Who Is Subject to the HIPAA Privacy Rule
The Privacy Rule requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access. See 45 CFR 164.514(h). The Rule does not prescribe any particular form of verification (e.g., obtaining a copy of a driver's license), but generally leaves the manner of verification to the discretion and professional judgment of the covered entity, provided that the verification processes and measures do not create barriers to, or unreasonably delay, the individual's access to their PHI, as described below. The verification may be oral or written and, in many cases, the type of verification may depend on how the individual requests and/or obtains access: in person, by telephone (if the covered entity permits this), by fax or e-mail on a form supplied by the covered entity, through a secure web portal, or otherwise. For example, if the covered entity requires that access requests be made on its own form, the form could ask for basic information about the individual that would allow the covered entity to confirm that the person requesting access is the subject of the requested information or is the individual's personal representative. For covered entities that give individuals access to their PHI through web portals, those portals must already have appropriate authentication controls in place, as required by 45 CFR 164.312(d) of the HIPAA Security Rule, to ensure that the person requesting access is the individual or the individual's personal representative.

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.
If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the requirements of the Privacy and Security Rules to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.
Notes

L. 104-191.
2 65 FR 82462.
3 67 FR 53182.
4 45 C.F.R. §§ 160.102, 160.103.
5 Even if an entity, such as a community health center, does not meet the definition of a health plan, it may nonetheless meet the definition of a health care provider, and if it transmits health information in electronic form in connection with transactions for which the HHS Secretary has adopted standards under HIPAA, it may still be a covered entity.
6 45 C.F.R. §§ 160.102, 160.103; see Social Security Act § 1172(a)(3), 42 U.S.C. § 1320d-1(a)(3). The transaction standards are set forth in the HIPAA Transactions Rule at 45 C.F.R. Part 162.
7 45 C.F.R. § 160.103.
8 45 C.F.R. § 164.500(b).