Each organization, with respect to a covered entity, that provides data transmission of protected health information to such entity (or its business associate) and that requires access on a routine basis to such protected health information, such as a Health Information Exchange Organization, Regional Health Information Organization, E-prescribing Gateway, or each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record, is required to enter into a written contract (or other written arrangement) described in section 164.502(e)(2) of title 45, Code of Federal Regulations and a written contract (or other arrangement) described in section 164.308(b) of such title, with such entity and shall be treated as a business associate of the covered entity for purposes of the provisions of this subchapter and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of .
Structure US Code
Title 42— THE PUBLIC HEALTH AND WELFARE
CHAPTER 156— HEALTH INFORMATION TECHNOLOGY
Part A— Improved Privacy Provisions and Security Provisions
§ 17932. Notification in the case of breach
§ 17933. Education on health information privacy
§ 17934. Application of privacy provisions and penalties to business associates of covered entities
§ 17936. Conditions on certain contacts as part of health care operations
§ 17938. Business associate contracts required for certain entities