Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Section 164.504(d) - Affiliated Entities


Some legally distinct covered entities may share common administration of organizationally differentiated but similar activities (for example, a hospital chain). In § 164.504(d) we permit legally distinct covered entities that share common ownership or control to designate themselves, or their health care components, together to be a single covered entity. Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity. Common ownership exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.

Such organizations may promulgate a single shared notice of information practices and a consent form. For example, a corporation with hospitals in twenty states may designate itself as a covered entity and, therefore, able to merge information for joint marketplace analyses. The requirements that apply to a covered entity also apply to an affiliated covered entity. For example, under the minimum necessary provisions, a hospital in one state could not share protected health information about a particular patient with another hospital if such a use is not necessary for treatment, payment or health care operations. The covered entities that together make up the affiliated covered entity are separately subject to liability under this rule. The safeguarding requirements for affiliated covered entities track the requirements that apply to health care components.