NRPM: Standards for Privacy of Individually Identifiable Health Information. 8. Application to covered entities that are components of organizations that are not covered entities.


In this section we describe how the provisions of this proposed rule apply to persons or organizations that provide health care or have created health plans but are primarily engaged in other unrelated activities. Examples of such organizations include schools that operate on-site clinics, employers who operate self-funded health plans, and information processing companies that include a health care services component. The health care component (whether or not separately incorporated) of the organization would be the covered entity. Therefore, any movement of protected health information into another component of the organization would be a “disclosure,” and would be lawful only if such disclosure would be authorized by this regulation. In addition, we propose to require such entities to create barriers to prevent protected health information from being used or disclosed for other activities not authorized or permitted under these proposed rules.

For example, schools frequently employ school nurses or operate on-site clinics. In doing so, the nurse or clinic component of the school would be acting as a provider, and must conform to this proposed rule. School clinics would be able to use protected health information obtained in an on-site clinic for treatment and payment purposes, but could not disclose it to the school for disciplinary purposes except as permitted by this rule. Similarly, an employee assistance program of an employer could meet the definition of “provider,” particularly if health care services are offered directly by the program. Protected health information obtained by the employee assistance program could be used for treatment and payment purposes, but not for other purposes such as hiring and firing, placement and promotions, except as may be permitted by this rule.