Page:United States Statutes at Large Volume 123.djvu/284

123 STAT. 264 PUBLIC LAW 111–5—FEB. 17, 2009

SEC. 13404. APPLICATION OF PRIVACY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES.

(a) APPLICATION OF CONTRACT REQUIREMENTS.—In the case of a business associate of a covered entity that obtains or creates protected health information pursuant to a written contract (or other written arrangement) described in section 164.502(e)(2) of title 45, Code of Federal Regulations, with such covered entity, the business associate may use and disclose such protected health information only if such use or disclosure, respectively, is in compliance with each applicable requirement of section 164.504(e) of such title. The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

(b) APPLICATION OF KNOWLEDGE ELEMENTS ASSOCIATED WITH CONTRACTS.—Section 164.504(e)(1)(ii) of title 45, Code of Federal Regulations, shall apply to a business associate described in subsection (a), with respect to compliance with such subsection, in the same manner that such section applies to a covered entity, with respect to compliance with the standards in sections 164.502(e) and 164.504(e) of such title, except that in applying such section 164.504(e)(1)(ii) each reference to the business associate, with respect to a contract, shall be treated as a reference to the covered entity involved in such contract.

(c) APPLICATION OF CIVIL AND CRIMINAL PENALTIES.—In the case of a business associate that violates any provision of subsection (a) or (b), the provisions of sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to the business associate with respect to such violation in the same manner as such provisions apply to a person who violates a provision of part C of title XI of such Act.

SEC. 13405. RESTRICTIONS ON CERTAIN DISCLOSURES AND SALES OF HEALTH INFORMATION; ACCOUNTING OF CERTAIN PROTECTED HEALTH INFORMATION DISCLOSURES; ACCESS TO CERTAIN INFORMATION IN ELECTRONIC FORMAT.

(a) REQUESTED RESTRICTIONS ON CERTAIN DISCLOSURES OF HEALTH INFORMATION.—In the case that an individual requests under paragraph (a)(1)(i)(A) of section 164.522 of title 45, Code of Federal Regulations, that a covered entity restrict the disclosure of the protected health information of the individual, notwithstanding paragraph (a)(1)(ii) of such section, the covered entity must comply with the requested restriction if—

(1) except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and

(2) the protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.

(b) DISCLOSURES REQUIRED TO BE LIMITED TO THE LIMITED DATA SET OR THE MINIMUM NECESSARY.—

(1) IN GENERAL.—

(A) IN GENERAL.—Subject to subparagraph (B), a covered entity shall be treated as being in compliance with

42 USC 17935. 42 USC 17934.