I know the Security Rule would now apply to business associates. What about the Privacy Rule?
Yes, the proposed modifications make clear, consistent with the HITECH Act, that, where provided, the standards, requirements, and implementation specifications of the Privacy Rule apply to business associates. Specifically, among other things: • a business associate may not use or disclose PHI except as permitted or required by the Privacy Rule or the Enforcement Rule; • a business associate may use or disclose PHI only as permitted or required by its business associate contracts or as required by law; • if a covered entity and business associate have failed to enter into a business associate contract or other arrangement, then the business associate may use or disclose PHI only as necessary to perform its obligations for the covered entity (pursuant to whatever agreement sets the general terms for the relationship between the covered entity and business associate) or as required by law; • a business associate may not use or disclose PHI in a manner that would violate the Privacy Rule
Related Questions
- Are the following entities considered business associates under the Privacy Rule: U.S. Postal Service, United Parcel Service, delivery truck line employees and/or their management?
- Are the following entities considered business associates under the Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?
- Who is a "Covered Entity" under HIPAA?
