HIPAA GENERAL OPERATING POLICY #37
TRANSITION PROVISIONS
I. Effect of Prior Authorizations
Notwithstanding the Privacy Rule requirements regarding authorization and waiver of authorization by an Institutional Review Board for research, a HCC may use or disclose PHI, consistent with subsections (a) and (b) below, pursuant to an authorization or other express legal permission obtained from an individual permitting the use or disclosure of PHI, informed consent of the individual to participate in research, or a waiver of informed consent by an IRB.
a. Effect of Prior Authorizations for Other than Research Purposes
Notwithstanding the Privacy Rule requirements regarding authorization, a HCC may use or disclose PHI that it created or received prior to April 14, 2003 pursuant to an authorization or other express legal permission obtained from an individual prior to the applicable compliance date of the privacy regulations, provided that the authorization or other express legal permission specifically permits such use or disclosure and there is no agreed-to restriction.
b. Effect of Prior Permission for Research
Notwithstanding the Privacy Rule requirements regarding authorization and waiver of authorization by an Institutional Review Board for research, a HCC may, to the extent allowed by one of the following permissions, use or disclose, for research, PHI that it created or received either before or after April 14, 2003, provided that there is no agreed-to restriction, and the HCC has obtained, prior to the applicable compliance date, either:
i. An authorization or other express legal permission from an individual to use or disclose PHI for the research;
ii. The informed consent of the individual to participate in the research; or
iii. A waiver by an IRB of informed consent in accordance with federal regulations, provided that a HCC must obtain a new authorization in accordance with the Privacy Rule if, after the compliance date, informed consent is sought from an individual participating in the research.
III. Effect of Prior Contracts or Arrangements with Business Associates
Notwithstanding any other part of the Privacy Rule, a HCC, other than a small health plan, may disclose PHI to a business associate and may allow a business associate to create, receive or use PHI on its behalf pursuant to a written contract or other written arrangement with such business associate that does not comply with the requirements of the Privacy Rule pertaining to business associates consistent with the requirements, and only for such time, as set forth below.
a. Deemed Compliance
1. Qualification - Notwithstanding any other part of the Privacy Rule, a HCC, other than a small health plan, is deemed to be in compliance with the documentation and contract requirements pertaining to business associates, with respect to a particular business associate relationship, for the time period set forth in (2) below, if:
i. Prior to October 15, 2002, such HCC has entered into and is operating pursuant to a written contract or arrangement with a business associate for such business associate to perform functions or activities or provide services that make the entity a business associate; and
ii. The contract or other arrangement is not renewed or modified from October 15, 2002 until April 14, 2003.
2. Limited Deemed Compliance Period - A prior contract or other arrangement that meets the qualification requirements in this subsection (a), shall be deemed compliant until the earlier of:
i. The date such contract or other arrangement is renewed or modified on or after April 14, 2003; or
ii. April 14, 2004.
3. HCC Responsibilities - Nothing in this section shall alter the requirements of a HCC to comply with the compliance and enforcement regulations of HIPAA, and the requirements pertaining to access to PHI, accounting of disclosures of PHI, amendment of PHI and mitigation of harmful effects with respect to PHI held by a business associate.