Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Section 164.504 - Uses and Disclosures - Organizational Requirements - Component Entities, Affiliated Entities, Business Associates and Group Health Plans

In the preamble to the proposed rule we introduced the concept of a "component entity" to differentiate the health care unit of a larger organization from the larger organization. In the proposal we noted that some organizations that are primarily involved in non-health care activities do provide health care services or operate health plans or health care clearinghouses. Examples included a school with an on-site health clinic and an employer that self administers a sponsored health plan. In such cases, the proposal said that the health care component of the entity would be considered the covered entity, and any release of information from that component to another office or person in the organization would be a regulated disclosure. We would have required such entities to create barriers to prevent protected health information from being used or disclosed for activities not authorized or permitted under the proposal.

We discuss group health plans and their relationships with plan sponsors below under "Requirements for Group Health Plans."

In the final rule we address the issue of differentiating health plan, covered health care provider and health care clearinghouse activities from other functions carried out by a single legal entity in paragraphs (a)-(c) of § 164.504. We have created a new term, "hybrid entity", to describe the situation where a health plan, health care provider, or health care clearinghouse is part of a larger legal entity; under the definition, a "hybrid entity" is "a single legal entity that is a covered entity and whose covered functions are not its primary functions." The term "covered functions" is discussed above under § 164.501. By "single legal entity" we mean a legal entity, such as a corporation or partnership, that cannot be further differentiated into units with their own legal identities. For example, for purposes of this rule a multinational corporation composed of multiple subsidiary companies would not be a single legal entity, but a small manufacturing firm and its health clinic, if not separately incorporated, could be a single legal entity.

The health care component rules are designed for the situation in which the health care functions of the legal entity are not its dominant mission. Because some part of the legal entity meets the definition of a health plan or other covered entity, the legal entity as a whole could be required to comply with the rules below. However, in such a situation, it makes sense not to require the entire entity to comply with the requirements of the rules below, when most of its activities may have little or nothing to do with the provision of health care; rather, as a practical matter, it makes sense for such an entity to focus its compliance efforts on the component that is actually performing the health care functions. On the other hand, where most of what the covered entity does consists of covered functions, it makes sense to require the entity as a whole to comply with the rules. The provisions at §§ 164.504(a)-(c) provide that for a hybrid entity, the rules apply only to the part of the entity that is the health care component. At the same time, the lack of corporate boundaries increases the risk that protected health information will be used in a manner that would not otherwise be permitted by these rules. Thus, we require that the covered entity erect firewalls to protect against the improper use or disclosure within or by the organization. See § 164.504(c)(2).

The term "primary functions" in the definition of "hybrid entity" is not meant to operate with mathematical precision. Rather, we intend that a more common sense evaluation take place: is most of what the covered entity does related to its health care functions? If so, then the whole entity should be covered. Entities with different insurance lines, if not separately incorporated, present a particular issue with respect to this analysis. Because the definition of "health plan" excludes many types of insurance products (in the exclusion under paragraph (2)(i) of the definition), we would consider an entity that has one or more of these lines of insurance in addition to its health insurance lines to come within the definition of "hybrid entity," because the other lines of business constitute substantial parts of the total business operation and are required to be separate from the health plan(s) part of the business.

An issue that arises in the hybrid entity situation is what records are covered in the case of an office of the hybrid entity that performs support functions for both the health care component of the entity and for the rest of the entity. For example, this situation could arise in the context of a company with an onsite clinic (which we will assume is a covered health care provider), where the company's business office maintains both clinic records and the company's personnel records. Under the definition of the term "health care component," the business office is part of the health care component (in this hypothetical, the clinic) "to the extent that" it is performing covered functions on behalf of the clinic involving the use or disclosure of protected health information that it receives from, creates or maintains for the clinic. Part of the business office, therefore, is part of the health care component, and part of the business office is outside the health care component. This means that the non-health care component part of the business office is not covered by the rules below. Under our hypothetical, then, the business office would not be required to handle its personnel records in accordance with the rules below. The hybrid entity would be required to establish firewalls with respect to these record systems, to ensure that the clinic records were handled in accordance with the rules.

With respect to excepted benefits, the rules below operate as follows. (Excepted benefits include accident, disability income, liability, workers' compensation and automobile medical payment insurance.) Excepted benefit programs are excluded from the health care component (or components) through the definition of "health plan." If a particular organizational unit performs both excepted benefits functions and covered functions, the activities associated with the excepted benefits program may not be part of the health care component. For example, an accountant who works for a covered entity with both a health plan and a life insurer would have his or her accounting functions performed for the health plan as part of the component, but not the life insurance accounting function. See § 164.504(c)(2)(iii). We require this segregation of excepted benefits because HIPAA does not cover such programs, policies and plans, and we do not permit any use or disclosure of protected health information for the purposes of operating or performing the functions of the excepted benefits without authorization from the individual, except as otherwise permitted in this rule.

In § 164.504(c)(2) we require covered entities with a health care component to establish safeguard policies and procedures to prevent any access to protected health information by its other organizational units that would not be otherwise permitted by this rule. We note that Sec. 1173 (d)(1)(B) of HIPAA requires policies and procedures to isolate the activities of a health care clearinghouse from a "larger organization" to prevent unauthorized access by the larger organization. This safeguard provision is consistent with the statutory requirement and extends to any covered entity that performs "non-covered entity functions" or operates or conducts functions of more than one type of covered entity.

Because, as noted, the covered entity in the hybrid entity situation is the legal entity itself, we state explicitly what is implicitly the case, that the covered entity (legal entity) remains responsible for compliance vis-a-vis subpart C of part 160. See § 164.504(c)(3)(i). We do this simply to make these responsibilities clear and to avoid confusion on this point. Also, in the hybrid entity situation the covered entity/legal entity has control over the entire workforce, not just the workforce of the health care component. Thus, the covered entity is in a position to implement policies and procedures to ensure that the part of its workforce that is doing mixed or non-covered functions does not impermissibly use or disclose protected health information. Its responsibility to do so is clarified in § 164.504(c)(3)(ii).

Some legally distinct covered entities may share common administration of organizationally differentiated but similar activities (for example, a hospital chain). In § 164.504(d) we permit legally distinct covered entities that share common ownership or control to designate themselves, or their health care components, together to be a single covered entity. Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity. Common ownership exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.

Such organizations may promulgate a single shared notice of information practices and a consent form. For example, a corporation with hospitals in twenty states may designate itself as a covered entity and, therefore, able to merge information for joint marketplace analyses. The requirements that apply to a covered entity also apply to an affiliated covered entity. For example, under the minimum necessary provisions, a hospital in one state could not share protected health information about a particular patient with another hospital if such a use is not necessary for treatment, payment or health care operations. The covered entities that together make up the affiliated covered entity are separately subject to liability under this rule. The safeguarding requirements for affiliated covered entities track the requirements that apply to health care components.

In the NPRM, we proposed to require a contract between a covered entity and a business associate, except for disclosures of protected health information by a covered entity that is a health care provider to another health care provider for the purposes of consultation or referral. A covered entity would have been in violation of this rule if the covered entity knew or reasonably should have known of a material breach of the contract by a business associate and it failed to take reasonable steps to cure the breach or terminate the contract. We proposed in the preamble that when a covered entity acted as a business associate to another covered entity, the covered entity that was acting as business associate also would have been responsible for any violations of the regulation.

We also proposed that covered health care providers receiving protected health information for consultation or referral purposes would still have been subject to this rule, and could not have used or disclosed such protected health information for a purpose other than the purpose for which it was received (i.e., the consultation or referral). Further, we noted that providers making disclosures for consultations or referrals should be careful to inform the receiving provider of any special limitations or conditions to which the disclosing provider had agreed to impose (e.g., the disclosing provider had provided notice to its patients that it would not make disclosures for research).

We proposed that business associates would not have been permitted to use or disclose protected health information in ways that would not have been permitted of the covered entity itself under these rules, and covered entities would have been required to take reasonable steps to ensure that protected health information disclosed to a business associate remained protected.

In the NPRM (proposed § 164.506(e)(2)) we would have required that the contractual agreement between a covered entity and a business associate be in writing and contain provisions that would:

• Prohibit the business associate from further using or disclosing the protected health information for any purpose other than the purpose stated in the contract.

• Prohibit the business associate from further using or disclosing the protected health information in a manner that would violate the requirements of this proposed rule if it were done by the covered entity.

• Require the business associate to maintain safeguards as necessary to ensure that the protected health information is not used or disclosed except as provided by the contract.

• Require the business associate to report to the covered entity any use or disclosure of the protected health information of which the business associate becomes aware that is not provided for in the contract.

• Require the business associate to ensure that any subcontractors or agents to whom it provides protected health information received from the covered entity will agree to the same restrictions and conditions that apply to the business associate with respect to such information.

• Require the business associate to provide access to non-duplicative protected health information to the subject of that information, in accordance with proposed § 164.514(a).

• Require the business associate to make available its internal practices, books and records relating to the use and disclosure of protected health information received from the covered entity to the Secretary for the purposes of enforcing the provisions of this rule.

• Require the business associate, at termination of the contract, to return or destroy all protected health information received from the covered entity that the business associate still maintains in any form to the covered entity and prohibit the business associate from retaining such protected health information in any form.

• Require the business associate to incorporate any amendments or corrections to protected health information when notified by the covered entity that the information is inaccurate or incomplete.

• State that individuals who are the subject of the protected health information disclosed are intended to be third party beneficiaries of the contract.

• Authorize the covered entity to terminate the contract, if the covered entity determines that the business associate has violated a material term of the contract.

We also stated in the preamble to the NPRM that the contract could have included any additional arrangements that did not violate the provisions of this regulation.

We explained in the preamble to the NPRM that a business associate (including business associates that are covered entities) that had contracts with more than one covered entity would have had no authority to combine, aggregate or otherwise use for a single purpose protected health information obtained from more than one covered entity unless doing so would have been a lawful use or disclosure for each of the covered entities that supplied the protected health information that is being combined, aggregated or used. In addition, the business associate would have had to have been authorized through the contract or arrangement with each covered entity that supplied the protected health information to combine or aggregate the information. A covered entity would not have been permitted to obtain protected health information through a business associate that it could not otherwise obtain itself.

In the final rule we retain the overall approach proposed: covered entities may disclose protected health information to persons that meet the rule's definition of business associate, or hire such persons to obtain or create protected health information for them, only if covered entities obtain specified satisfactory assurances from the business associate that it will appropriately handle the information; the regulation specifies the elements of such satisfactory assurances; covered entities have responsibilities when such specified satisfactory assurances are violated by the business associate. We retain the requirement that specified satisfactory assurances must be obtained if a covered entity's business associate is also a covered entity. We note that a master business associate contract or MOU that otherwise meets the requirements regarding specified satisfactory assurances meets the requirements with respect to all the signatories.

A covered entity may disclose protected health information to a business associate, consistent with the other requirements of the final rule, as necessary to permit the business associate to perform functions and activities for or on behalf of the covered entity, or to provide the services specified in the business associate definition to or for the covered entity. As discussed below, a business associate may only use the protected health information it receives in its capacity as a business associate to a covered entity as permitted by its contract or agreement with the covered entity.

We do not attempt to directly regulate business associates, but pursuant to our authority to regulate covered entities we place restrictions on the flow of information from covered entities to non-covered entities. We add a provision to clarify that a violation of a business associate agreement by a covered entity that is a business associate of another covered entity constitutes a violation of this rule.

In the final rule, we make significant changes to the requirements regarding business associates. As explained below in more detail: we make significant changes to the content of the required contractual satisfactory assurances; we include exceptions for arrangements that would otherwise meet the definition of business associate; we make special provisions for government agencies that by law cannot enter into contracts with one another or that operate under other legal requirements incompatible with some aspects of the required contractual satisfactory assurances; we provide a new mechanism for covered entities to hire a third party to aggregate data.

The final rule provides several exception to the business associate requirements, where a business associate relationship would otherwise exist. We substantially expand the exception for disclosure of protected health information for treatment. Rather than allowing disclosures without business associate assurances only for the purpose of consultation or referral, in the final rule we allow covered entities to make any disclosure of protected health information for treatment purposes to a health care provider without a business associate arrangement. This provision includes all activities that fall under the definition of treatment.

We do not require a business associate contract for a group health plan to make disclosures to the plan sponsor, to the extent that the health plan meets the applicable requirements of § 164.504(f).

We also include an exception for certain jointly administered government programs providing public benefits. Where a health plan that is a government program provides public benefits, such as SCHIP and Medicaid, and where eligibility for, or enrollment in, the health plan is determined by an agency other than the agency administering the health plan, or where the protected health information used to determine enrollment or eligibility in the health plan is collected by an agency other than the agency administering the health plan, and the joint activities are authorized by law, no business associate contract is required with respect to the collection and sharing of individually identifiable health information for the performance of the authorized functions by the health plan and the agency other than the agency administering the health plan. We note that the phrase "government programs providing public benefits" refers to programs offering benefits to specified members of the public and not to programs that offer benefits only to employees or retirees of government agencies.

We note that we do not consider a financial institution to be acting on behalf of a covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for compensation for health care. A typical consumer-conducted payment transaction is when a consumer pays for health care or health insurance premiums using a check or credit card. In these cases, the identity of the consumer is always included and some health information (e.g., diagnosis or procedure) may be implied through the name of the health care provider or health plan being paid. Covered entities that initiate such payment activities must meet the minimum necessary disclosure requirements described in the preamble to § 164.514.

In the final rule, we reduce the extent to which a covered entity must monitor the actions of its business associate and we make it easier for covered entities to identify the circumstances that will require them to take actions to correct a business associate's material violation of the contract, in the following ways. We delete the proposed language requiring covered entities to "take reasonable steps to ensure" that each business associate complies with the rule's requirements. Additionally, we now require covered entities to take reasonable steps to cure a breach or terminate the contract for business associate behaviors only if they know of a material violation by a business associate. In implementing this standard, we will view a covered entity that has substantial and credible evidence of a violation as knowing of such violation. While this standard relieves the covered entity of the need to actively monitor its business associates, a covered entity nonetheless is expected to investigate when they receive complaints or other information that contain substantial and credible evidence of violations by a business associate, and it must act upon any knowledge of such violation that it possesses. We note that a whistleblowing disclosure by a business associate of a covered entity that meets the requirements of § 164.502(j)(1) does not put the covered entity in violation of this rule, and the covered entity has no duty to correct or cure, or to terminate the relationship.

We also qualify the requirement for terminating contracts with non-compliant business associates. The final rule still requires that the business associate contract authorize the covered entity to terminate the contract, if the covered entity determines that the business associate has violated a material term of the contract, and it requires the covered entity to terminate the contract if steps to cure such a material breach fail. The rule now stipulates, however, that if the covered entity is unable to cure a material breach of the business associate's obligation under the contract, it is expected to terminate the contract, when feasible. This qualification has been added to accommodate circumstances where terminating the contract would be unreasonably burdensome on the covered entity, such as when there are no viable alternatives to continuing a contract with that particular business associate. It does not mean, for instance, that the covered entity can choose to continue the contract with a non-compliant business associate merely because it is more convenient or less costly than contracts with other potential business associates. We also require that if a covered entity determines that it is not feasible to terminate a non-compliant business associate, the covered entity must notify the Secretary.

We retain all of the requirements for a business associate contract that were listed in proposed § 164.506(e)(2), with some modifications. See § 164.504(e)(2).

We retain the requirement that the business associate contract must provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law. We do not mean by this requirement that the business associate contract must specify each and every use and disclosure of protected health information permitted to the business associate. Rather, the contract must state the purposes for which the business associate may use and disclose protected health information, and must indicate generally the reasons and types of persons to whom the business associate may make further disclosures. For example, attorneys often need to provide information to potential witnesses, opposing counsel, and others in the course of their representation of a client. The business associate contract pursuant to which protected health information is provided to its attorney may include a general statement permitting the attorney to disclose protected health information to these types of people, within the scope of its representation of the covered entity.

We retain the requirement that a business associate contract may not authorize a business associate to use or further disclose protected health information in a manner that would violate the requirements of this subpart if done by the covered entity, but we add two exceptions. First, we permit a covered entity to authorize a business associate to use and disclose protected health information it receives in its capacity as a business associate for its proper management and administration and to carry out its legal responsibilities. The contract must limit further disclosures of the protected health information for these purposes to those that are required by law and to those for which the business associate obtains reasonable assurances that the protected health information will be held confidentially and that it will be notified by the person to whom it discloses the protected health information of any breaches of confidentiality.

Second, we permit a covered entity to authorize the business associate to provide data aggregation services to the covered entity. As discussed above in § 164.501, data aggregation, with respect to protected health information received by a business associate in its capacity as the business associate of a covered entity, is the combining of such protected health information by the business associate with protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit the creation of data for analyses that relate to the health care operations of the respective covered entities. We added this service to the business associate definition to clarify the ability of covered entities to contract with business associates to undertake quality assurance and comparative analyses that involve the protected health information of more than one contracting covered entity. We except data aggregation from the general requirement that a business associate contract may not authorize a business associate to use or further disclose protected health information in a manner that would violate the requirements of this subpart if done by the covered entity in order to permit the combining or aggregation of protected health information received in its capacity as a business associate of different covered entities when it is performing this service. In many cases, the combining of this information for the respective health care operations of the covered entities is not something that the covered entities could do - a covered entity cannot generally disclose protected health information to another covered entity for the disclosing covered entity's health care operations. However, we permit covered entities that enter into business associate contracts with a business associate for data aggregation to permit the business associate to combine or aggregate the protected health information they disclose to the business associate for their respective health care operations.

We note that there may be other instances in which a business associate may combine or aggregate protected health information received in its capacity as a business associate of different covered entities, such as when it is performing health care operations on behalf of covered entities that participate in an organized health care arrangement. A business associate that is performing payment functions on behalf of different covered entities also may combine protected health information when it is necessary, such as when the covered entities share financial risk or otherwise jointly bill for services.

In the final rule we clarify that the business associate contract must require the business associate to make available protected health information for amendment and to incorporate such amendments. The business associate contract must also require the business associate to make available the information required to provide an accounting of disclosures. We provide more flexibility to the requirement that all protected health information be returned by the business associate upon termination of the contract. The rule now stipulates that if feasible, the protected health information should be destroyed or returned at the end of a contract. Accordingly, a contract with a business associate must state that if there are reasons that the return or destruction of the information is not feasible and the information must be retained for specific reasons and uses, such as for future audits, privacy protections must continue after the contract ends, for as long as the business associate retains the information. The contract also must state that the uses of information after termination of the contract must be limited to the specific set of uses or disclosures that make it necessary for the business associate to retain the information.

We also remove the requirement that business associate contracts contain a provision stating that individuals whose protected health information is disclosed under the contract are intended third-party beneficiaries of the contract. Third party beneficiary or similar responsibilities may arise under these business associate arrangements by operation of state law; we do not intend in this rule to affect the operation of such state laws.

We modify the requirement that a business associate contract require the business associate to ensure that agents abide by the provisions of the business associate contract. We clarify that agents includes subcontractors, and we note that a business associate contract must make the business associate responsible for ensuring that any person to whom it delegates a function, activity or service which is within its business associate contract with the covered entity agrees to abide by the restrictions and conditions that apply to the business associate under the contract. We note that a business associate will need to consider the purpose for which protected health information is being disclosed in determining whether the recipient must be bound to the restrictions and conditions of the business associate contract. When the disclosure is a delegation of a function, activity or service that the business associate has agreed to perform for a covered entity, the recipient who undertakes such a function steps into the shoes of the business associate and must be bound to the restrictions and conditions. When the disclosure is to a third party who is not performing business associate functions, activities or services for on behalf of the covered entity, but is the type of disclosure that the covered entity itself could make without giving rise to a business associate relationship, the business associate is not required to ensure that the restrictions or conditions of the business associate contract are maintained.

For example, if a business associate acts as the billing agent of a health care provider, and discloses protected health information on behalf of the hospital to health plans, the business associate has no responsibility with respect to further uses or disclosures by the health plan. In the example above, where a covered entity has a business associate contract with a lawyer, and the lawyer discloses protected health information to an expert witness in preparation for litigation, the lawyer again would have no responsibility under this subpart with respect to uses or disclosures by the expert witness, because such witness is not undertaking the functions, activities or services that the business associate lawyer has agreed to perform. However, if a covered entity contracts with a third party administrator to provide claims management, and the administrator delegates management of the pharmacy benefits to a third party, the business associate third party administrator must ensure that the pharmacy manager abides by the restrictions and conditions in the business associate contract between the covered entity and the third party administrator.

We provide in § 164.504(c)(3) several methods other than a business associate contract that will satisfy the requirement for satisfactory assurances under this section. First, when a government agency is a business associate of another government agency that is a covered entity, we permit memorandum of understanding between the agencies to constitute satisfactory assurance for the purposes of this rule, if the memorandum accomplishes each of the objectives of the business associate contract. We recognize that the relationships of government agencies are often organized as a matter of law, and that it is not always feasible for one agency to contract with another for all of the purposes provided for in this section. We also recognize that it may be incorrect to view one government agency as 'acting on behalf of" the other government agency; under law, each agency may be acting to fulfill a statutory mission. We note that in some instances, it may not be possible for the agencies to include the right to terminate the arrangement because the relationship may be established under law. In such instances, the covered entity government agency would need to fulfill the requirement to report known violations of the memorandum to the Secretary.

Where the covered entity is a government agency, we consider the satisfactory assurances requirement to be satisfied if other law contains requirements applicable to the business associate that accomplish each of the objectives of the business associate contract. We recognize that in some cases, covered entities that are government agencies may be able to impose the requirements of this section directly on the persons acting as their business associates. We also recognize that often one government agency is acting as a business associate of another government agency, and either party may have the legal authority to establish the requirements of this section by regulation. We believe that imposing these requirements directly on business associates provides greater protection than we can otherwise provide under this section, and so we recognize such other laws as sufficient to substitute for a business associate contract.

We also recognize that there may be some circumstances where the relationship between covered entities and business associates is otherwise mandated by law. In the final rule, we provide that where a business associate is required by law to act as a business associate to a covered entity, the covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirement to have a business associate contract (or, in the case of government agencies, a memorandum of understanding or law pertaining to the business associate) if it makes a good faith attempt the obtain satisfactory assurances required by this section and, if unable to do so, documents the attempt and the reasons that such assurances cannot be obtained. This provision addresses situations where law requires one party to act as the business associate of another party. The fact that the parties have contractual obligations that may be enforceable is not sufficient to meet the required by law test in this provision.

This provision recognizes that in some instances the law requires that a government agency act as a business associate of a covered entity. For example, the United States Department of Justice is required by law to defend tort suits brought against certain covered entities; in such circumstances, however, the United States, and not the individual covered entity, is the client and is potentially liable. In such situations, covered entities must be able to disclose protected health information needed to carry out the representation, but the particular requirements that would otherwise apply to a business associate relationship may not be possible to obtain. Subsection (iii) makes clear that, where the relationship is required by law, the covered entity complies with the rule if it attempts, in good faith, to obtain satisfactory assurances as are required by this paragraph and, if such attempt fails, documents the attempts and the reasons that such assurances cannot be obtained.

The operation of the final rule maintains the construction discussed in the preamble to the NPRM that a business associate (including a business associate that is a covered entity) that has business associate contracts with more than one covered entity generally may not use or disclose the protected health information that it creates or receives in its capacity as a business associate of one covered entity for the purposes of carrying out its responsibilities as a business associate of another covered entity, unless doing so would be a lawful use or disclosure for each of the covered entities and the business associate's contract with each of the covered entities permits the business associate to undertake the activity. For example, a business associate performing a function under health care operations on behalf of an organized health care arrangement would be permitted to combine or aggregate the protected health information obtained from covered entities participating in the arrangement to the extent necessary to carry out the authorized activity and in conformance with its business associate contracts. As described above, a business associate providing data aggregation services to different covered entities also could combine and use the protected health information of the covered entities to assist with their respective health care operations. A covered entity that is undertaking payment activities on behalf of different covered entities also may use or disclose protected health information obtained as a business associate of one covered entity when undertaking such activities as a business associate of another covered entity where the covered entities have authorized the activities and where they are necessary to secure payment for the entities. For example, when a group of providers share financial risk and contract with a business associate to conduct payment activities on their behalf, the business associate may use the protected health information received from the covered entities to assist them in managing their shared risk arrangement.

Finally, we note that the requirements imposed by this provision are intended to extend privacy protection to situations in which a covered entity discloses substantial amounts of protected health information to other persons so that those persons can perform functions or activities on its behalf or deliver specified services to it. A business associate contract basically requires the business associate to maintain the confidentiality of the protected health information that it receives and generally to use and disclose such information for the purposes for which it was provided. This requirement does not interfere with the relationship between a covered entity and business associate, or require the business associate to subordinate its professional judgment to that of a covered entity. Covered entities may rely on the professional judgment of their business associates as to the type and amount of protected health information that is necessary to carry out a permitted activity. The requirements of this provision are aimed at securing the continued confidentiality of protected health information disclosed to third parties that are serving the covered entity's interests.

Covered entities under HIPAA include health care clearinghouses, health care providers and health plans. Specifically included in the definition of "health plan" are group health plans (as defined in section 2791(a) of the Public Health Service Act) with 50 or more participants or those of any size that are administered by an entity other than the employer who established and maintains the plan. These group health plans may be fully insured or self-insured. Neither employers nor other group health plan sponsors are defined as covered entities. However, employers and other plan sponsors - particularly those sponsors with self-insured group health plans - may perform certain functions that are integrally related to or similar to the functions of group health plans and, in carrying out these functions, often require access to individual health information held by the group health plan.

Most group health plans are also regulated under the Employee Retirement Income Security Act of 1974 (ERISA). Under ERISA, a group health plan must be a separate legal entity from its plan sponsor. ERISA-covered group health plans usually do not have a corporate presence, in other words, they may not have their own employees and sometimes do not have their own assets (i.e., they may be fully insured or the benefits may be funded through the general assets of the plan sponsor, rather than through a trust). Often, the only tangible evidence of the existence of a group health plan is the contractual agreement that describes the rights and responsibilities of covered participants, including the benefits that are offered and the eligible recipients.

ERISA requires the group health plan to identify a "named fiduciary," a person responsible for ensuring that the plan is operated and administered properly and with ultimate legal responsibility for the plan. If the plan documents under which the group health plan was established and is maintained permit, the named fiduciary may delegate certain responsibilities to trustees and may hire advisors to assist it in carrying out its functions. While generally the named fiduciary is an individual, it may be another entity. The plan sponsor or employees of the plan sponsor are often the named fiduciaries. These structural and operational relationships present a problem in our ability to protect health information from being used inappropriately in employment-related decisions. On the one hand, the group health plan, and any health insurance issuer or HMO providing health insurance or health coverage to the group health plan, are covered entities under the regulation and may only disclose protected health information as authorized under the regulation or with individual consent. On the other hand, plan sponsors may need access to protected health information to carry out administration functions on behalf of the plan, but under circumstances in which securing individual consent is impractical. We note that we sometimes refer in the rule and preamble to health insurance issuers and HMOs that provide health insurance or health coverage to a group health plan as health insurance issuers or HMOs with respect to a group health plan.

The proposed rule used the health care component approach for employers and other plan sponsors. Under this approach, only the component of an employer or other plan sponsor would be treated as a covered entity. The component of the plan sponsor would have been able to use protected health information for treatment, payment, and health care operations, but not for other purposes, such as discipline, hiring and firing, placement and promotions. We have modified the final rule in a number of ways.

In the final rule, we recognize plan sponsors' legitimate need for health information in certain situations while, at the same time, protecting health information from being used for employment-related functions or for other functions related to other employee benefit plans or other benefits provided by the plan sponsor. We do not attempt to directly regulate employers or other plan sponsors, but pursuant to our authority to regulate health plans, we place restrictions on the flow of information from covered entities to non-covered entities.

The final rule permits group health plans, and allows them to authorize health insurance issuers or HMOs with respect to the group health plan, to disclose protected health information to plan sponsors if the plan sponsors voluntarily agree to use and disclose the information only as permitted or required by the regulation. The information may be used only for plan administration functions performed on behalf of the group health plan which are specified in plan documents. The group health plan is not required to have a business associate contract with the plan sponsor to disclose the protected health information or allow the plan sponsor to create protected health information on its behalf, if the conditions of § 164.504(e) are met.

In order for the group health plan to disclose protected health information to a plan sponsor, the plan documents under which the plan was established and is maintained must be amended to: (1) describe the permitted uses and disclosures of protected health information; (2) specify that disclosure is permitted only upon receipt of a certification from the plan sponsor that the plan documents have been amended and the plan sponsor has agreed to certain conditions regarding the use and disclosure of protected health information; and (3) provide adequate firewalls to: identify the employees or classes of employees who will have access to protected health information; restrict access solely to the employees identified and only for the functions performed on behalf of the group health plan; and provide a mechanism for resolving issues of noncompliance.

Any employee of the plan sponsor who receives protected health information for payment, health care operations or other matters related to the group health plan must be identified in the plan documents either by name or function. We assume that since individuals employed by the plan sponsor may change frequently, the group health plan would likely describe such individuals in a general manner. Any disclosure to employees or classes of employees not identified in the plan documents is not a permissible disclosure. To the extent a group health plan does have its own employees separate from the plan sponsor's employees, as the workforce of a covered entity (i.e. the group health plan), they also are bound by the permitted uses and disclosures of this rule.

The certification that must be given to the group health plan must state that the plan sponsor agrees to: (1) not use or further disclose protected health information other than as permitted or required by the plan documents or as required by law; (2) ensure that any subcontractors or agents to whom the plan sponsor provides protected health information agree to the same restrictions; (3) not use or disclose the protected health information for employment-related actions; (4) report to the group health plan any use or disclosure that is inconsistent with the plan documents or this regulation; (5) make the protected health information accessible to individuals; (6) allow individuals to amend their information; (7) provide an accounting of its disclosures; (8) make its practices available to the Secretary for determining compliance; (9) return and destroy all protected health information when no longer needed, if feasible; and (10) ensure that the firewalls have been established.

We have included this certification requirement in part, as a way to reduce the burden on health insurance issuers and HMOs. Without a certification, health insurance issuers and HMOs would need to review the plan documents in order to ensure that the amendments have been made before they could disclose protected health information to plan sponsors. The certification, however, is a simple statement that the amendments have been made and that the plan sponsor has agreed to certain restrictions on the use and disclosure of protected health information. The receipt of the certification therefore, is sufficient basis for the health insurance issuer or HMO to disclose protected health information to the plan sponsor.

Many activities included in the definitions of health care operations and payment are commonly referred to as plan administration functions in the ERISA group health plan context. For purposes of this rule, plan administration activities are limited to activities that would meet the definition of payment or health care operations, but do not include functions to modify, amend, or terminate the plan or solicit bids from prospective issuers. Plan administration functions include quality assurance, claims processing, auditing, monitoring, and management of carve-out plans - such as vision and dental. Under the final rule, "plan administration" does not include any employment-related functions or functions in connection with any other benefits or benefit plans, and group health plans may not disclose information for such purposes absent an authorization from the individual. For purposes of this rule, enrollment functions performed by the plan sponsor on behalf of its employees are not considered plan administration functions.

Plan sponsors have access to protected health information only to the extent group health plans have access to protected health information and plan sponsors are permitted to use or disclose protected health information only as would be permitted by group health plans. That is, a group health plan may permit a plan sponsor to have access to or to use protected health information only for purposes allowed by the regulation.

As explained above, where a group health plan purchases insurance or coverage from a health insurance issuer or HMO, the provision of insurance or coverage by the health insurance issuer or HMO to the group health plan does not make the health insurance issuer or HMO a business associate. In such case, the activities of the health insurance issuer or HMO are on their own behalf and not on the behalf of the group health plan. We note that where a group health plan contracts with a health insurance issuer or HMO to perform functions or activities or to provide services that are in addition to or not directly related to the provision of insurance, the health insurance issuer or HMO may be a business associate with respect to those additional functions, activities, or services. In addition, group health plans that provide health benefits only through an insurance contract and do not create, maintain, or receive protected health information (except for summary information described below or information that merely states whether an individual is enrolled in or has been disenrolled from the plan) do not have to meet the notice requirements of § 164.520 or the administrative requirements of § 164.530, except for the documentation requirement in § 164.530(j), because these requirements are satisfied by the issuer or HMO that is providing benefits under the group health plan. A group health plan, however, may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor unless the notice required in 164.520 indicate such disclosure may occur.

The final rule also permits a health plan that is providing insurance to a group health plan to provide summary information to the plan sponsor to permit the plan sponsor to solicit premium bids from other health plans or for the purpose of modifying, amending, or terminating the plan. The rule provides that summary information is information that summarizes claims history, claims expenses, or types of claims experienced by individuals for whom the plan sponsor has provided health benefits under a group health plan, provided that specified identifiers are not included. Summary information may be disclosed under this provision even if it does not meet the definition of de-identified information. As part of the notice requirements in § 164.520, health plans must inform individuals that they may disclose protected health information to plan sponsors. The provision to allow summaries of claims experience to be disclosed to plan sponsors that purchase insurance will allow them to shop for replacement coverage, and get meaningful bids from prospective issuers. It also permits a plan sponsor to get summary information as part of its consideration of whether or not to change the benefits that are offered or employees or whether or not to terminate a group health plan.

We note that a plan sponsor may perform enrollment functions on behalf of its employees without meeting the conditions above and without using the standard transactions described in the Transactions Rule.

Although not addressed in the proposed rule, this final rule also recognizes that a covered entity may as a single legal entity, affiliated entity, or other arrangement combine the functions or operations of health care providers, health plans and health care clearinghouses (for example, integrated health plans and health care delivery systems may function as both health plans and health care providers). The rule permits such covered entities to use or disclose the protected health information of its patients or members for all covered entity functions, consistent with the other requirements of this rule. The health care component must meet the requirements of this rule that apply to a particular type of covered entity when it is functioning as that entity; e.g., when a health care component is operating as a health care provider it must meet the requirements of this rule applicable to a health care provider. However, such covered entities may not use or disclose the protected health information of an individual who is not involved in a particular covered entity function for that function, and such information must be segregated from any joint information systems. For example, an HMO may integrate data about health plan members and clinic services to members, but a health care system may not share information about a patient in its hospital with its health plan if the patient is not a member of the health plan.