NRPM: Standards for Privacy of Individually Identifiable Health Information. a. Entities covered.


Under section 1172(a) of the Act, the provisions of this proposed rule apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act (the “covered entities”). The terms health plan, health care provider, and health care clearinghouse are defined in proposed § 160.103.

As noted above, because we do not have the authority to apply these standards directly to any entity that is not a covered entity, the proposed rule does not directly cover many of the persons who obtain identifiable health information from the covered entities. Examples of persons who receive this information include contractors, third-party administrators, researchers, public health officials, life insurance issuers, employers and marketing firms. We would attempt to fill this gap in our legislative authority in part by requiring covered entities to apply many of the provisions of rule to the entities with whom they contract for administrative and other services. The proposed provision is outlined in more detail below in the discussion of business partners.