§ 164.314 Organizational requirements
§ 164.314 Organizational requirements.
(a)
(1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.
(2) Implementation specifications (Required) -
(i) Business associate contracts. The contract must provide that the business associate will -
(A) Comply with the applicable requirements of this subpart;
(B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and
(C) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.
(ii) Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3).
(iii) Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.
(b)
(1) Standard: Requirements for group health plans. Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.
(2) Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to -
(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;
(ii) Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;
(iii) Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and
(iv) Report to the group health plan any security incident of which it becomes aware.
[68 FR 8376, Feb. 20, 2003, as amended at 78 FR 5694, Jan. 25, 2013; 78 FR 34266, June 7, 2013]
| Large Health System Restricts Provider's Use of Patient Records Covered Entity: Multi-Hospital Healthcare Provider Issue: Impermissible Use A nurse practitioner who has privileges at a multi-hospital health care system and who is part of the system’s organized health care arrangement impermissibly accessed the medical records of her ex-husband. In order to resolve this matter to OCR’s satisfaction and to prevent a recurrence, the covered entity: terminated the nurse practitioner’s access to its electronic records system; reported the nurse practitioner’s conduct to the appropriate licensing authority; and, provided the nurse practitioner with remedial Privacy Rule training. ...read more |
| Health Sciences Center Revises Process to Prevent Unauthorized Disclosures to Employers Covered Entity: General Hospitals Issue: Impermissible Uses and Disclosures; Authorizations A state health sciences center disclosed protected health information to a complainant's employer without authorization. Among other corrective actions to resolve the specific issues in the case, including mitigation of harm to the complainant, OCR required the Center to revise its procedures regarding patient authorization prior to release of protected health information to an employer. All staff was trained on the revised procedures. ...read more |
| Hospital Revises Email Distribution as a Result of a Disclosure to Persons Without a "Need to Know" Covered Entity: General Hospital Issue: Impermissible Use and Disclosure A complainant, who was both a patient and an employee of the hospital, alleged that her protected health information (PHI) was impermissibly disclosed to her supervisor. OCR’s investigation revealed that: the hospital distributed an Operating Room (OR) schedule to employees via email; the hospital’s OR schedule contained information about the complainant’s upcoming surgery. While the Privacy Rule may permit the disclosure of an OR schedule containing PHI, in this case, a hospital employee ...read more |
| Clinic Sanctions Supervisor for Accessing Employee Medical Record Covered Entity: Outpatient Facility Issue: Impermissible Use and Disclosure A hospital employee's supervisor accessed, examined, and disclosed an employee's medical record. OCR's investigation confirmed that the use and disclosure of protected health information by the supervisor was not authorized by the employee and was not otherwise permitted by the Privacy Rule. An employee's medical record is protected by the Privacy Rule, even though employment records held by a covered entity in its role as employer are not. Among other corrective actions to resolve the specific issues in the case, a letter ...read more |
|
July 2025
| Su | Mo | Tu | We | Th | Fr | Sa |
| | 1 | 2 | 3 | 4 | 5 |
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 | 31 |
|
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54)
January 2025 (1)
Blog Labels
HIPAA Enforcement (3)
PPP Fraud (1)
Telehealth (1)
Covered Entity (40)
BAA (4)
Data Breach (1)
ePHI (2)
HIPAA (2)
EHR Fraud (1)
|
