Mo. Code Regs. Ann. tit. 9, § 10-5.220
PURPOSE: This rule specifies the policies and procedures required for covered entities under the HIPAA privacy rule.
(2) Definitions. The following terms, as used in this rule, shall mean:
(B) Protected Health Information (PHI)—As defined by HIPAA (45 CFR section 160.103), PHI is individually identifiable health information that is—
medium;
(C) Individually identifiable health information—As defined by HIPAA (45 CFR section 160.103), information that is a subset of health information, including demographic information collected from an individual, and—
plan, employer, or healthcare clearinghouse; and
health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and—
believe the information can be used to identify the individual; and
(D) Business associate—As defined by HIPAA (45 CFR section 160.103), with respect to a covered entity, a person who—
healthcare arrangement in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement;
health information for a function or activity regulated by this rule and 45 CFR section 160.103, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized healthcare arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
(3) Covered Entity. All providers that determine they qualify as a covered entity must comply with the provisions of the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA).
(B) If a provider is a covered entity, HIPAA requires the appropriate policies and procedures be in place to comply with the HIPAA Privacy Rule. HIPAA requires such policies and procedures to include but not be limited to the following:
qualifying as business associates as defined in this rule and in 45 CFR part 160.
AUTHORITY: section 630.050, RSMo 2016,* and 45 CFR parts 160 and 164, the Health Insurance Portability and Accountability Act. Emergency rule filed April 1, 2003, effective April 14, 2003, expired Oct. 14, 2003. Original rule filed April 1, 2003, effective Oct. 30, 2003. Amended: Filed March 9, 2022, effective Sept. 30, 2022.
*Original authority: 630.050, RSMo 1980, amended 1993, 1995, 2008.