The discussion below describes the entities and the information that are
subject to the final regulation.
Many of the provisions of the regulation are presented as “standards.”
Generally, the standards indicate what must be accomplished under the
regulation and implementation specifications describe how the standards must
be achieved.
Covered Entities
We proposed in the NPRM to apply the standards in the regulation to health
plans, health care clearinghouses, and to any health care provider who
transmits health information in electronic form in connection with
transactions referred to in section 1173(a)(1) of the Act. The proposal
referred to these entities as “covered entities.”
We have revised § 164.500 to clarify the applicability of the rule to
health care clearinghouses. As we stated in the preamble to the NPRM, we
believe that in most instances health care clearinghouses will receive
protected health information as a business associate to another covered
entity. This understanding was confirmed by the comments and by our fact
finding. Clearinghouses rarely have direct contact with individuals, and
usually will not be in a position to create protected health information or to
receive it directly from them. Unlike health plans and providers,
clearinghouses usually convey and repackage information and do not add
materially to the substance of protected health information of an individual.
The revised language provides that clearinghouses are not subject to
certain requirements in the rule when acting as business associates of other
covered entities. As revised, a clearinghouse acting as a business associate
is subject only to the provisions of this section, to the definitions, to the
general rules for uses and disclosures of protected health information
(subject to limitations), to the provision relating to health care components,
to the provisions relating to uses and disclosures for which consent,
individual authorization or an opportunity to agree or object is not required
(subject to limitations), to the transition requirements and to the compliance
date. With respect to the uses and disclosures authorized under § 164.502 or §
164.512, a clearinghouse acting as a business associate is not authorized by
the rule to make any use or disclosure not permitted by its business associate
contract. Clearinghouses acting as business associates are not subject to the
other requirements of this rule, which include the provisions relating to
procedural requirements, requirements for obtaining consent, individual
authorization or agreement, provision of a notice, individual rights to
request privacy protection, access and amend information and receive an
accounting of disclosures and the administrative requirements.
We note that, even as business associates, clearinghouses remain covered
entities.
Clearinghouses, like other covered entities, are responsible under this
regulation for abiding by the terms of business associate contracts. For
example, while the provisions regarding individuals’ access to and right to
request corrections to protected health information about them apply only to
health plans and covered health care providers, clearinghouses may have some
responsibility for providing such access under their business associate
contracts. A clearinghouse (or any other covered entity) that violates the
terms of a business associate contract also is in direct violation of this
rule and, as a covered entity, is subject to compliance and enforcement
action.
We clarify that a covered entity is only subject to these rules to the
extent that it possesses protected health information. Moreover, these rules
only apply with regard to protected health information. For example, if a
covered entity does not disclose or receive from its business associate any
protected health information and no protected health information is created or
received by its business associate on behalf of the covered entity, then the
business associate requirements of this rule do not apply.
We clarify that the Department of Defense or any other federal agency, and
any non-governmental organization acting on its behalf, is not subject to this
rule when it provides health care in another country to foreign national
beneficiaries. The Secretary believes that this exemption is warranted because
application of the rule could have the unintended effect of impeding or
frustrating the conduct of such activities, such as interfering with the
ability of military command authorities to obtain protected health information
on prisoners of war, refugees, or detainees for whom they are responsible
under international law. See the preamble to the definition of “individual”
for further discussion.
Covered Information
We proposed in the NPRM to apply the requirements of the rule to
individually identifiable health information that is or has been
electronically transmitted or maintained by a covered entity. The provisions
would have applied to the information itself, referred to as protected health
information in the rule, and not to the particular records in which the
information is contained. We proposed that once information was maintained or
transmitted electronically by a covered entity, the protections would follow
the information in whatever form, including paper records, in which it exists
while held by a covered entity. The proposal would not have applied to
information that was never electronically maintained or transmitted by a
covered entity.
In the final rule, we extend the scope of protections to all individually
identifiable health information in any form, electronic or non-electronic,
that is held or transmitted by a covered entity. This includes individually
identifiable health information in paper records that never has been
electronically stored or transmitted. (See § 164.501, definition of “protected
health information,” for further discussion.)