All individually identifiable health information that is Protected Health Information (PHI), as defined in 45 CFR 160.103, shall be administered in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) implementing regulations at 45 CFR parts 160 and 164 (the HIPAA Privacy, Security, and Breach Notification Rules). The term “HIPAA” is used in this part to refer to title II, subtitle F of the HIPAA statute, at part C of title XI of the Social Security Act, 42 U.S.C. 1320d et seq., section 264 of HIPAA, subtitle D of title XIII of the American Recovery and Reinvestment Act of 2009, and regulations under such provisions.
(a) HHS is a HIPAA “covered entity” that is a “hybrid entity” as these terms are defined at sections 160.103 and 164.103, respectively. As such, only the portions of HHS that the Secretary has designated as “health care components” (HCC), as defined at section 164.103, are subject to HIPAA. HHS' HCCs may utilize persons or entities known as “business associates,” as defined at section 160.103. Generally, “business associate” means a “person” as defined by section 160.103 (including contractors, third-party vendors, etc.) if or when the person or entity:
(1) Creates, receives, maintains, or transmits “protected health information”, as the term is defined at section 160.103, on behalf of an HHS HCC to carry out HHS HIPAA “covered functions” as that term is defined at 164.103; or
(2) Provides certain services to an HHS HCC that involve PHI.
(b) Where the Department as a covered entity is required by 45 CFR 164.502(e)(1) and 164.504(e) and, if applicable, sections 164.308(b)(3) and 164.314(a), to enter into a HIPAA business associate contract, the relevant HCC contracting officer, acting on behalf of the Department, shall ensure that such contract meets the requirements at section 164.504(e)(2) and, if applicable, section 164.314(a)(2).