Is a health information organization (HIO) covered by the HIPAA Privacy Rule?
Generally, no. The HIPAA Privacy Rule applies to health plans, health care clearinghouses, and health care providers that conduct covered transactions. The functions a HIO typically performs do not make it a health plan, health care clearinghouse, or covered health care provider. Thus, a HIO is generally not a HIPAA covered entity. However, a HIO that performs certain functions or activities on behalf of, or provides certain services to, a covered entity which require access to PHI would be a business associate under the Privacy Rule. See 45 C.F.R. § 160.103 (definition of “business associate”). HIPAA covered entities must enter into contracts or other agreements with their business associates that require the business associates to safeguard and appropriately protect the privacy of protected health information. See 45 C.F.R. §§ 164.502(e), 164.504(e). (See also the relevant business associate requirements in the HIPAA Security Rule at 45 C.F.R. §§ 164.308(b), 164.314(a).) For instance, a HIO that manages the exchange of PHI through a network on behalf of multiple covered health care providers is a business associate of the covered providers, and thus, one or more business associate agreements would need to be in place between the covered providers and the HIO.