Part 160: General Administrative Requirements

1. The authority citation for part 160 continues to read as follows: Authority: Sec. 1171 through 1179 of the Social Security Act, (42 U.S.C. 1320d- 1329d-8) as added by sec. 262 of Pub. L. 104-191, 110 Stat. 2021-2031 and sec. 264 of Pub. L. 104-191 (42 U.S.C. 1320d-2(note)). 160(2) 2. In § 160.103, the definitions of “disclosure”, “electronic media”, “electronic protected health information,” “individual,” “organized health care arrangement”, “protected health information,” and “use” are added in alphabetical order to read as follows:

160.103 Defintions

160.103

Disclosure
means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.
Electronic media
means
  1. (1) Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
  2. (2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dialup lines, private networks, and the physical movement of removable/ transportable electronic storage media.

    Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

Electronic protected health information
means information that comes within paragraphs (1)(i) or (1)(ii) of the definition of protected health information as specified in this section.
Individual
means the person who is the subject of protected health information.
Organized health care arrangement
means:
  1. (1) A clinically integrated care setting in which individuals typically receive health care from more than one health care provider;
  2. (2) An organized system of health care in which more than one covered entity participates and in which the participating covered entities:
    1. (i) Hold themselves out to the public as participating in a joint arrangement; and
    2. (ii) Participate in joint activities that include at least one of the following:
      1. (A) Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;
      2. (B) Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or
      3. (C) Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.
  3. (3) A group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to protected health information created or received by such health insurance issuer or HMO that relates to individuals who are or who have been participants or beneficiaries in such group health plan;
  4. (4) A group health plan and one or more other group health plans each of which are maintained by the same plan sponsor; or
  5. (5) The group health plans described in paragraph (4) of this definition and health insurance issuers or HMOs with respect to such group health plans, but only with respect to protected health information created or received by such health insurance issuers or HMOs that relates to individuals who are or have been participants or beneficiaries in any of such group health plans.
Protected health information
means individually identifiable health information:
  1. (1) Except as provided in paragraph (2) of this definition, that is:
    1. (i) Transmitted by electronic media;
    2. (ii) Maintained in electronic media; or
    3. (iii) Transmitted or maintained in any other form or medium.
  2. (2) Protected health information excludes individually identifiable health information in:
    1. (i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
    2. (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
    3. (iii) Employment records held by a covered entity in its role as employer.
Use
means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.