We counsel healthcare providers and
other covered entities on HIPAA and state privacy law compliance, breach response, crisis management, and regulatory investigations and audits.
«So it's not imposing anything more than what is imposed
on any
other entity that is
covered by the Smoke-Free Air Act,» said City Councilman Vincent Gentile of Brooklyn.
A
covered employer or
other entity fails to make a reasonable accommodation and cannot demonstrate that the request is an undue hardship
on the employer.
-- When assigning remedies to individuals found to have a valid claim under the Acts referred to in paragraph (2), the Select Committee
on Ethics, or such
other entity as the Senate may designate, should to the extent practicable apply the same remedies applicable to all
other employees
covered by the Acts referred to in paragraph (2).
Defines «reporting
entity» to mean: (1) a
covered entity; (2) an
entity that would be
covered if it had emitted, produced, imported, manufactured, or delivered in 2008 or any subsequent year more than the applicable threshold level of carbon dioxide; (3)
other entities that EPA determines will help achieve overall goals of reducing global warming pollution; (4) any vehicle fleet with emissions of more than 25,000 tons of carbon dioxide equivalent
on an annual basis, if its inclusion will help achieve such reduction; (5) any
entity that delivers electricity to a facility in an energy-intensive industrial sector that meets the energy or GHG intensity criteria.
If the Administrator determines, based
on consideration of environmental effectiveness, cost effectiveness, administrative feasibility, extent of coverage of emissions, competitiveness and
other relevant considerations consistent with the purposes of this title, that emissions of non-HFC fluorinated gases can best be regulated by designating downstream emission sources as
covered entities with compliance obligations under section 722, the Administrator shall, after notice and comment rulemaking, change the definition of
covered entity and the compliance obligations under section 722 with respect to non-HFC fluorinated gases accordingly, consistent with the purposes of this title, and establish such
other requirements as are necessary to ensure compliance for such
entities with the requirements of this title.
A
covered entity's allowable emissions level for each calendar year is the number of emission allowances (or offset credits or
other allowances as provided in subsection (d)) it holds as of 12:01 a.m.
on April 1 (or a later date established by the Administrator under subsection (j)) of the following calendar year.
The law requires an employer or
other covered entity to reasonably accommodate an employee's religious beliefs or practices, unless doing so would cause more than a minimal burden
on the operations of the employer's business.
The regulation does not specify the form that the program must take, but requires that it be «designed to perform the following core cybersecurity functions:» (1) identify internal and external cyber risks by, at a minimum, identifying the Nonpublic Information stored
on the
Covered Entity's Information Systems, the sensitivity of such Nonpublic Information, and how and by whom such Nonpublic Information may be accessed; (2) use defensive infrastructure and the implementation of policies and procedures to protect the company's Information Systems and the Nonpublic Information stored
on those Information Systems, from unauthorized access, use or
other malicious acts; (3) detect Cybersecurity Events - which are defined broadly to include «any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored
on an Information System;» (4) respond to identified or detected Cybersecurity Events to mitigate any negative effects; (5) recover from Cybersecurity Events and restore normal operations and services; and (6) fulfill all regulatory reporting obligations.
Rather, we allow
covered entities to disclose protected health information to law enforcement when the subpoena or
other administrative request indicates
on its face that the three-part test has been met, or where a separate document so indicates.
(i)
On behalf of such
covered entity or of an organized health care arrangement (as defined in § 164.501 of this subchapter) in which the
covered entity participates, but
other than in the capacity of a member of the workforce of such
covered entity or arrangement, performs, or assists in the performance of:
We note that under § 164.508 (b)(3)(iii), the
covered entity may combine the research-related authorization required under § 164.508 (f) with any
other authorization for the use or disclosure of protected health information (
other than psychotherapy notes), provided that the
covered entity does not condition the provision of treatment
on the individual signing the authorization.
We note that there may be
other instances in which a business associate may combine or aggregate protected health information received in its capacity as a business associate of different
covered entities, such as when it is performing health care operations
on behalf of
covered entities that participate in an organized health care arrangement.
We proposed to prohibit
covered entities from conditioning treatment or payment
on authorization for the use or disclosure of any
other protected health information (see proposed § 164.508 (a)(2)(iii)).
They expressed concern that
covered entities could refuse or delay compliance with legally mandated disclosures by misplaced reliance
on a rule that permits, but does not require, a use or disclosure required by
other law.
Other than as described below, § 164.508 (b)(3) prohibits a
covered entity from acting
on an authorization required under this rule that is combined with any
other document, including any
other written legal permission from the individual.
The majority of commenters
on this topic, however, argued that a signed acknowledgment would be administratively burdensome, inconsistent with the intent of the Administrative Simplification requirements of HIPAA, impossible to achieve for incapacitated individuals, difficult to achieve for
covered entities that do not have direct contact with patients, inconsistent with
other notice requirements under
other laws, misleading to individuals who might interpret their signature as an agreement, inimical to the concept of permitting uses and disclosures without authorization, and an insufficient substitute for authorization.
On the
other hand, several
other commenters supported applying the minimum necessary standard to
covered entities' disclosures to financial institutions for payment processing.
Other sections of this rule allow
covered entities to reasonably rely
on certain representations by law enforcement officials (see § 164.514, regarding verification,) and require disclosure of the minimum necessary protected health information for this purpose.
Comment: The NPRM proposed that
covered entities, upon accepting a request for amendment, make reasonable efforts to notify those persons the individual identifies, and
other persons whom the
covered entity knows have received the erroneous or incomplete information and who may have relied, or could foreseeably rely,
on such information to the detriment of the individual.
The rule waives the requirement for individual agreement if the victim is unable to agree due to incapacity or
other emergency circumstance and: (1) The law enforcement official represents that the protected health information is needed to determine whether a violation of law by a person
other than the victim has occurred and the information is not intended to be used against the victim; (2) the law enforcement official represents that immediate law enforcement activity that depends
on such disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and (3) the
covered entity, in the exercise of professional judgment, determines that the disclosure is in the individual's best interests.
If under applicable law a parent, guardian, or
other person acting in loco parentis has authority to act
on behalf of an individual who is an unemancipated minor in making decisions related to health care, a
covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if:
(2) A
covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or
on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of
other covered entities participating in such organized health care arrangement.
These and
other health insurance or provider programs operated by the federal government are subject to requirements placed
on covered entities under this rule, including, but not limited to, those outlined in Section D of the impact analysis.
We do not consider a financial institution to be acting
on behalf of a
covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or
other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any
other activity that directly facilitates or effects the transfer of funds for compensation for health care.
In the NPRM we proposed to permit
covered entities to disclose, in connection with routine banking activities or payment by debit, credit, or
other payment card, or
other payment means, the minimum amount of protected health information necessary to complete a banking or payment activity to financial institutions or to
entities acting
on behalf of financial institutions to authorize, process, clear, settle, bill, transfer, reconcile, or collect payments for financial institutions.
(B) Quality assessment and improvement activities, in which treatment provided by participating
covered entities is assessed by
other participating
covered entities or by a third party
on their behalf; or
Other comments asked whether
covered entities can rely
on the assurances of a third party, such as a government
entity, that a valid authorization has been obtained to use or disclose protected health information.
In addition, these
covered providers may elect to reach agreements with
other entities to distribute their notice
on their behalf, or to participate in an organized health care arrangement that produces a joint notice.
We also include within the definition an organized system of health care in which more than one
covered entity participates, and in which the participating
covered entities hold themselves out to the public as participating in a joint arrangement, and in which the joint activities of the participating
covered entities include at least one of the following: utilization review, in which health care decisions by participating
covered entities are reviewed by
other participating
covered entities or by a third party
on their behalf; quality assessment and improvement activities, in which treatment provided by participating
covered entities is assessed by
other participating
covered entities or by a third party
on their behalf; or payment activities, if the financial risk for delivering health care is shared in whole or in part by participating
covered entities through the joint arrangement and if protected health information created or received by a
covered entity is reviewed by
other participating
covered entities or by a third party
on their behalf for the purpose of administering the sharing of financial risk.
However, to ensure that this rule does not inadvertently cause
covered entities to second-guess the professional judgment of the attorneys and
other professionals they hire, we modify the proposed policies to explicitly allow
covered entities to rely
on the representation of a professional hired to provide professional services as to what information is the minimum necessary for that purpose.
The final rule waives the requirement for agreement if the
covered entity is unable to obtain the individual's agreement due to incapacity or
other emergency circumstance, and (1) the law enforcement official represents that the information is needed to determine whether a violation of law by a person
other than the victim has occurred and the information is not intended to be used against the victim; (2) the law enforcement official represents that immediate law enforcement activity that depends
on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and (3) the
covered entity determines, in the exercise of professional judgment, that the disclosure is in the individual's best interests.
On the
other hand, if a statute stated that a
covered entity may or is permitted to report the names of all individuals presenting with gun shot wounds to the emergency room and, in turn, would receive $500 for each month it made these reports, a
covered entity would not be permitted by § 164.512 (a) to disclose the protected health information.
In the proposed rule,
other than for purposes of consultation or referral for treatment, we would have allowed a
covered entity to disclose protected health information to a business partner only pursuant to a written contract that would, among
other specified provisions, limit the business partner's uses and disclosures of protected health information to those permitted by the contract, and would impose certain security, inspection and reporting requirements
on the business partner.
Section 164.512 (k) of the final rule states that while individuals are in a correctional facility or in the lawful custody of a law enforcement official,
covered entities (for example, the prison's clinic) can use or disclose protected health information about these individuals without authorization to the correctional facility or the law enforcement official having custody as necessary for: (1) The provision of health care to such individuals; (2) the health and safety of such individual or
other inmates; (3) the health and safety of the officers of employees of or
others at the correctional institution; and (4) the health and safety of such individuals and officers or
other persons responsible for the transporting of inmates or their transfer from one institution or facility to another; (5) law enforcement
on the premises of the correctional institution; and (6) the administration and maintenance of the safety, security, and good order of the correctional institution.
Lastly, we clarify that health care providers who do not submit HIPAA transactions in standard form become
covered by this rule when
other entities, such as a billing service or a hospital, transmit standard electronic transactions
on their behalf.
As
covered entities spend significant resources
on hardware, software, and
other information technology costs, questions arise about which of these costs are fairly attributable to the privacy regulations as opposed to costs that would have been expended even in the absence of the regulations.
We note that we do not consider a financial institution to be acting
on behalf of a
covered entity, and therefore no business associate contract is required, when it processes consumer-conducted financial transactions by debit, credit or
other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any
other activity that directly facilitates or effects the transfer of funds for compensation for health care.
We note that health care providers who do not submit HIPAA transactions in standard form become
covered by this rule when
other entities, such as a billing service or a hospital, transmit standard electronic transactions
on their behalf.
(C) Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating
covered entities through the joint arrangement and if protected health information created or received by a
covered entity is reviewed by
other participating
covered entities or by a third party
on their behalf for the purpose of administering the sharing of financial risk.
In order to fall within this definition of clearinghouse, the
covered entity must perform the clearinghouse function
on health information received from some
other entity.
This requirement allows individuals to exercise some control in determining recipients they consider important to be notified, and requires the
covered entity to communicate amendments to
other persons that the
covered entity knows have the erroneous or incomplete information and may take some action in reliance
on the erroneous or incomplete information to the detriment of the individual.
Others stated that the «no reason to believe» test creates an unreasonable burden
on covered entities, and would actually chill the release of de-identified information, and set an impossible standard.
(4) If, after the applicable compliance date of this subpart, a
covered entity agrees to a restriction requested by an individual under § 164.522 (a), a subsequent use or disclosure of protected health information that is subject to the restriction based
on a consent, authorization, or
other express legal permission obtained from an individual as given effect by paragraph (b) of this section, must comply with such restriction.
To limit
covered entities' burden, we do not require
covered entities to acknowledge receipt of the individuals' requests,
other than to notify the individual once a decision
on the request has been made.
Third, authorizations for the use or disclosure of protected health information
other than psychotherapy notes may be combined, provided that the
covered entity has not conditioned the provision of treatment, payment, enrollment, or eligibility
on obtaining the authorization.
These and
other health insurance or provider programs operated by state and local government are subject to requirements placed
on covered entities under this rule, including, but not limited to, those outlined in this section (Section E) of the impact analysis.
Furthermore, if the state law creates an affirmative and binding legal obligation
on the
covered entity to make disclosures to family or
other persons under specific circumstances, the final rule allows
covered entities to comply with these legal obligations.
The proposal allowed a
covered entity, when making disclosures to public officials that were permitted without individual authorization but not required by
other law, to reasonably rely
on the representations of such officials that the information requested was the minimum necessary for the stated purpose(s).
We do not attempt to directly regulate employers or
other plan sponsors, but pursuant to our authority to regulate health plans, we place restrictions
on the flow of information from
covered entities to non-
covered entities.