(a) HHS is a HIPAA “covered entity” that is a “hybrid entity” as these terms are defined at sections 160.103 and 164.103 respectively. As such, only the portions of HHS that the Secretary has designated as “health care components” (HCC) as defined at section 164.103, are subject to HIPAA. HHS' HCCs may utilize persons or entities known as “business associates,” as defined at section 160.103. Generally, “business associate” means a “person” as defined by section 160.103 (including contractors, and third-party vendors, etc.) if or when the person or entity:

(1) Creates, receives, maintains, or transmits “protected health information”, as the term is defined at section 160.103, on behalf of an HHS HCC to carry out HHS HIPAA “covered functions” as that term is defined at 164.103; or

(2) Provides certain services to an HHS HCC that involve PHI.

(b) Where the Department as a covered entity is required by 45 CFR 164.502(e)(1) and 164.504(e) and, if applicable, sections 164.308(b)(3) and 164.314(a), to enter into a HIPAA business associate contract, the relevant HCC contracting officer, acting on behalf of the Department, shall ensure that such contract meets the requirements at section 164.504(e)(2) and, if applicable, section 164.314(a)(2).


Tried the LawStack mobile app?

Join thousands and try LawStack mobile for FREE today.

  • Carry the law offline, wherever you go.
  • Download CFR, USC, rules, and state law to your mobile device.