HIPAA GENERAL OPERATING PO
HIPAA GENERAL OPERATING POLICY #5
HEALTH CARE CLEARINGHOUSES
I. General
A Health Care Component that is a Health Care Clearinghouse must comply with the University’s privacy policies and procedures and the Privacy Rule as set forth below.
II. Health Care Clearinghouse as a Business Associate
When a Health Care Clearinghouse creates or receives PHI as a business associate of another covered entity, the clearinghouse must comply with the following:
a. 45 CFR § 164.500, relating to applicability;
b. 45 CFR § 164.501, relating to definitions;
c. 45 CFR § 164.502, relating to uses and disclosures of PHI, except that a clearinghouse is prohibited from using or disclosing PHI other than as permitted in the business associate contract under which it created or received the PHI;
d. 45 CFR §164.504, and 45 CFR § 164.105 relating to the organizational requirements for covered entities, including the designation of health care components of a covered entity;
e. 45 CFR §164.512, relating to uses and disclosures for which individual authorization or an opportunity to agree or object is not required, except that a clearinghouse is prohibited from using or disclosing PHI other than as permitted in the business associate contract under which it created or received the PHI;
f. 45 CFR § 164.532, relating to transition requirements; and
g. 45 CFR § 164.534, relating to compliance dates for initial implementation of the privacy standards.
III. Health Care Clearinghouse Not as a Business Associate
When a Health Care Clearinghouse creates or receives PHI other than as a business associate of a covered entity, the clearinghouse must comply with all applicable University privacy policies and procedures and the Privacy Rule.
(Rev. 4/30/03)