Under this proposed rule, a business partner would be acting on behalf of a covered entity, and we propose that its use or disclosure of protected health information be limited to the same extent that the covered entity for whom they are acting would be limited. Thus, a business partner could have no more authority to use or disclose protected health information than that possessed by the covered entity from which the business partner received the information. For example, a business partner could not sell protected health information to a financial services firm without individual authorization because the covered entity would not be permitted to do so under these proposed rules. We would note that a business partner’s authority to use and disclose protected health information could be further restricted by its contract with a covered entity, as described below.
We are not proposing to require the business partners of covered entities to develop and distribute a notice of information practices, as provided in proposed § 164.512. A business partner would, however, be bound by the terms of the notice of the covered entity from which it obtains protected health information. For example, if a covered entity provided notice to its subscribers that it would not engage in certain permissible disclosures of protected health information, we are proposing that such a limitation would apply to all of the business partners of the covered entity that made the commitment. See proposed § 164.506(e). We are proposing this approach so that individuals could rely on the notices that they receive from the covered entities to which they disclose protected health information. If the business partners of a covered entity were able to make wider use or make more disclosures than the covered entity, the patients or enrollees of the covered entity would have difficulty knowing how their information was being used and to whom it was being disclosed.