HIPAA Regulations: Security and Privacy General Provisions: Organizational Requirements - § 164.105

As Contained in the HHS HIPAA Privacy and Security Rules

HHS Regulations as Amended January 2013
Security and Privacy General Provisions: Organizational Requirements - § 164.105

(a)(1) Standard: Health care component. If a covered entity is a hybrid entity, the requirements of this part, other than the requirements of this section, §164.314, and §164.504, apply only to the health care component(s) of the entity, as specified in this section.

(2) Implementation specifications:

(i) Application of other provisions. In applying a provision of this part, other than the requirements of this section, §164.314, and §164.504, to a hybrid entity:

(A) A reference in such provision to a “covered entity” refers to a health care component of the covered entity;

(B) A reference in such provision to a “health plan,” “covered health care provider,” or “health care clearinghouse,” refers to a health care component of the covered entity if such health care component performs the functions of a health plan, health care provider, or health care clearinghouse, as applicable;

(C) A reference in such provision to “protected health information” refers to protected health information that is created or received by or on behalf of the health care component of the covered entity; and

(D) A reference in such provision to “electronic protected health information” refers to electronic protected health information that is created, received, maintained, or transmitted by or on behalf of the health care component of the covered entity.

(ii) Safeguard requirements. The covered entity that is a hybrid entity must ensure that a health care component of the entity complies with the applicable requirements of this part. In particular, and without limiting this requirement, such covered entity must ensure that:

(A) Its health care component does not disclose protected health information to another component of the covered entity in circumstances in which subpart E of this part would prohibit such disclosure if the health care component and the other component were separate and distinct legal entities;

(B) Its health care component protects electronic protected health information with respect to another component of the covered entity to the same extent that it would be required under subpart C of this part to protect such information if the health care component and the other component were separate and distinct legal entities;

(C) If a person performs duties for both the health care component in the capacity of a member of the workforce of such component and for another component of the entity in the same capacity with respect to that component, such workforce member must not use or disclose protected health information created or received in the course of or incident to the member's work for the health care component in a way prohibited by subpart E of this part.

(iii) Responsibilities of the covered entity. A covered entity that is a hybrid entity has the following responsibilities:

(A) For purposes of subpart C of part 160 of this subchapter, pertaining to compliance and enforcement, the covered entity has the responsibility of complying with this part.

(B) The covered entity is responsible for complying with §164.316(a) and §164.530(i), pertaining to the implementation of policies and procedures to ensure compliance with applicable requirements of this part, including the safeguard requirements in paragraph (a)(2)(ii) of this section.

(C) The covered entity is responsible for complying with §164.314 and §164.504 regarding business associate arrangements and other organizational requirements.

(D) The covered entity is responsible for designating the components that are part of one or more health care components of the covered entity and documenting the designation in accordance with paragraph (c) of this section, provided that, if the covered entity designates one or more health care components, it must include any component that would meet the definition of a covered entity or business associate if it were a separate legal entity. Health care component(s) also may include a component only to the extent that it performs covered functions.

(b)(1) Standard: Affiliated covered entities. Legally separate covered entities that are affiliated may designate themselves as a single covered entity for purposes of this part.

(2) Implementation specifications:

(i) Requirements for designation of an affiliated covered entity.

(A) Legally separate covered entities may designate themselves (including any health care component of such covered entity) as a single affiliated covered entity, for purposes of this part, if all of the covered entities designated are under common ownership or control.

(B) The designation of an affiliated covered entity must be documented and the documentation maintained as required by paragraph (c) of this section.

(ii) Safeguard requirements. An affiliated covered entity must ensure that it complies with the applicable requirements of this part, including, if the affiliated covered entity combines the functions of a health plan, health care provider, or health care clearinghouse, §164.308(a)(4)(ii)(A) and §164.504(g), as applicable.

(c)(1) Standard: Documentation. A covered entity must maintain a written or electronic record of a designation as required by paragraphs (a) or (b) of this section.

(2) Implementation specification: Retention period. A covered entity must retain the documentation as required by paragraph (c)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

HHS Description and Commentary from the January 2013 Amendments
Security and Privacy General Provisions: Organizational Requirements

Section 164.105 outlines the organizational requirements and implementation specifications for health care components of covered entities and for affiliated covered entities. As § 164.105 now also applies to Subpart D of Part 164 regarding breach notification for unsecured protected health information, we proposed to remove several specific references to Subparts C and E throughout this section to make clear that the provisions of this section also apply to Subpart D of Part 164.

The final rule adopts these modifications.

In addition, we proposed the following modifications to this section.

Section 164.105(a)(2)(ii)(C)–(E)

Proposed Rule

As a covered entity’s obligation to ensure that a health care component complies with the Privacy and Security Rules is already set out at § 164.105(a)(2)(ii), we proposed to modify this section to remove as unnecessary paragraphs (C) and (D), which pertain to the obligation of a covered entity to ensure that any component that performs business associate-like activities and is included in the health care component complies with the requirements of the Privacy and Security Rules, and to re-designate paragraph (E) as (C).

Additionally, we requested comment on whether we should require, rather than permit as was the case at § 164.105(a)(2)(iii)(C), a covered entity that is a hybrid entity to include a component that performs business associate-like activities within its health care component so that such components are directly subject to the Rules.

Overview of Public Comments

Several commenters recommended that hybrid entities should retain the flexibility to either include or exclude business associates from the healthcare component. Two of these commenters stated this option would allow the covered entity to distinguish the functions and responsibilities of the business associate as separate from the health care component, which would result in better compliance, as covered entities would evaluate each business associate separately for compliance purposes.

Additionally, several commenters stated that requiring a hybrid entity to include business associate departments is excessive and burdensome. Some of these commenters further stated that business associate departments of a hybrid entity will likely commit limited time, personnel, and staff hours to Privacy and Security Rule compliance and suggested that the hybrid entity should implement applicable entity-wide policies and procedures and separately ensure that business associate departments implement specific practices scaled to the business associate’s use or disclosure of protected health information.

In contrast, several commenters supported the proposed change. Several of these commenters suggested that the modification would better facilitate compliance, because requiring the covered entity to include the business associate department in the health care component would better protect the protected health information held by the business associate and would ensure consistent standards within the health care component of the covered entity.

Final Rule

Many covered entities perform both covered and non-covered functions as part of their business operations. For such covered entities, the entire entity is generally required to comply with the Privacy Rule. However, the hybrid entity provisions of the HIPAA Rules permit the entity to limit the application of the Rules to the entity’s components that perform functions that would make the component a “covered entity” if the component were a separate legal entity. Specifically, this provision allows an entity to designate a health care component by documenting the components of its organization that perform covered entity functions. The effect of such a designation is that most of the requirements of the HIPAA Rules apply only to the designated health care component of the entity and not to the functions the entity performs that are not included in the health care component. While most of the HIPAA Rules’ requirements apply only to the health care component, the hybrid entity retains certain oversight, compliance, and enforcement obligations.

We explained in the preamble to the 2002 modifications to the Privacy Rule that the Rule provides hybrid entities with discretion as to whether or not to include business associate divisions within the health care component. However, a disclosure of protected health information from the health care component to any other division that is not part of the health care component, including a business associate division, is treated the same as a disclosure outside the covered entity. As a result, because an entity generally cannot have a business associate agreement with itself, a disclosure from the health care component to the business associate division(s) of the entity likely would require individual authorization. See 67 FR 53182, 53205 (Aug. 14, 2002).

Importantly, after this final rule, business associates, by definition, are separately and directly liable for violations of the Security Rule and for violations of the Privacy Rule for impermissible uses and disclosures pursuant to their business associate contracts.

With respect to a hybrid entity, however, not including business associate functions within the health care component of a hybrid entity could avoid direct liability and compliance obligations for the business associate component.

Thus, we agree with the commenters that supported requiring inclusion of business associate functions inside the health care component of a hybrid entity. As such, the final rule requires that the health care component of a hybrid entity include all business associate functions within the entity.

Response to Other Public Comments

Comment: One commenter requested that the Department revise the definitions of “hybrid entity” to permit business associates to designate a health care component.

Response: A business associate performs one or more functions on behalf of a covered entity (or, in this final rule, another business associate). As a business associate is only subject to the HIPAA Rules with respect to the protected health information it maintains, uses, or discloses on behalf of a covered entity (or business associate) and not to other information it may maintain, including health information, there is no need for a business associate to designate one or more health care components.

Comment: One commenter asked whether an employer that operates an on-site clinic for the treatment of employees functions as a hybrid entity.

Response: An entity that maintains an on-site clinic to provide health care to one or more employees may be a HIPAA covered provider to the extent the clinic performs one or more covered transactions electronically, such as billing a health plan for the services provided. If covered, the entity need not become a hybrid entity so as to avoid applying the Privacy Rule to health information the entity holds in its role as employer, such as sick leave requests of its employees. Such information is already excluded from the definition of “protected health information” as employment records and thus, the Privacy Rule does not apply to this information. However, the identifiable health information the entity holds as a covered health care provider (e.g., the information the clinic holds about employees who have received treatment) is protected health information and generally may not be shared with the employer for employment purposes without the individual’s authorization.

Section 164.105(a)(2)(iii)(C)

We proposed to modify this section to re-designate § 164.105(a)(2)(iii)(C) as (D), and to include a new paragraph (C), which makes clear that, with respect to a hybrid entity, the covered entity itself, and not merely the health care component, remains responsible for complying with §§ 164.314 and 164.504 regarding business associate arrangements and other organizational requirements. Hybrid entities may need to execute legal contracts and conduct other organizational matters at the level of the legal entity rather than at the level of the health care component. The final rule adopts this change.

Section 164.105(b)(1)

The final rule fixes a minor typographical error in this paragraph by redesignating the second paragraph (1) as paragraph (2).

Section 164.105(b)(2)(ii)

The final rule simplifies this paragraph by collapsing subparagraphs (A), (B), and (C) regarding the obligations of an affiliated entity to comply with the Privacy and Security Rules into one provision.

HHS Description From the Original Rulemaking
Security and Privacy General Provisions: Organizational Requirements

From Privacy Regulations

Affiliated Covered Entity

Some legally distinct covered entities may share common administration of organizationally differentiated but similar activities (for example, a hospital chain). In § 164.504(d) we permit legally distinct covered entities that share common ownership or control to designate themselves, or their health care components, together to be a single covered entity. Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity. Common ownership exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.

Such organizations may promulgate a single shared notice of information practices and a consent form. For example, a corporation with hospitals in twenty states may designate itself as a covered entity and, therefore, able to merge information for joint marketplace analyses. The requirements that apply to a covered entity also apply to an affiliated covered entity. For example, under the minimum necessary provisions, a hospital in one state could not share protected health information about a particular patient with another hospital if such a use is not necessary for treatment, payment or health care operations. The covered entities that together make up the affiliated covered entity are separately subject to liability under this rule. The safeguarding requirements for affiliated covered entities track the requirements that apply to health care components.

HHS Response to Comments Received From the Original Rulemaking
Security and Privacy General Provisions: Organizational Requirements

For the HHS Response to Comments Received regarding Affiliated Covered Entity, see §164.504(a).
