§164.504(g) – Requirements for a covered entity with multiple covered functions. (1) A covered entity that performs multiple covered functions that would make the entity any combination of a health plan, a covered health care provider, and a health care clearinghouse, must comply with the standards, requirements, and implementation specifications of this subpart, as applicable to the health plan, health care provider, or health care clearinghouse covered functions performed. (2 )A covered entity that performs multiple covered functions may use or disclose the protected health information of individuals who receive the covered entity’s health plan or health care provider services, but not both, only for the purposes related to the appropriate function being performed.
Audit Inquiry
For entities that perform multiple covered functions, are uses and disclosures of PHI only for the purpose related to the appropriate functions being performed?
Inquire of management.
Obtain and evaluate whether the policies and procedures restrict the uses and disclosures of PHI to only the purpose related to the appropriate function being performed.