403.812—HIPAA privacy, security, administrative data standards, and national identifiers.
(a) HIPAA covered entities.
An endorsed sponsor is a HIPAA covered entity and must comply with the standards, implementation specifications, and requirements in 45 CFR parts 160, 162, and 164 as set forth in this section. Those functions of an endorsed sponsor the performance of which are necessary or directly related to the operations of the endorsed discount card program are covered functions for purposes of applying to endorsed sponsors the standards, implementation specifications, and requirements in 45 CFR parts 160, 162, and 164.
(b) HIPAA privacy requirements.
An endorsed sponsor must comply with the standards, implementation specifications, and requirements in the Standards for Privacy of Individually Identifiable Health Information, 45 CFR parts 160 and 164, subparts A and E, in the same manner as a health plan, except to the extent such requirements are temporarily waived by the Secretary.
(c) Security requirements—
(1) Standard.
An endorsed sponsor must comply with the applicable standards, implementation specifications, and requirements in the HIPAA Security Rule, 45 CFR parts 160 and 164, subparts A and C, in the same manner as other covered entities as of the compliance date of such Rule.
(2) Attestation.
An applicant in its application shall—
(i) Attest that, as of the initial enrollment date, it will have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information in accordance with 45 CFR 164.530(c); and
(ii) Attest that its information security measures will meet the standards, implementation specifications, and requirements of 45 CFR part 164 subparts A and C as of the initial enrollment date, or, if unable to make this attestation, provide a plan for coming into compliance with these requirements by the compliance date of the Security Rule set forth in 45 CFR part 164, subpart C.
(d) Administrative data standards.
An endorsed sponsor must comply with any applicable standards, implementation specifications, and requirements in the Standards for Electronic Transactions under 45 CFR parts 160 and 162 subparts I through R.
(e) Unique identifiers.
An endorsed sponsor must comply with any applicable standards, implementation specifications, and requirements regarding standard unique identifiers under 45 CFR parts 160 and 162 as of the compliance date of any final rule for standard unique identifiers.
(f) Applicability of other regulations.
Nothing in this paragraph or in § 403.813 shall be deemed a modification of parts 160, 162 and 164 of title 45, Code of Federal Regulations or otherwise modify the applicability of such regulations to other organizations or covered entities independently subject to the mandates of HIPAA. If an endorsed sponsor is also a health plan, health care provider, or health care clearinghouse, nothing in this paragraph shall impair or otherwise affect the application of HIPAA or parts 160, 162 and 164 of title 45, Code of Federal Regulations to such entity and its performance of those functions which make such entity a health plan, health care provider, or health care clearinghouse.