Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Article II


Comment: One commenter contended that the Secretary improperly delegated authority to private entities by requiring covered entities to enter into contracts with, monitor, and take action for violations of the contract against their business partners. These comments assert that the selection of these entities to "enforce" the regulations violates the Executive Powers Clause and the Appointments and Take Care Clauses.

Response: We reject the assertion that the business associate provisions constitute an improper delegation of executive power to private entities. HIPAA provides HHS with authority to enforce the regulation against covered entities. The rules below regulate only the conduct of the covered entity; to the extent a covered entity chooses to conduct its funding through a business associate, those functions are still functions of the covered entity. Thus, no improper delegation has occurred because what is being regulated are the actions of the covered entity, not the actions of the business associate in its independent capacity.

We also reject the suggestion that the business associates provisions constitute an improper appointment of covered entities to enforce the regulation and violate the Take Care Clause. Because the Secretary has not delegated authority to covered entities, the inference that she has appointed covered entities to exercise such authority misses the mark.