HIPAA Regulations: Security and Privacy General Provisions: Definitions - § 164.103
As Contained in the HHS HIPAA Privacy and Security Rules
HHS Privacy and Security Regulations |
As used in this part, the following terms have the following meanings:
Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity.
Common ownership exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.
Covered functions means those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse.
Health care component means a component or combination of components of a hybrid entity designated by the hybrid entity in accordance with § 164.105(a)(2)(iii)(D).
Hybrid entity means a single legal entity:
-
That is a covered entity;
-
Whose business activities include both covered and non-covered functions; and
-
That designates health care components in accordance with paragraph § 164.105(a)(2)(iii)(D).
Law enforcement official means an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to:
-
Investigate or conduct an official inquiry into a potential violation of law; or
-
Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
Plan sponsor is defined as defined at section 3(16)(B) of ERISA, 29 U.S.C. 1002(16)(B).
Required by law means a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.
HHS Description Security and Privacy General Provisions: Definitions |
Note: Note that the definitions of common control, common ownership, health care component, and hybrid entity have been relocated here from their original place in § 164.504(a). Some of the original discussion and comments in 504(a) relate to these definitions.
From the Privacy Regulations
Covered Functions
We add a new term, “covered functions,” as a shorthand way of expressing and referring to the functions that the entities covered by section 1172(a) of the Act perform. Section 1171 defines the terms “health plan”, “health care provider”, and “health care clearinghouse” in functional terms. Thus, a “health plan” is an individual or group plan “that provides, or pays the cost of, medical care...”, a “health care provider” “furnish[es] health care services or supplies,” and a “health care clearinghouse” is an entity “that processes or facilitates the processing of ... data elements of health information...”. Covered functions, therefore, are the activities that any such entity engages in that are directly related to operating as a health plan, health care provider, or health care clearinghouse; that is, they are the functions that make it a health plan, health care provider, or health care clearinghouse.
The term “covered functions” is not intended to include various support functions, such as computer support, payroll and other office support, and similar support functions, although we recognize that these support functions must occur in order for the entity to carry out its health care functions. Because such support functions are often also performed for parts of an organization that are not doing functions directly related to the health care functions and may involve access to and/or use of protected health information, the rules below describe requirements for ensuring that workforce members who perform these support functions do not impermissibly use or disclose protected health information. See § 164.504.
Plan Sponsor
In the final rule we add a definition of "plan sponsor." We define plan sponsor by referencing the definition of the term provided in (3)(16)(B) of the Employee Retirement Income Security Act (ERISA). The plan sponsor is the employer or employee organization, or both, that establishes and maintains an employee benefit plan. In the case of a plan established by two or more employers, it is the association, committee, joint board of trustees, or other similar group of representative of the parties that establish and maintain the employee benefit plan. This term includes church health plans and government health plans. Group health plans may disclose protected health information to plan sponsors who conduct payment and health care operations activities on behalf of the group health plan if the requirements for group health plans in § 164.504 are met.
The preamble to the Transactions Rule noted that plan sponsors of group health plans are not covered entities and, therefore, are not required to use the standards established in that regulation to perform electronic transactions, including enrollment and disenrollment transactions. We do not change that policy through this rule. Plan sponsors that perform enrollment functions are doing so on behalf of the participants and beneficiaries of the group health plan and not on behalf of the group health plan itself. For purposes of this rule, plan sponsors are not subject to the requirements of § 164.504 regarding group health plans when conducting enrollment activities.
Required By Law
In the preamble to the NPRM, we did not include a definition of “required by law.” We discussed what it meant for an action to be considered to be “required” or “mandated” by law and included several examples of activities that would be considered as required by law for the purposes of the proposed rule, including a valid Inspector General subpoena, grand jury subpoena, civil investigative demand, or a statute or regulation requiring production of information justifying a claim would constitute a disclosure required by law.
In the final rule we include a new definition, move the preamble clarifications to the regulatory text and add several items to the illustrative list. For purposes of this regulation, “required by law” means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Among the examples listed in definition are Medicare conditions of participation with respect to health care providers participating in that program, court-ordered warrants, and subpoenas issued by a court. We note that disclosures “required by law” include disclosures of protected health information required by this regulation in § 164.502(a)(2). It does not include contracts between private parties or similar voluntary arrangements. This list is illustrative only and is not intended in any way to limit the scope of this paragraph or other paragraphs in § 164.512 that permit uses or disclosures to the extent required by other laws. We note that nothing in this rule compels a covered entity to make a use or disclosure required by the legal demands or prescriptions listed in this clarification or by any other law or legal process, and a covered entity remains free to challenge the validity of such laws and processes.
For HHS description of Common control, Common ownership, Health care component, and Hybrid entity see §164.504(a)
HHS Response to Comments Received Security and Privacy General Provisions: Definitions |
For HHS Response to Comments Received regarding Common control, Common ownership, Health care component, and Hybrid entity see §164.504(a)