In the proposed rule, other than for purposes of consultation or referral for treatment, we would have allowed a covered entity to disclose protected health information to a business partner only pursuant to a written contract that would, among other specified provisions, limit the business partner's uses and disclosures of protected health information to those permitted by the contract, and would impose certain security, inspection and reporting requirements on the business partner. We proposed to define the term "business partner" to mean, with respect to a covered entity, a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity.
In the final rule, we change the term "business partner" to "business associate" and in the definition clarify the full range of circumstances in which a person is acting as a business associate of a covered entity. (See definition of "business associate" in § 160.103.) These changes mean that § 164.502(e) requires a business associate contract (or other arrangement, as applicable) not only when the covered entity discloses protected health information to a business associate, but also when the business associate creates or receives protected health information on behalf of the covered entity.
In the final rule, we modify the proposed standard and implementation specifications for business associates in a number of significant ways. These modifications are explained in the preamble discussion of § 164.504(e).