
HIPAA REGULATIONS AND LAWS

APPLICABILITY - SECTION 164.500
As Contained in the HHS Final HIPAA Privacy Rules

  HHS Regulations as Amended August 2002 - Applicability - § 164.500  

  1. Except as otherwise provided herein, the standards, requirements, and implementation specifications of this subpart apply to covered entities with respect to protected health information.

  2. Health care clearinghouses must comply with the standards, requirements, and implementation specifications as follows:

     

    1. When a health care clearinghouse creates or receives protected health information as a business associate of another covered entity, the clearinghouse must comply with:

       

      1. Section 164.500 relating to applicability;

      2. Section 164.501 relating to definitions;

      3. Section 164.502 relating to uses and disclosures of protected health information, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;

      4. Section 164.504 relating to the organizational requirements for covered entities, including the designation of health care components of a covered entity; [Clause deleted by the Security Regulations]

      5. Section 164.512 relating to uses and disclosures for which individual authorization or an opportunity to agree or object is not required, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;

      6. Section 164.532 relating to transition requirements; and

      7. Section 164.534 relating to compliance dates for initial implementation of the privacy standards.

       

    2. When a health care clearinghouse creates or receives protected health information other than as a business associate of a covered entity, the clearinghouse must comply with all of the standards, requirements, and implementation specifications of this subpart.

     

  3. The standards, requirements, and implementation specifications of this subpart do not apply to the Department of Defense or to any other federal agency, or non-governmental organization acting on its behalf, when providing health care to overseas foreign national beneficiaries.

 

  HHS Description from Original Rulemaking - Applicability
 

The discussion below describes the entities and the information that are subject to the final regulation.

Many of the provisions of the regulation are presented as “standards.” Generally, the standards indicate what must be accomplished under the regulation and implementation specifications describe how the standards must be achieved.

Covered Entities

We proposed in the NPRM to apply the standards in the regulation to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act. The proposal referred to these entities as “covered entities.”

We have revised § 164.500 to clarify the applicability of the rule to health care clearinghouses. As we stated in the preamble to the NPRM, we believe that in most instances health care clearinghouses will receive protected health information as a business associate to another covered entity. This understanding was confirmed by the comments and by our fact finding. Clearinghouses rarely have direct contact with individuals, and usually will not be in a position to create protected health information or to receive it directly from them. Unlike health plans and providers, clearinghouses usually convey and repackage information and do not add materially to the substance of protected health information of an individual.

The revised language provides that clearinghouses are not subject to certain requirements in the rule when acting as business associates of other covered entities. As revised, a clearinghouse acting as a business associate is subject only to the provisions of this section, to the definitions, to the general rules for uses and disclosures of protected health information (subject to limitations), to the provision relating to health care components, to the provisions relating to uses and disclosures for which consent, individual authorization or an opportunity to agree or object is not required (subject to limitations), to the transition requirements and to the compliance date. With respect to the uses and disclosures authorized under § 164.502 or § 164.512, a clearinghouse acting as a business associate is not authorized by the rule to make any use or disclosure not permitted by its business associate contract. Clearinghouses acting as business associates are not subject to the other requirements of this rule, which include the provisions relating to procedural requirements, requirements for obtaining consent, individual authorization or agreement, provision of a notice, individual rights to request privacy protection, access and amend information and receive an accounting of disclosures and the administrative requirements.

We note that, even as business associates, clearinghouses remain covered entities.

Clearinghouses, like other covered entities, are responsible under this regulation for abiding by the terms of business associate contracts. For example, while the provisions regarding individuals’ access to and right to request corrections to protected health information about them apply only to health plans and covered health care providers, clearinghouses may have some responsibility for providing such access under their business associate contracts. A clearinghouse (or any other covered entity) that violates the terms of a business associate contract also is in direct violation of this rule and, as a covered entity, is subject to compliance and enforcement action.

We clarify that a covered entity is only subject to these rules to the extent that they possess protected health information. Moreover, these rules only apply with regard to protected health information. For example, if a covered entity does not disclose or receive from its business associate any protected health information and no protected health information is created or received by its business associate on behalf of the covered entity, then the business associate requirements of this rule do not apply.

We clarify that the Department of Defense or any other federal agency and any non-governmental organization acting on its behalf, is not subject to this rule when it provides health care in another country to foreign national beneficiaries. The Secretary believes that this exemption is warranted because application of the rule could have the unintended effect of impeding or frustrating the conduct of such activities, such as interfering with the ability of military command authorities to obtain protected health information on prisoners of war, refugees, or detainees for whom they are responsible under international law. See the preamble to the definition of “individual” for further discussion.

Covered Information

We proposed in the NPRM to apply the requirements of the rule to individually identifiable health information that is or has been electronically transmitted or maintained by a covered entity. The provisions would have applied to the information itself, referred to as protected health information in the rule, and not to the particular records in which the information is contained. We proposed that once information was maintained or transmitted electronically by a covered entity, the protections would follow the information in whatever form, including paper records, in which it exists while held by a covered entity. The proposal would not have applied to information that was never electronically maintained or transmitted by a covered entity.

In the final rule, we extend the scope of protections to all individually identifiable health information in any form, electronic or non-electronic, that is held or transmitted by a covered entity. This includes individually identifiable health information in paper records that never has been electronically stored or transmitted. (See § 164.501, definition of “protected health information,” for further discussion.)

 

  HHS Response to Comments Received from Original Rulemaking - Applicability  

Covered Entities

The response to comments on covered entities is included in the response to comments on the definition of “covered entity” in the preamble discussion of § 160.103.

Covered Information

The response to comments on covered information is included in the response to comments on the definition of “protected health information” in the preamble discussion of § 164.501.

 


HIPAA PRIVACY VIOLATION PENALTIES:

Civil Penalties:

1. $100 or more for each violation, or

2. $25,000 annual limit for all violations of an identical prohibition or requirement

Criminal Penalties:

1. Up to $50,000 - $250,000 and

2. 1 to 10 years in prison
