Mo. Code Regs. Ann. tit. 9, § 10-5.220
PURPOSE: This rule alerts providers to the possible HIPAA Privacy Rule requirements if the provider has determined that it is a covered entity as defined by HIPAA. Once that is established, this rule lists policies and procedures that the HIPAA Privacy Rule requires for each covered entity.
(2) Definitions.
(B) Protected Health Information (PHI): As defined by HIPAA (45 CFR section 164.501), PHI is individually identifiable health information that is—
in the definition of electronic media; or
other form or medium.
(C) Individually identifiable health information: As defined by HIPAA (45 CFR section 160.103), individually identifiable health information is any information, including demographic information, collected from an individual that is—
provider, health plan, employer, or healthcare clearinghouse; and
physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual, and which identifies the individual, or with respect to which there is reasonable basis to believe that the information can be used to identify the individual.
(D) Business associate: As defined by HIPAA (45 CFR section 160.103), a person who, on behalf of the covered entity or provider or of an organized healthcare arrangement in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
lated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized healthcare arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
AUTHORITY: section 630.050, RSMo 2000* and 45 CFR parts 160 and 164, the Health Insurance Portability and Accountability Act of 1996. Emergency rule filed April 1, 2003, effective April 14, 2003, expired Oct. 14, 2003. Original rule filed April 1, 2003, effective Oct. 30, 2003. *Original authority: 630.050, RSMo 1980, amended 1993, 1995.