HIPAA Privacy - Requirements for a Covered Entity with Multiple Covered Functions 164.504(g)

Overview:
§164.504(g)
Requirements for a covered entity with multiple covered functions
(1) A covered entity that performs multiple covered functions that would make the entity any combination of a health plan, a covered health care provider, and a health care clearinghouse, must comply with the standards, requirements, and implementation specifications of this subpart, as applicable to the health plan, health care provider, or health care clearinghouse covered functions performed.
(2) A covered entity that performs multiple covered functions may use or disclose the protected health information of individuals who receive the covered entity's health plan or health care provider services, but not both, only for the purposes related to the appropriate function being performed.


Action Items:
1) Obtain and evaluate whether the policies and procedures restrict the uses and disclosures of PHI to only the purpose related to the appropriate function being performed.


Related Documents:
1) Policies and procedures that restrict the uses and disclosures of PHI to only the purpose related to the appropriate function being performed.


Additional Guidance:
A covered entity that performs multiple covered functions must operate its different covered functions in compliance with the Privacy Rule provisions applicable to those covered functions. The covered entity may not use or disclose the protected health information of an individual who receives services from one covered function (e.g., health care provider) for another covered function (e.g., health plan) if the individual is not involved with the other function.