Proposed Revisions, Federal Register, 3/27/2002

Existing Language, Final Rule, 12/28/2000

§ 164.504 Uses and disclosures: Organizational requirements.

§ 164.504 Uses and disclosures: Organizational requirements.

(a) Definitions. As used in this section:

(a) Definitions. As used in this section:

Health care component means a component or combination of components of a hybrid entity designated by the hybrid entity in accordance with paragraph (c)(3)(iii) of this section.

[delete and replace]

Health care component has the following meaning:

(1) Components of a covered entity that perform covered functions are part of the health care component.

(2) Another component of the covered entity is part of the entity’s health care component to the extent that:

(i) It performs, with respect to a component that performs covered functions, activities that would make such other component a business associate of the component that performs covered functions if the two components were separate legal entities; and

(ii) The activities involve the use or disclosure of protected health information that such other component creates or receives from or on behalf of the component that performs covered functions.

[Note elimination of term “primary” from the proposed definition.]

Hybrid entity means a single legal entity:

(1) That is a covered entity;

(2) Whose business activities include both covered and non-covered functions; and

(3) That designates health care components in accordance with paragraph (c)(3)(iii) of this section.

Hybrid entity means a single legal entity that is a covered entity and whose covered functions are not its primary functions.

(c)(1) Implementation specification: application of other provisions. In applying a provision of this subpart, other than this section, to a hybrid entity:

(c)(1) Implementation specification: application of other provisions. In applying a provision of this subpart, other than this section, to a hybrid entity:

[no change in (i)]

(i) A reference in such provision to a “covered entity” refers to a health care component of the covered entity;

[clarifying deletion of “covered” in (ii)]

(ii) A reference in such provision to a “health plan,” “covered health care provider,” or “health care clearinghouse” refers to a health care component of the covered entity if such health care component performs the functions of a health plan, health care provider, or health care clearinghouse, as applicable; and

[no change in (iii)]

(ii) A reference in such provision to a “health plan,” “covered health care provider,” or “health care clearinghouse” refers to a health care component of the covered entity if such health care component performs the functions of a health plan, covered health care provider, or health care clearinghouse, as applicable; and

(iii) A reference in such provision to “protected health information” refers to protected health information that is created or received by or on behalf of the health care component of the covered entity.

(2) Implementation specifications: safeguard requirements.

[no change in (2)]

(2) Implementation specifications: safeguard requirements. The covered entity that is a hybrid entity must ensure that a health care component of the entity complies with the applicable requirements of this subpart. In particular, and without limiting this requirement, such covered entity must ensure that:

(i) Its health care component does not disclose protected health information to another component of the covered entity in circumstances in which this subpart would prohibit such disclosure if the health care component and the other component were separate and distinct legal entities;

(ii) A component that is described by paragraph (2)(i) of the definition of health care component in this section does not use or disclose protected health information that is within paragraph (2)(ii) of such definition for purposes of its activities other than those described by paragraph (2)(i) of such definition in a way prohibited by this subpart; and

(iii) If a person performs duties for both the health care component in the capacity of a member of the workforce of such component and for another component of the entity in the same capacity with respect to that component, such workforce member must not use or disclose protected health information created or received in the course of or incident to the member’s work for the health care component in a way prohibited by this subpart. 

(3) Implementation specifications: responsibilities of the covered entity.

[no changes in (3)(i) and (ii)]

(3) Implementation specifications: responsibilities of the covered entity. A covered entity that is a hybrid entity has the following responsibilities:

(i) For purposes of subpart C of part 160 of this subchapter, pertaining to compliance and enforcement, the covered entity has the responsibility to comply with this subpart.

(ii) The covered entity has the responsibility for complying with § 164.530(i), pertaining to the implementation of policies and procedures to ensure compliance with this subpart, including the safeguard requirements in paragraph (c)(2) of this section.

(iii) The covered entity is responsible for designating the components that are part of one or more health care components of the covered entity and documenting the designation as required by § 164.530(j), provided that if the covered entity designates a health care component or components, it must include any component that would meet the definition of covered entity if it were a separate legal entity. Health care component(s) may include a component that performs:

(A) covered functions; and

(B) activities that would make such component a business associate of a component that performs covered functions if the two components were separate legal entities.

 (iii) The covered entity is responsible for designating the components that are part of one or more health care components of the covered entity and documenting the designation as required by § 164.530(j).