HIPAA Regs

U.S. Department of Health and Human Services

Office for Civil Rights

HIPAA Administrative Simplification

Regulation Text

45 CFR Parts 160, 162, and 164

(Unofficial Version, as amended through February 16, 2006)

HIPAA Administrative Simplification

Table of Contents

Section Page

PART 160 – GENERAL ADMINISTRATIVE REQUIREMENTS

SUBPART A – GENERAL P ROVISIONS

§ 160.101 Statutory basis and purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

§ 160.102 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

§ 160.103 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

ANSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Business associate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Compliance date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

EIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Electronic media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Electronic protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Employer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Group health plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

HCFA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

HHS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Health care . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Health care clearinghouse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Health care provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Health insurance issuer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Health maintenance organization (HMO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Health plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Implementation specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Individual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Individually identifiable health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Modify or modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Organized health care arrangement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Person . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Secretary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Small health plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Standard setting organization (SSO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Trading partner agreement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

-i

Transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Workforce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

§ 160.104 Modifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

SUBPART B – PREEMPTION OF STATE LAW

§ 160.201 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

§ 160.202 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Contrary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

More stringent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Relates to the privacy of individually identifiable health information . . . . . . . . . . . . . . . . . . . . . . 7

State law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

§ 160.203 General rule and exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

§ 160.204 Process for requesting exception determinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

§ 160.205 Duration of effectiveness of exception determinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

SUBPART C – COMPLIANCE AND ENFORCEMENT

§ 160.300 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

§ 160.302 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Administrative simplification provision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

ALJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Civil money penalty or penalty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Respondent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Violation or violate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

§ 160.304 Principles for achieving compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

(a) Cooperation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

(b) Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

§ 160.306 Complaints to the Secretary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

(a) Right to file a complaint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

(b) Requirements for filing complaints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

(c) Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

§ 160.308 Compliance reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

-ii

§ 160.310 Responsibilities of covered entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

(a) Provide records and compliance reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

(b) Cooperate with complaint investigations and compliance reviews . . . . . . . . . . . . . . . . . . . . . 9

(c) Permit access to information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

§ 160.312 Secretarial action regarding complaints and compliance reviews . . . . . . . . . . . . . . . . . . . . . . 9

(a) Resolution where noncompliance is indicated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

(b) Resolution when no violation is found . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

§ 160.314 Investigational subpoenas and inquiries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

§ 160.316 Refraining from intimidation or retaliation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

SUBPART D - IMPOSITION OF CIVIL MONEY PENALTIES

§ 160.400 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

§ 160.402 Basis for a civil money penalty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

(a) General rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

(b) Violation by more than one covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

(c) Violation attributed to a covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

§ 160.404 Amount of a civil money penalty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

§ 160.406 Violations of an identical requirement or prohibition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

§ 160.408 Factors considered in determining the amount of a civil money penalty . . . . . . . . . . . . . . . 12

§ 160.410 Affirmative defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Reasonable cause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Reasonable diligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Willful neglect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

§ 160.412 Waiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

§ 160.414 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

§ 160.416 Authority to settle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

§ 160.418 Penalty not exclusive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

§ 160.420 Notice of proposed determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

§ 160.422 Failure to request a hearing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

-iii

§ 160.424 Collection of penalty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

§ 160.426 Notification of the public and other agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

SUBPART E – PROCEDURES FOR H EARINGS

§ 160.500 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

§ 160.502 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Board . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

§ 160.504 Hearing before an ALJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

§ 160.506 Rights of the parties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

§ 160.508 Authority of the ALJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

§ 160.510 Ex parte contacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

§ 160.512 Prehearing conferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

§ 160.514 Authority to settle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

§ 160.516 Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

§ 160.518 Exchange of witness lists, witness statements, and exhibits . . . . . . . . . . . . . . . . . . . . . . . . . . 16

§ 160.520 Subpoenas for attendance at hearing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

§ 160.522 Fees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

§ 160.524 Form, filing, and service of papers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

(a) Forms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

(b) Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

(c) Proof of service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

§ 160.526 Computation of time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

§ 160.528 Motions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

§ 160.530 Sanctions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

§ 160.532 Collateral estoppel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

§ 160.534 The hearing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

§ 160.536 Statistical sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

-iv

§ 160.538 Witnesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

§ 160.540 Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

§ 160.542 The record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

§ 160.544 Post hearing briefs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

§ 160.546 ALJ’s decision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

§ 160.548 Appeal of the ALJ’s decision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

§ 160.550 Stay of the Secretary’s decision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

§ 160.552 Harmless error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

PART 162 – ADMINISTRATIVE REQUIREMENTS

SUBPART A – GENERAL PROVISIONS

§ 162.100 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

§ 162.103 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Code set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Code set maintaining organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Data condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Data content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Data element . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Data set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Descriptor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Designated standard maintenance organization (DSMO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Direct data entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

HCPCS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Maintain or maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Maximum defined data set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Segment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Standard transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

SUBPARTS B and C – [RESERVED]

SUBPART D – STANDARD UNIQUE HEALTH IDENTIFIER FOR HEALTH CARE PROVIDERS

§ 162.402 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Covered health care provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

-v

§ 162.404 Compliance dates of the implementation of the standard

unique health identifier for health care providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

(a) Health care providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

(b) Health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

(c) Health care clearinghouses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

§ 162.406 Standard unique health identifier for health care providers . . . . . . . . . . . . . . . . . . . . . . . . . 24

(a) Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

(b) Required and permitted uses for the NPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

§ 162.408 National provider system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

§ 162.410 Implementation specifications: Health care providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

§ 162.412 Implementation specifications: Health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

§ 162.414 Implementation specifications: Health care clearinghouses . . . . . . . . . . . . . . . . . . . . . . . . . 25

SUBPART E – [RESERVED]

SUBPART F – STANDARD UNIQUE HEALTH EMPLOYER IDENTIFIER

§ 162.600 Compliance dates of the implementation of the

standard unique employer identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25


(b) Health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25


§ 162.605 Standard unique employer identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

§ 162.610 Implementation specifications for covered entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

SUBPARTS G and H – [RESERVED]

SUBPART I – GENERAL PROVISIONS FOR TRANSACTIONS

§ 162.900 Compliance dates for transaction standards and code sets . . . . . . . . . . . . . . . . . . . . . . . . . . 25

(a) Small health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

(b) Covered entities that timely submitted a compliance plan . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

(c) Covered entities that did not timely submit a compliance plan . . . . . . . . . . . . . . . . . . . . . . . 26

-vi

§ 162.910 Maintenance of standards and adoption of modifications and new standards . . . . . . . . . . 26

(a) Designation of DSMOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

(b) Maintenance of standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

(c) Process for modification of existing standards and adoption of new standards . . . . . . . . . . . 26

§ 162.915 Trading partner agreements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

§ 162.920 Availability of implementation specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

(a) ASC X12N specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(1) The ASC X12N 837- Health Care Claim: Dental . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(2) The ASC X12N 837- Health Care Claim: Professional . . . . . . . . . . . . . . . . . . . . . . 27

(3) The ASC X12N 837- Health Care Claim: Institutional . . . . . . . . . . . . . . . . . . . . . . 27

(4) The ASC X12N 835- Health Care Claim Payment/Advice . . . . . . . . . . . . . . . . . . . 27

(5) ASC X12N 834- Benefit Enrollment and Maintenance . . . . . . . . . . . . . . . . . . . . . . 27

(6) The ASC X12N 820- Payroll Deducted and Other Group Premium Payment

for Insurance Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(7) The ASC X12N 278- Health Care Services Review-Request for Review

and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(8) The ASC X12N 276/277-Health Care Claim Status Request and Response . . . . . . 27

(9) The ASC X12N 270/271-Health Care Eligibility Benefit Inquiry and Response . . 27

(b) Retail pharmacy specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(1) The Telecommunication Standard Implementation Guide . . . . . . . . . . . . . . . . . . . . 27

(2) The Batch Standard Batch Implementation Guide . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(3) The National Council for Prescription Drug Programs (NCPDP)

Equivalent NCPDP Batch Standard Batch Implementation Guide . . . . . . . . . . . . 28

§ 162.923 Requirements for covered entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

(a) General rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

(b) Exception for direct data entry transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

(c) Use of a business associate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

§ 162.925 Additional requirements for health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

(a) General rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

(b) Coordination of benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

(c) Code sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

§ 162.930 Additional requirements for health care clearinghouses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

§ 162.940 Exceptions from standards to permit testing of proposed modifications . . . . . . . . . . . . . . . 29

(a) Requests for an exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(1) Comparison to a current standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(2) Specifications for the proposed modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(3) Testing of the proposed modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(4) Trading partner concurrences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(b) Basis for granting an exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

-vii

(c) Secretary’s decision on exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(1) Exception granted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(2) Exception denied . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(d) Organization’s report on test results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(e) Extension allowed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

SUBPART J – CODE SETS

§ 162.1000 General requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

(a) Medical data code sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

(b) Nonmedical data code sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

§ 162.1002 Medical data code sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

§ 162.1011 Valid code sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

SUBPART K – HEALTH CARE CLAIMS OR EQUIVALENT ENCOUNTER INFORMATION

§ 162.1101 Health care claims or equivalent encounter information transaction . . . . . . . . . . . . . . . . . . 31

§ 162.1102 Standards for health care claims or equivalent encounter information transaction . . . . . . 31

SUBPART L – ELIGIBILITY FOR A HEALTH PLAN

§ 162.1201 Eligibility for a health plan transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

§ 162.1202 Standards for eligibility for a health plan transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

SUBPART M – REFERRAL CERTIFICATION AND AUTHORIZATION

§ 162.1301 Referral certification and authorization transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

§ 162.1302 Standards for referral certification and authorization transaction . . . . . . . . . . . . . . . . . . . 32

SUBPART N – HEALTH CARE CLAIM STATUS

§ 162.1401 Health care claim status transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

§ 162.1402 Standards for health care claim status transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

SUBPART O – ENROLLMENT AND DISENROLLMENT IN A H EALTH PLAN

-viii

§ 162.1501 Enrollment and disenrollment in a health plan transaction . . . . . . . . . . . . . . . . . . . . . . . . . . 33

§ 162.1502 Standards for enrollment and disenrollment in a health plan transaction . . . . . . . . . . . . . . 33

SUBPART P – HEALTH CARE P AYMENT AND REMITTANCE ADVICE

§ 162.1601 Health care payment and remittance advice transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

§ 162.1602 Standards for health care payment and remittance advice transaction . . . . . . . . . . . . . . . . 33

SUBPART Q – HEALTH PLAN PREMIUM PAYMENTS

§ 162.1701 Health plan premium payments transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

§ 162.1702 Standards for health plan premium payments transaction . . . . . . . . . . . . . . . . . . . . . . . . . . 34

SUBPART R – COORDINATION OF BENEFITS

§ 162.1801 Coordination of benefits transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

§ 162.1802 Standards for coordination of benefits information transaction . . . . . . . . . . . . . . . . . . . . . . 34

PART 164 – SECURITY AND PRIVACY

SUBPART A – GENERAL PROVISIONS

§ 164.102 Statutory basis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

§ 164.103 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Common control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Common ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Covered functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Health care component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Hybrid entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Plan sponsor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Required by law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

§ 164.104 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

§ 164.105 Organizational Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

§ 164.106 Relationship to other parts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

-ix

SUBPART B– [RESERVED]

SUBPART C – Security Standards for the Protection of Electronic Protected Health
Information
§ 164.302 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

§ 164.304 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Administrative Safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Facility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Information system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Malicious software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Physical safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Security or Security measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Security incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Technical safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

§ 164.306 Security standards: General rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

§ 164.308 Administrative safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

§ 164.310 Physical safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

§ 164.312 Technical safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

§ 164.314 Organizational requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

§ 164.316 Policies and procedures and documentation requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 44

§ 164.318 Compliance dates for initial implementation of security standards . . . . . . . . . . . . . . . . . . . 44

SUBPART D– [RESERVED]

SUBPART E – PRIVACY OF INDIVIDUALLY IDENTIFIABLE H EALTH INFORMATION

§ 164.500 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

-x

§ 164.501 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Correctional institution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Data aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Designated record set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Direct treatment relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Health care operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Health oversight agency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Indirect treatment relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Inmate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Law enforcement official . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Payment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Psychotherapy notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Public health authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Treatment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

§ 164.502 Uses and disclosures of protected health information: general rules . . . . . . . . . . . . . . . . . . 47

(a) Standard: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

(1) Permitted uses & disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

(2) Required disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

(b) Standard: minimum necessary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

(1) Minimum necessary applies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

(2) Minimum necessary does not apply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

(c) Standard: uses and disclosures of protected health information subject to

an agreed upon restriction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

(d) Standard: Uses and disclosures of de-identified protected health information . . . . . . . . . . . . 48

(1) Uses and disclosures to create de-identified information . . . . . . . . . . . . . . . . . . . . . 48

(2) Uses and disclosures of de-identified information . . . . . . . . . . . . . . . . . . . . . . . . . . 48

(e)(1) Standard: disclosures to business associates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

(2) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

(f) Standard: deceased individuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

(g)(1) Standard: personal representatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

(2) Implementation specification: adults and emancipated minors . . . . . . . . . . . . . . . . 49

(3) Implementation specification: unemancipated minors . . . . . . . . . . . . . . . . . . . . . . . 49

(4) Implementation specification: deceased individuals . . . . . . . . . . . . . . . . . . . . . . . . 49

(5) Implementation specification: abuse, neglect, endangerment situations . . . . . . . . . 50

(h) Standard: confidential communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

(i) Standard: uses and disclosures consistent with notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

(j) Standard: disclosures by whistleblowers and workforce member crime victims . . . . . . . . . . 50

(1) Disclosures by whistleblowers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

(2) Disclosures by workforce members who are victims of a crime . . . . . . . . . . . . . . . 50

§ 164.504 Uses and disclosures: organizational requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

(a) Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Plan administration functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Summary health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

-xi

Paragraphs (b)-(d)– [Removed and Reserved] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

(e)(1) Standard: business associate contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

(2) Implementation specifications: business associate contracts . . . . . . . . . . . . . . . . . . 51

(3) Implementation specifications: other arrangements . . . . . . . . . . . . . . . . . . . . . . . . . 51

(4) Implementation specifications: other requirements for contracts

and other arrangements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

(f)(1) Standard: requirements for group health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

(2) Implementation specifications: requirements for plan documents . . . . . . . . . . . . . . 52

(3) Implementation specifications: uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . . 53

(g) Standard: requirements for a covered entity with multiple covered functions . . . . . . . . . . . . 53

§ 164.506 Uses and disclosures to carry out treatment, payment, or health care operations . . . . . . . . 54

(a) Standard: permitted uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

(b) Standard: consent for uses and disclosures permitted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

(c) Implementation specifications: treatment, payment, or health care operations . . . . . . . . . . . 54

§ 164.508 Uses and disclosures for which an authorization is required . . . . . . . . . . . . . . . . . . . . . . . . . 54

(a) Standard: authorizations for uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

(1) Authorization required: general rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

(2) Authorization required: psychotherapy notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

(3) Authorization required: marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

(b) Implementation specifications: general requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

(1) Valid authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

(2) Defective authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

(3) Compound authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

(4) Prohibition on conditioning of authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

(5) Revocation of authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

(6) Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

(c) Implementation specifications: core elements and requirements . . . . . . . . . . . . . . . . . . . . . . 56

(1) Core elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

(2) Required statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

(3) Plain language requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

(4) Copy to the individual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

§ 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object . . . 56

(a) Standard: use and disclosure for facility directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

(1) Permitted uses and disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

(2) Opportunity to object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

(3) Emergency circumstances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

(b) Standard: uses and disclosures for involvement in the individual’s care and

notification purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

(1) Permitted uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

(2) Uses and disclosures with the individual present . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

(3) Limited uses and disclosures when the individual is not present . . . . . . . . . . . . . . . 57

(4) Use and disclosures for disaster relief purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

§ 164.512 Uses and disclosures for which an authorization or opportunity to

-xii

agree or object is not required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

(a) Standard: uses and disclosures required by law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

(b) Standard: uses and disclosures for public health activities . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

(1) Permitted disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

(2) Permitted uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

(c) Standard: disclosures about victims of abuse, neglect, or domestic violence . . . . . . . . . . . . . 59


(2) Informing the individual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

(d) Standard: uses and disclosures for health oversight activities . . . . . . . . . . . . . . . . . . . . . . . . 59


(2) Exception to health oversight activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

(3) Joint activities or investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

(4) Permitted uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

(e) Standard: disclosures for judicial and administrative proceedings . . . . . . . . . . . . . . . . . . . . . 60


(2) Other uses and disclosures under this section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

(f) Standard: disclosures for law enforcement purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

(1) Permitted disclosures: pursuant to process and as otherwise

required by law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

(2) Permitted disclosures: limited information for identification and

location purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

(3) Permitted disclosure: victims of a crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

(4) Permitted disclosure: decedents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

(5) Permitted disclosure: crime on premises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

(6) Permitted disclosure: reporting crime in emergencies . . . . . . . . . . . . . . . . . . . . . . . 62

(g) Standard: uses and disclosures about decedents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

(1) Coroners and medical examiners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

(2) Funeral directors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

(h) Standard: uses and disclosures for cadaveric organ, eye, or tissue

donation purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

(i) Standard: uses and disclosures for research purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

(1) Permitted uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

(2) Documentation of waiver approval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

(j) Standard: uses and disclosures to avert a serious threat to health or safety . . . . . . . . . . . . . . . 64


(2) Use or disclosure not permitted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

(3) Limit on information that may be disclosed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

(4) Presumption of good faith belief . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

(k) Standard: uses and disclosures for specialized government functions . . . . . . . . . . . . . . . . . . 64

(1) Military and veterans activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

(2) National security and intelligence activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

(3) Protective services for the President and others . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

(4) Medical suitability determinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

(5) Correctional institutions and other law enforcement custodial situations . . . . . . . . 65

(6) Covered entities that are government programs providing public benefits . . . . . . . 65

(l) Standard: disclosures for workers’ compensation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

§ 164.514 Other requirements relating to uses & disclosures of protected

health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

-xiii

(a) Standard: de-identification of protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . 66

(b) Implementation specifications: requirements for de-identification of

protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

(c) Implementation specifications: re-identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

(1) Derivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

(2) Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

(d)(1) Standard: minimum necessary requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

(2) Implementation specifications: minimum necessary uses of

protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

(3) Implementation specification: minimum necessary disclosures of


(4) Implementation specifications: minimum necessary requests for


(5) Implementation specification: other content requirement . . . . . . . . . . . . . . . . . . . . 67

(e)(1) Standard: limited data set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

(2) Implementation specification: limited data set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

(3) Implementation specification: permitted purposes for uses and disclosures . . . . . . 68

(4) Implementation specifications: data use agreement . . . . . . . . . . . . . . . . . . . . . . . . . 68

(f)(1) Standard: uses and disclosures for fundraising . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

(2) Implementation specifications: fundraising requirements . . . . . . . . . . . . . . . . . . . . 69

(g) Standard: uses and disclosures for underwriting and related purposes . . . . . . . . . . . . . . . . . . 69

(h)(1) Standard: verification requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

(2) Implementation specifications: verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

§ 164.520 Notice of privacy practices for protected health information . . . . . . . . . . . . . . . . . . . . . . . . 70

(a) Standard: notice of privacy practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

(1) Right to notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

(2) Exception for group health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

(3) Exception for inmates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

(b) Implementation specifications: content of notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

(1) Required elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

(2) Optional elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

(3) Revisions to the notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

(c) Implementation specifications: provision of notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

(1) Specific requirements for health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

(2) Specific requirements for certain covered health care providers . . . . . . . . . . . . . . . 72

(3) Specific requirements for electronic notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

(d) Implementation specifications: joint notice by separate covered entities . . . . . . . . . . . . . . . . 72

(e) Implementation specifications: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

§ 164.522 Rights to request privacy protection for protected health information . . . . . . . . . . . . . . . . 73

(a)(1) Standard: right of an individual to request restriction of uses and disclosures . . . . . . . . . 73

(2) Implementation specifications: terminating a restriction . . . . . . . . . . . . . . . . . . . . . 73


(b)(1) Standard: confidential communications requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

(2) Implementation specifications: conditions on providing

confidential communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

-xiv

§ 164.524 Access of individuals to protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

(a) Standard: access to protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

(1) Right of access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

(2) Unreviewable grounds for denial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

(3) Reviewable grounds for denial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

(4) Review of a denial of access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

(b) Implementation specifications: requests for access and timely action . . . . . . . . . . . . . . . . . . 75

(1) Individual’s request for access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

(2) Timely action by the covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

(c) Implementation specifications: provision of access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

(1) Providing the access requested . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

(2) Form of access requested . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

(3) Time and manner of access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

(4) Fees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

(d) Implementation specifications: denial of access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

(1) Making other information accessible . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

(2) Denial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

(3) Other responsibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

(4) Review of denial requested . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

(e) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

§ 164.526 Amendment of protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

(a) Standard: right to amend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

(1) Right to amend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

(2) Denial of amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

(b) Implementation specifications: requests for amendment and timely action . . . . . . . . . . . . . . 77

(1) Individual’s request for amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

(2) Timely action by the covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

(c) Implementation specifications: accepting the amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

(1) Making the amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

(2) Informing the individual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

(3) Informing others . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

(d) Implementation specifications: denying the amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

(1) Denial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

(2) Statement of disagreement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

(3) Rebuttal statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

(4) Recordkeeping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

(5) Future disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

(e) Implementation specification: actions on notices of amendment . . . . . . . . . . . . . . . . . . . . . . 78

(f) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

§ 164.528 Accounting of disclosures of protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . 78

(a) Standard: right to an accounting of disclosures of protected health information . . . . . . . . . . 78

(b) Implementation specifications: content of the accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

(c) Implementation specifications: provision of the accounting . . . . . . . . . . . . . . . . . . . . . . . . . 80

(d) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

-xv

§ 164.530 Administrative requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

(a)(1) Standard: personnel designations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

(2) Implementation specification: personnel designations . . . . . . . . . . . . . . . . . . . . . . . 80

(b)(1) Standard: training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

(2) Implementation specifications: training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

(c)(1) Standard: safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

(2) Implementation specification: safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

(d)(1) Standard: complaints to the covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

(2) Implementation specification: documentation of complaints . . . . . . . . . . . . . . . . . . 81

(e)(1) Standard: sanctions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81


(f) Standard: mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

(g) Standard: refraining from intimidating or retaliatory acts . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

(1) Individuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

(2) Individuals and others . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

(h) Standard: waiver of rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

(i)(1) Standard: policies and procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

(2) Standard: changes to policies or procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

(3) Implementation specification: changes in law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

(4) Implementation specifications: changes to privacy practices stated in the

notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

(5) Implementation specification: changes to other policies or procedures . . . . . . . . . . 82

(j)(1) Standard: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

(2) Implementation specification: retention period . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

(k) Standard: group health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

§ 164.532 Transition provisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

(a) Standard: effect of prior authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

(b) Implementation specification: effect of prior authorization for purposes

other than research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

(c) Implementation specification: effect of prior permission for research . . . . . . . . . . . . . . . . . . 83

(d) Standard: effect of prior contracts or other arrangements with business associates . . . . . . . . 83

(e) Implementation specification: deemed compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

(1) Qualification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

(2) Limited deemed compliance period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

(3) Covered entity responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

§ 164.534 Compliance dates for initial implementation of the privacy standards . . . . . . . . . . . . . . . . 84


(b) Health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

(1) Health plans other than small health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

(2) Small health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84


-xvi

HIPAA Administrative Simplification Regulation Text
March 2006

PART 160 – GENERAL ADMINISTRATIVE 160.502 Definitions.

REQUIREMENTS 160.504 Hearing before an ALJ.

160.506 Rights of the parties.

Subpart A – General Provisions 160.508 Authority of the ALJ.

160.101 Statutory basis and purpose.
160.510 Ex parte contacts.

160.102 Applicability.
160.512 Prehearing conferences.

160.103 Definitions.
160.514 Authority to settle.

160.104 Modifications.
160.516 Discovery.

160.518 Exchange of witness lists, witness

Subpart B – Preemption of State Law statements, and exhibits.

160.520 Subpoenas for attendance at hearing.

160.522 Fees.

160.203 General rule and exceptions.
160.524 Form, filing, and service of papers.

160.204 Process for requesting exception
160.526 Computation of time.

determinations.
160.528 Motions.

160.205 Duration of effectiveness of exception
160.530 Sanctions.

determinations.
160.532 Collateral estoppel.

160.534 The hearing.

Subpart C - Compliance and Investigations 160.536 Statistical sampling.

160.538 Witnesses.

160.540 Evidence.

160.304 Principles for achieving compliance.
160.542 The record.

160.306 Complaints to the Secretary.
160.544 Post hearing briefs.

160.308 Compliance reviews.
160.546 ALJ’s decision.

160.310 Responsibilities of covered entities.
160.548 Appeal of the ALJ’s decision.

160.312 Secretarial action regarding complaints and
160.550 Stay of the Secretary’s decision.

compliance reviews.
160.552 Harmless error.

160.314 Investigational subpoenas and inquiries.

160.316 Refraining from intimidation or retaliation.
Authority: 42 U.S.C. 1302(a), 42 U.S.C. 1320d
1320d-8, and sec. 264 of Pub. L. 104-191, 110 Stat.
Subpart D—Imposition of Civil Money Penalties 2033-2034 (42 U.S.C. 1320d-2(note)) and 5 U.S.C.
552.
160.402 Basis for a civil money penalty.

160.404 Amount of a civil money penalty.
Subpart A—General Provisions
160.406 Violations of an identical requirement or

prohibition.
§ 160.101 Statutory basis and purpose.
160.408 Factors considered in determining the
The requirements of this subchapter implement
amount of a civil money penalty.
sections 1171 through 1179 of the Social Security Act
160.410 Affirmative defenses.
(the Act), as added by section 262 of Public Law
160.412 Waiver.
104–191, and section 264 of Public Law 104–191.
160.414 Limitations.

160.416 Authority to settle.
§ 160.102 Applicability.
160.418 Penalty not exclusive.
(a) Except as otherwise provided, the standards,
160.420 Notice of proposed determination.
requirements, and implementation specifications
160.422 Failure to request a hearing.
adopted under this subchapter apply to the following
160.424 Collection of penalty.
entities:
160.426 Notification of the public and other agencies.
(1) A health plan.
(2) A health care clearinghouse.
Subpart E—Procedures for Hearings (3) A health care provider who transmits any

-1

March 2006

health information in electronic form in connection or from another business associate of such covered
with a transaction covered by this subchapter. entity or arrangement, to the person.
(b) To the extent required under the Social (2) A covered entity participating in an organized
Security Act, 42 U.S.C. 1320a–7c(a)(5), nothing in health care arrangement that performs a function or
this subchapter shall be construed to diminish the activity as described by paragraph (1)(i) of this
authority of any Inspector General, including such definition for or on behalf of such organized health
authority as provided in the Inspector General Act of care arrangement, or that provides a service as
1978, as amended (5 U.S.C. App.). described in paragraph (1)(ii) of this definition to or
for such organized health care arrangement, does not,
[65 FR 82798, Dec. 28, 2000, as amended at 67 FR simply through the performance of such function or
53266, Aug. 14, 2002] activity or the provision of such service, become a
business associate of other covered entities
§ 160.103 Definitions. participating in such organized health care
Except as otherwise provided, the following arrangement.
definitions apply to this subchapter: (3) A covered entity may be a business associate
Act means the Social Security Act. of another covered entity.
ANSI stands for the American National Standards CMS stands for Centers for Medicare & Medicaid
Institute. Services within the Department of Health and Human
Business associate: Services.
(1) Except as provided in paragraph (2) of this Compliance date means the date by which a
definition, business associate means, with respect to a covered entity must comply with a standard,
covered entity, a person who: implementation specification, requirement, or
(i) On behalf of such covered entity or of an modification adopted under this subchapter.
organized health care arrangement (as defined in Covered entity means:
§164.501 of this subchapter) in which the covered (1) A health plan.
entity participates, but other than in the capacity of a (2) A health care clearinghouse.
member of the workforce of such covered entity or (3) A health care provider who transmits any
arrangement, performs, or assists in the performance health information in electronic form in connection
of: with a transaction covered by this subchapter.
(A) A function or activity involving the use or Disclosure means the release, transfer, provision
disclosure of individually identifiable health of, access to, or divulging in any other manner of
information, including claims processing or information outside the entity holding the
administration, data analysis, processing or information.
administration, utilization review, quality assurance, EIN stands for the employer identification number
billing, benefit management, practice management, assigned by the Internal Revenue Service, U.S.
and repricing; or Department of the Treasury. The EIN is the taxpayer
(B) Any other function or activity regulated by identifying number of an individual or other entity
this subchapter; or (whether or not an employer) assigned under one of
(ii) Provides, other than in the capacity of a the following:
member of the workforce of such covered entity, (1) 26 U.S.C. 6011(b), which is the portion of the
legal, actuarial, accounting, consulting, data Internal Revenue Code dealing with identifying the
aggregation (as defined in §164.501 of this taxpayer in tax returns and statements, or
subchapter), management, administrative, corresponding provisions of prior law.
accreditation, or financial services to or for such (2) 26 U.S.C. 6109, which is the portion of the
covered entity, or to or for an organized health care Internal Revenue Code dealing with identifying
arrangement in which the covered entity participates, numbers in tax returns, statements, and other required
where the provision of the service involves the documents.
disclosure of individually identifiable health Electronic media means:
information from such covered entity or arrangement, (1) Electronic storage media including memory

-2

March 2006

devices in computers (hard drives) and any (2) Sale or dispensing of a drug, device,
removable/transportable digital memory medium, equipment, or other item in accordance with a
such as magnetic tape or disk, optical disk, or digital prescription.
memory card; or Health care clearinghouse means a public or
(2) Transmission media used to exchange private entity, including a billing service, repricing
information already in electronic storage media. company, community health management information
Transmission media include, for example, the internet system or community health information system, and
(wide-open), extranet (using internet technology to “value-added” networks and switches, that does either
link a business with information accessible only to of the following functions:
collaborating parties), leased lines, dial-up lines, (1) Processes or facilitates the processing of
private networks, and the physical movement of health information received from another entity in a
removable/transportable electronic storage media. nonstandard format or containing nonstandard data
Certain transmissions, including of paper, via content into standard data elements or a standard
facsimile, and of voice, via telephone, are not transaction.
considered to be transmissions via electronic media, (2) Receives a standard transaction from another
because the information being exchanged did not entity and processes or facilitates the processing of
exist in electronic form before the transmission. health information into nonstandard format or
Electronic protected health information means nonstandard data content for the receiving entity.
information that comes within paragraphs (1)(i) or Health care provider means a provider of services
(1)(ii) of the definition of protected health (as defined in section 1861(u) of the Act, 42 U.S.C.
information as specified in this section. 1395x(u)), a provider of medical or health services
Employer is defined as it is in 26 U.S.C. 3401(d). (as defined in section 1861(s) of the Act, 42 U.S.C.
Group health plan (also see definition of health 1395x(s)), and any other person or organization who
plan in this section) means an employee welfare furnishes, bills, or is paid for health care in the
benefit plan (as defined in section 3(1) of the normal course of business.
Employee Retirement Income and Security Act of Health information means any information,
1974 (ERISA), 29 U.S.C. 1002(1)), including insured whether oral or recorded in any form or medium, that:
and self-insured plans, to the extent that the plan (1) Is created or received by a health care
provides medical care (as defined in section provider, health plan, public health authority,
2791(a)(2) of the Public Health Service Act (PHS employer, life insurer, school or university, or health
Act), 42 U.S.C. 300gg–91(a)(2)), including items and care clearinghouse; and
services paid for as medical care, to employees or (2) Relates to the past, present, or future physical
their dependents directly or through insurance, or mental health or condition of an individual; the
reimbursement, or otherwise, that: provision of health care to an individual; or the past,
(1) Has 50 or more participants (as defined in present, or future payment for the provision of health
section 3(7) of ERISA, 29 U.S.C. 1002(7)); or care to an individual.
(2) Is administered by an entity other than the Health insurance issuer (as defined in section
employer that established and maintains the plan. 2791(b)(2) of the PHS Act, 42 U.S.C.
HHS stands for the Department of Health and 300gg–91(b)(2) and used in the definition of health
Human Services. plan in this section) means an insurance company,
Health care means care, services, or supplies insurance service, or insurance organization
related to the health of an individual. Health care (including an HMO) that is licensed to engage in the
includes, but is not limited to, the following: business of insurance in a State and is subject to State
(1) Preventive, diagnostic, therapeutic, law that regulates insurance. Such term does not
rehabilitative, maintenance, or palliative care, and include a group health plan.
counseling, service, assessment, or procedure with Health maintenance organization (HMO) (as
respect to the physical or mental condition, or defined in section 2791(b)(3) of the PHS Act, 42
functional status, of an individual or that affects the U.S.C. 300gg–91(b)(3) and used in the definition of
structure or function of the body; and health plan in this section) means a federally qualified

-3

HIPAA Regs

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (16)

Similaire à HIPAA Regs

Similaire à HIPAA Regs (20)

Plus de GuardEra Access Solutions, Inc.

Plus de GuardEra Access Solutions, Inc. (20)

HIPAA Regs