§ 164.314 Organizational requirements
§ 164.314 Organizational requirements.
(a)
(1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.
(2) Implementation specifications (Required) -
(i) Business associate contracts. The contract must provide that the business associate will -
(A) Comply with the applicable requirements of this subpart;
(B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and
(C) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.
(ii) Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3).
(iii) Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.
(b)
(1) Standard: Requirements for group health plans. Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.
(2) Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to -
(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;
(ii) Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;
(iii) Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and
(iv) Report to the group health plan any security incident of which it becomes aware.
[68 FR 8376, Feb. 20, 2003, as amended at 78 FR 5694, Jan. 25, 2013; 78 FR 34266, June 7, 2013]
| Hospital Implements New Minimum Necessary Polices for Telephone Messages Covered Entity: General Hospital Issue: Minimum Necessary; Confidential Communications A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. An OCR investigation also indicated that the confidential communications requirements were not followed, as the employee left the message at the patient’s home telephone number, despite the patient’s instructions to contact her through her work number. To resolve the issues in this case, the hospital developed and implemented several new procedures. ...read more |
| Physician Revises Faxing Procedures to Safeguard PHI Covered Entity: Health Care Provider Issue: Safeguards A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new health care provider. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. To resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore a confidential communication for the intended recipient. The office informed all its employees of the ...read more |
| Health Sciences Center Revises Process to Prevent Unauthorized Disclosures to Employers Covered Entity: General Hospitals Issue: Impermissible Uses and Disclosures; Authorizations A state health sciences center disclosed protected health information to a complainant's employer without authorization. Among other corrective actions to resolve the specific issues in the case, including mitigation of harm to the complainant, OCR required the Center to revise its procedures regarding patient authorization prior to release of protected health information to an employer. All staff was trained on the revised procedures. ...read more |
| Wednesday, November 9, 2022 A federal grand jury in Newark, New Jersey, returned an indictment today charging an Indian national for fraudulently obtaining millions of dollars in Paycheck Protection Program (PPP) loans guaranteed by the Small Business Administration (SBA) under the Coronavirus Aid, Relief, and Economic Security (CARES) Act. According to court documents, Abhishek Krishnan, 40, previously resided in Wake County, North Carolina, before returning to his home country of India. After returning to India, Krishnan allegedly submitted numerous fraudulent PPP loan applications to federally insured banks, including on behalf of purported companies that were not registered business entities. ...read more |
|
May 2026
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | | | 1 | 2 |
| 3 | 4 | 5 | 6 | 7 | 8 | 9 |
| 10 | 11 | 12 | 13 | 14 | 15 | 16 |
| 17 | 18 | 19 | 20 | 21 | 22 | 23 |
| 24 | 25 | 26 | 27 | 28 | 29 | 30 |
| 31 |
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
January 2025 (1)
November 2022 (54)
Blog Labels
ePHI (2)
Telehealth (1)
Covered Entity (40)
Data Breach (1)
PPP Fraud (1)
EHR Fraud (1)
HIPAA Enforcement (3)
BAA (4)
HIPAA (2)
|
