Is a health information organization (HIO) covered by the HIPAA Privacy Rule?
Generally, no. The HIPAA Privacy Rule applies to health plans, health care clearinghouses, and health care providers that conduct covered transactions. The functions a HIO typically performs do not make it a health plan, health care clearinghouse, or covered health care provider. Thus, a HIO is generally not a HIPAA covered entity. However, a HIO that performs certain functions or activities on behalf of, or provides certain services to, a covered entity which require access to PHI would be a business associate under the Privacy Rule. See 45 C.F.R. § 160.103 (definition of “business associate”). HIPAA covered entities must enter into contracts or other agreements with their business associates that require the business associates to safeguard and appropriately protect the privacy of protected health information. See 45 C.F.R. §§ 164.502(e), 164.504(e). (See also the relevant business associate requirements in the HIPAA Security Rule at 45 C.F.R. §§ 164.308(b), 164.314(a).) For instance
Related Questions
- What are a covered entity’s obligations under the HIPAA Privacy Rule with respect to protected health information held by a business associate during the contract transition period?
- Does the HIPAA Privacy Rule require a covered entity to create an Institutional Review Board (IRB) or Privacy Board before using or disclosing protected health information for research?
- What are a covered entitys obligations under the HIPAA Privacy Rule with respect to protected health information held by a business associate during the contract transition period?
