automobile medical payment insurance.) Excepted benefit programs are excluded from the health care component (or components) through the definition of “health plan.” If a particular organizational unit performs both excepted benefits functions and covered functions, the activities associated with the excepted benefits program may not be part of the health care component. For example, an accountant who works for a covered entity with both a health plan and a life insurer would have his or her accounting functions performed for the health plan as part of the component, but not the life insurance accounting function. See § 164.504(c)(2)(iii). We require this segregation of excepted benefits because HIPAA does not cover such programs, policies and plans, and we do not permit any use or disclosure of protected health information for the purposes of operating or performing the functions of the excepted benefits without authorization from the individual, except as otherwise permitted in this rule.
In § 164.504(c)(2) we require covered entities with a health care component to establish safeguard policies and procedures to prevent any access to protected health information by its other organizational units that would not be otherwise permitted by this rule. We note that Sec. 1173 (d)(1)(B) of HIPAA requires policies and procedures to isolate the activities of a health care clearinghouse from a “larger organization” to prevent unauthorized access by the larger organization. This safeguard provision is consistent with the statutory requirement and extends to any covered entity that performs “non-covered entity functions” or operates or conducts functions of more than one type of covered entity.
Because, as noted, the covered entity in the hybrid entity situation is the legal entity itself, we state explicitly what is implicitly the case, that the covered entity (legal entity) remains responsible for compliance vis-a-vis subpart C of part 160. See § 164.504(c)(3)(i). We do this simply to make these responsibilities clear and to avoid confusion on this point. Also, in the hybrid entity situation the covered entity/legal entity has control over the entire workforce, not just the workforce of the health care component. Thus, the covered entity is in a position to implement policies and procedures to ensure that the part of its workforce that is doing mixed or non-covered functions does not impermissibly use or disclose protected health information. Its responsibility to do so is clarified in § 164.504(c)(3)(ii).
HHS Response to Comments Received from Original Rulemaking Organizational Requirements Definitions |
Comment: A few commenters asked that the concept of “use” be modified to allow uses within an integrated healthcare delivery system. Commenters argued that the rule needs to ensure that the full spectrum of treatment is protected from the need for authorizations at the points where treatment overlaps entities. It was explained that, for example, treatment for a patient often includes services provided by various entities, such as by a clinic and hospital, or that treatment may also necessitate referrals from one provider entity to another unrelated entity. Further, the commenter argued that the rule needs to ensure that the necessary payment and health care operations can be carried out across entities without authorizations.
Response: The Department understands that in today's health care industry, the organization of and relationships among health care entities are highly complex and varied. We modify the proposed rule significantly to allow affiliated entities to designate themselves as a single covered entity. A complex organization, depending on how it self-designates, may have one or several “health care component(s)” that are each a covered entity. Aggregation into a single covered entity will allow the entities to use a single notice of information practices and will allow providers that must obtain consent for uses and disclosures for treatment, payment, and operations to obtain a single consent.
We do not allow this type of aggregation for unrelated entities, as suggested by some commenters, because unrelated entities' information practices will be too disparate to be accurately reflected on a single consent or notice form. Our policies on when consent and authorization are required for sharing information among unrelated entities, and the rationale for these policies, is described in §§ 164.506 and 164.508 and corresponding preamble.
As discussed above, in the final rule we have added a definition of organized health care arrangement and permit covered entities participating in such arrangements to disclose protected health information to support the health care operations of the arrangement. See the preamble discussion of the definitions of organized health care arrangement and health care operations, § 164.501.
Comment: Some commenters expressed concern that the requirement to obtain authorization for the disclosure of information to a non-health related division of the covered entity would impede covered entities' ability to engage in otherwise-permissible activities such as health care operations. Some of these commenters requested clarification that covered entities are only required to obtain authorization for disclosures to non-health related divisions if the disclosure is for marketing purposes.
Response: In the final rule, we remove the example of use and disclosure to non-health related divisions of the covered entity from the list of examples of uses and disclosures requiring authorization in § 164.508. We determined that the example could lead covered entities to the mistaken conclusion that some uses or disclosures that would otherwise be permitted under the rule without authorization would require authorization when made to a non-health related division of the covered entity. In the final rule, we clarify that disclosure to a non-health related division does not require authorization if the use or disclosure is otherwise permitted or required under the rule. For example, in § 164.501 we define health care operations to include conducting or arranging for legal and auditing services. A covered entity that is the health care component of a larger entity is permitted under the final rule to include the legal department of the larger entity as part of the health care component. The covered entity may not, however, generally permit the disclosure of protected health information from the health care component to non-health related divisions unless they support the functions of the health care component and there are policies and procedures in place to restrict the further use to the support of the health related functions.
Comment: Many commenters, especially those who employed providers, supported our position in the proposed rule to consider only the health care component of an entity to be the covered entity. They stated that this was a balanced approach that would allow them to continue conducting business. Some commenters felt that there was ambiguity in the regulation text of the proposed rule and requested that the final rule explicitly clarify that only the health care component is considered the covered entity, not the entity itself. Similarly, another commenter requested that we clarify that having a health care component alone did not make the larger entity a covered entity under the rule.
Response: We appreciate the support of the commenters on the health care component approach and we agree that there was some ambiguity in the proposed rule. The final rule creates a new § 164.504(b) for health care components. Under § 164.504(b), for a covered entity that is a single legal entity which predominantly performs functions other than the functions performed by a health plan, provider, or clearinghouse, the privacy rules apply only to the entity's health care component. A policy, plan, or program that is an “excepted benefit” under section 2791(c)(1) of HIPAA cannot be part of a health care component because it is expressly excluded from the definition of “health plan” for the reasons discussed above. The health care component is prohibited from sharing protected health information outside of the component, except as otherwise permitted or required by the regulation.
At a minimum, the health care component includes the organizational units of the covered entity that operate as or perform the functions of the health plan, health care provider, or clearinghouse and does not include any unit or function of the excepted benefits plan, policy, or program. While the covered entity remains responsible for compliance with this rule because it is responsible for the actions of its workforce, we otherwise limit the responsibility to comply to the health care component of the covered entity. The requirements of this rule apply only to the uses and disclosures of the protected health information by the component entity. See § 164.504(b).
Comment: Some commenters stated that the requirement to erect firewalls between different components would unnecessarily delay treatment, payment, and health care operations and thereby increase costs. Other commenters stressed that it is necessary to create firewalls between the health care component and the larger entity to prevent unauthorized disclosures of protected health information.
Response: We believe that the requirement to implement firewalls or safeguards is necessary to provide meaningful privacy protections, particularly because the health care component is part of a larger legal organization that performs functions other than those covered under this rule. Without the safeguard requirement we cannot ensure that the component will not share protected health information with the larger entity. While we do not specifically identify the safeguards that are required, the covered entity must implement policies and procedures to ensure that: the health care component's use and disclose of protected health information complies with the regulation; members of the health care component who perform duties for the larger entity do not use and disclose protected health information obtained through the health care component while performing non-component functions unless otherwise permitted or required by the regulation; and when a covered entity conducts multiple functions regulated under this rule, the health care component adheres to the appropriate requirements (e.g. when acting as a health plan, adheres to the health plan requirements) and uses or discloses protected health information of individuals who receive limited functions from the component only for the appropriate functions. See §§ 164.504(c)(2) and 164.504(g). For example, a covered entity that includes both a hospital and a health plan may not use protected health information obtained from an individual's hospitalization for the health plan, unless the individual is also enrolled in the health plan. We note that covered entities are permitted to make a disclosure to a health care provider for treatment of an individual without restrictions.
Comment: One commenter stated that multiple health care components of a single organization should be able to be treated as a single component entity for the purposes of this rule. Under this approach, they argued, one set of policies and procedures would govern the entire component and protected health information could be shared among components without authorization. Similarly, other commenters stated that corporate subsidiaries and affiliated entities should not be treated as separate covered entities.
Response: We agree that some efficiencies may result from designating multiple component entities as a single covered entity. In the final rule we allow legally distinct covered entities that share common ownership or control to designate themselves or their health care components as a single covered entity. See § 164.504(d). Common ownership is defined as an ownership or equity interest of five percent or more. Common control exists if an entity has the power - directly or indirectly - to significantly influence or direct the actions or policies of another entity. If the affiliated entity contains health care components, it must implement safeguards to prevent the larger entity from using protected health information maintained by the component entity. As stated above, organizations that perform multiple functions may designate a single component entity as long as it does not include the functions of an excepted benefit plan that is not covered under the rule. In addition, it must adhere to the appropriate requirements when performing its functions (e.g. when acting as a health plan, adhere to the health plan requirements) and uses or discloses protected health information of individuals who receive limited functions from the component only for the appropriate functions. At the same time, a component that is outside of the health care component may perform activities that otherwise are not permitted by a covered entity, as long as it does not use or disclose protected health information created or received by or on behalf of the health care component in ways that violate this rule.
Comment: Some commenters asked whether or not workers' compensation carriers could be a part of the health care component as described in the proposed rule. They argued that this would allow for sharing of information between the group health plan and workers' compensation insurers.
Response: Under HIPAA, workers' compensation is an excepted benefit program and is excluded from the definition of “health plan.” As such, a component of a covered entity that provides such excepted benefits may not be part of a health care component that performs the functions of a health plan. If workforce members of the larger entity perform functions for both the health care component and the non-covered component, they may not use protected health information created or received by or on behalf of the health care component for the purposes of the non-covered component, unless otherwise permitted by the rule. For example, information may be shared between the components for coordination of benefits purposes.
Comment: Several commenters requested specific guidance on identifying the health care component entity. They argued that we underestimated the difficulty in determining the component and that many organizations have multiple functions with the same people performing duties for both the component and the larger entity.
Response: With the diversity of organizational structures, it is impossible to provide a single specific guidance for identifying health care components that will meet the needs of all organizations. Covered entities must designate their health care components consistent with the definition at § 164.504(a). We have tried to frame this definition to delineate what comes within a health care component and what falls outside the component.
Comment: A commenter representing a government agency recommended that only the component of the agency that runs the program be considered a covered entity, not the agency itself. In addition, this commenter stated that often subsets of other government agencies work in partnership with the agency that runs the program to provide certain services. For example, one state agency may provide maternity support services to the Medicaid program which is run by a separate agency. The commenter read the rule to mean that the agency providing the maternity support services would be a business associate of the Medicaid agency, but was unclear as to whether it would also constitute a health care component within its own agency.
Response: We generally agree. We expect that in most cases, government agencies that run health plans or provide health care services would typically meet the definition of a “hybrid entity” under § 164.504(a), so that such an agency would be required to designate the health care component or components that run the program or programs in question under § 164.504(c)(3), and the rules would not apply to the remainder of the agency's operations, under § 164.504(b). In addition, we have created an exception to the business associate contract requirement for government agencies who perform functions on behalf of other government agencies. Government agencies can enter into a memorandum of understanding with another government entity or adopt a regulation that applies to the other government entity in lieu of a business associate contract, as long as the memorandum or regulation contains certain terms. See § 164.504(e).
Comment: One commenter representing an insurance company stated that different product lines should be treated separately under the rule. For example, the commenter argued, because an insurance company offers both life insurance and health insurance, it does not mean that the insurance company itself is a covered entity, rather only the health insurance component is a covered entity. Another commenter requested clarification of the use of the term “product line” in the proposed rule. This commenter stated that product line should differentiate between different lines of coverage such as life vs. health insurance, not different variations of the same coverage, such as HMO vs. PPO. Finally, one commenter stated that any distinction among product lines is unworkable because insurance companies need to share information across product lines for coordinating benefits. This sharing of information, the commenter urged, should be able to take place whether or not all product lines are covered under the rule.
Response: We agree that many forms of insurance do not and should not come within the definition of “health plan,” and we have excepted them from the definition of this term in § 160.103 applies. This point is more fully discussed in connection with that definition. Although we do not agree that the covered entity is only the specific product line, as this comment suggests, the hybrid entity rules in § 164.504 address the substance of this concern. Under § 164.504(c)(3), an entity may create a health plan component which would include all its health insurance lines of business or separate health care components for each health plan product line. Finally, the sharing of protected health information across lines of business is allowed if it meets the permissive or required disclosures under the rule. The commenter's example of coordination of benefits would be allowed under the rule as payment.
Comment: Several commenters representing occupational health care providers supported our use of the component approach to prohibit unauthorized disclosures of protected health information. They requested that the regulation specifically authorize them to deny requests for disclosures outside of the component entity when the disclosure was not otherwise permitted or required by the regulation.
Response: We appreciate the commenters' support of the health care component approach. As members of a health care component, occupational health providers are prohibited from sharing protected health information with the larger entity (i.e., the employer), unless otherwise permitted or required by the regulation.
Comment: One commenter asked how the regulation affects employers who carry out research. The commenter questioned whether the employees carrying out the research would be component entities under the rule.
Response: If the employer is gathering its own information rather than obtaining it from an entity regulated by this rule, the information does not constitute protected health information since the employer is not a covered entity. If the employer is obtaining protected health information from a covered entity, the disclosure by the covered entity must meet the requirements of § 164.512(i) regarding disclosures for research.
Comment: One commenter stated that the proposed rule did not clearly articulate whether employees who are health care providers are considered covered entities when they collect and use individually identifiable health information acting on behalf of an employer. Examples provided include, administering mandatory drug testing, making fitness-for-duty and return-to-work determinations, testing for exposure to environmental hazards, and making short and long term disability determinations. This commenter argued that if disclosing information gained through these activities requires authorization, many of the activities are meaningless. For example, an employee who fails a drug test is unlikely to give authorization to the provider to share the information with the employer.
Response: Health care providers are covered entities under this rule if they conduct standard transactions. A health care provider who is an employee and is administering drug testing on behalf of the employer, but does not conduct standard transactions, is not a covered entity. If the health care provider is a covered entity, then we require authorization for the provider to disclose protected health information to an employer. Nothing in this rule, however, prohibits the employer from conditioning an individual's employment on agreeing to the drug testing and requiring the individual to sign an authorization allowing his or her drug test results to be disclosed to the employer.
Comment: One commenter stated its belief that only a health center at an academic institution would be a covered entity under the component approach. This commenter believed it was less clear whether or not other components that may create protected health information “incidentally” through conducting research would also become covered entities.
Response: While a covered entity must designate as a health care component the functions that make it a health care provider, the covered entity remains responsible for the actions of its workforce. Components that create protected health information through research would be covered entities to the extent they performed one of the required transactions described in § 164.500; however, it is possible that the research program would not be part of the health care component, depending on whether the research program performed or supported covered functions.
Comment: Several commenters stated that employers need access to protected health information in order to provide employee assistance programs, wellness programs, and on-site medical testing to their employees.
Response: This rule does not affect disclosure of health information by employees to the employer if the information is not obtained from a covered entity. The employer's access to information from an EAP, wellness program, or on-site medical clinic will depend on whether the program or clinic is a covered entity.
Comment: One commenter stated that access to workplace medical records by the occupational medical physicians is fundamental to workplace and community health and safety. Access is necessary whether it is a single location or multiple sites of the same company, such as production facilities of a national company located throughout the country.
Response: Health information collected by the employer directly from providers who are not covered entities is outside the scope of this regulation. We note that the disclosures which this comment concerns should be covered by § 164.512(b).