ORGANIZATIONAL REQUIREMENTS SECTION 164.105
As Contained in the HHS Final HIPAA Security Rules
HHS Security Regulations Organizational Requirements - § 164.105
Standard: Health care component. If a covered entity is a hybrid entity, the requirements of subparts C and E of this part, other than the requirements of this section, § 164.314, and § 164.504, apply only to the health care component(s) of the entity, as specified in this section.
Implementation specifications:
Application of other provisions. In applying a provision of subparts C and E of this part, other than the requirements of this section, § 164.314, and § 164.504, to a hybrid entity:
A reference in such provision to a "covered entity" refers to a health care component of the covered entity;
A reference in such provision to a "health plan," "covered health care provider," or "health care clearinghouse," refers to a health care component of the covered entity if such health care component performs the functions of a health plan, health care provider, or health care clearinghouse, as applicable;
A reference in such provision to "protected health information" refers to protected health information that is created or received by or on behalf of the health care component of the covered entity; and
A reference in such provision to "electronic protected health information" refers to electronic protected health information that is created, received, maintained, or transmitted by or on behalf of the health care component of the covered entity.
Safeguard requirements. The covered entity that is a hybrid entity must ensure that a health care component of the entity complies with the applicable requirements of this section and subparts C and E of this part. In particular, and without limiting this requirement, such covered entity must ensure that:
Its health care component does not disclose protected health information to another component of the covered entity in circumstances in which subpart E of this part would prohibit such disclosure if the health care component and the other component were separate and distinct legal entities;
Its health care component protects electronic protected health information with respect to another component of the covered entity to the same extent that it would be required under subpart C of this part to protect such information if the health care component and the other component were separate and distinct legal entities;
A component that is described by paragraph (a)(2)(iii)(C)(2) of this section does not use or disclose protected health information that it creates or receives from or on behalf of the health care component in a way prohibited by subpart E of this part;
A component that is described by paragraph (a)(2)(iii)(C)(2) of this section that creates, receives, maintains, or transmits electronic protected health information on behalf of the health care component is in compliance with subpart C of this part; and
If a person performs duties for both the health care component in the capacity of a member of the workforce of such component and for another component of the entity in the same capacity with respect to that component, such workforce member must not use or disclose protected health information created or received in the course of or incident to the member's work for the health care component in a way prohibited by subpart E of this part.
Responsibilities of the covered entity. A covered entity that is a hybrid entity has the following responsibilities:
For purposes of subpart C of part 160 of this subchapter, pertaining to compliance and enforcement, the covered entity has the responsibility of complying with subpart E of this part.
The covered entity is responsible for complying with § 164.316(a) and § 164.530(i), pertaining to the implementation of policies and procedures to ensure compliance with applicable requirements of this section and subparts C and E of this part, including the safeguard requirements in paragraph (a)(2)(ii) of this section.
The covered entity is responsible for designating the components that are part of one or more health care components of the covered entity and documenting the designation in accordance with paragraph (c) of this section, provided that, if the covered entity designates a health care component or components, it must include any component that would meet the definition of covered entity if it were a separate legal entity. Health care component(s) also may include a component only to the extent that it performs:
Covered functions; or
Activities that would make such component a business associate of a component that performs covered functions if the two components were separate legal entities.
Standard: Affiliated covered entities. Legally separate covered entities that are affiliated may designate themselves as a single covered entity for purposes of subparts C and E of this part.
Implementation specifications:
Requirements for designation of an affiliated covered entity.
Legally separate covered entities may designate themselves (including any health care component of such covered entity) as a single affiliated covered entity, for purposes of subparts C and E of this part, if all of the covered entities designated are under common ownership or control.
The designation of an affiliated covered entity must be documented and the documentation maintained as required by paragraph (c) of this section.
Safeguard requirements. An affiliated covered entity must ensure that:
The affiliated covered entity's creation, receipt, maintenance, or transmission of electronic protected health information complies with the applicable requirements of subpart C of this part;
The affiliated covered entity's use and disclosure of protected health information comply with the applicable requirements of subpart E of this part; and
If the affiliated covered entity combines the functions of a health plan, health care provider, or health care clearinghouse, the affiliated covered entity complies with § 164.308(a)(4)(ii)(A) and § 164.504(g), as applicable.
Standard: Documentation. A covered entity must maintain a written or electronic record of a designation as required by paragraphs (a) or (b) of this section.
Implementation specification: Retention period. A covered entity must retain the documentation as required by paragraph (c)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
HHS Description Organizational Requirements
From Privacy Regulations
Affiliated Covered Entity
Some legally distinct covered entities may share common administration of organizationally differentiated but similar activities (for example, a hospital chain). In § 164.504(d) we permit legally distinct covered entities that share common ownership or control to designate themselves, or their health care components, together to be a single covered entity. Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity. Common ownership exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.
Such organizations may promulgate a single shared notice of information practices and a consent form. For example, a corporation with hospitals in twenty states may designate itself as a covered entity and, therefore, be able to merge information for joint marketplace analyses. The requirements that apply to a covered entity also apply to an affiliated covered entity. For example, under the minimum necessary provisions, a hospital in one state could not share protected health information about a particular patient with another hospital if such a use is not necessary for treatment, payment or health care operations. The covered entities that together make up the affiliated covered entity are separately subject to liability under this rule. The safeguarding requirements for affiliated covered entities track the requirements that apply to health care components.
HHS Response to Comments Received Organizational Requirements
For HHS Response to Comments Received regarding Affiliated Covered Entity, see § 164.504(a).