PART 160 — GENERAL ADMINISTRATIVE REQUIREMENTS
Subpart A — General Provisions
§ 160.101 Statutory basis and purpose
§ 160.102 Applicability
§ 160.103 Definitions
Act ANSI Business associate Compliance date Covered entity Disclosure EIN Electronic media Electronic protected health information Employer Group health plan hcfa HHS Health care Health care clearinghouse Health care provider Health information Health insurance issuer Health maintenance organization (HMO) Health plan Implementation specification Individual Individually identifiable health information Modify or modification Organized health care arrangement Person Protected health information Secretary Small health plan Standard Standard setting organization (SSO) State Trading partner agreement Transaction Use Workforce
§ 160.104 Modifications
Subpart B — Preemption of State Law
§ 160.201 Applicability
§ 160.202 Definitions
Contrary More stringent Relates to the privacy of individually identifiable health information State law
§ 160.203 General rule and exceptions
§ 160.204 Process for requesting exception determinations
§ 160.205 Duration of effectiveness of exception determinations
Subpart C — Compliance and Enforcement
§ 160.300 Applicability
§ 160.302 Definitions
Administrative simplification provision ALJ Civil money penalty or penalty Respondent Violation or violate
§ 160.304 Principles for achieving compliance
(a) Cooperation
(b) Assistance
§ 160.306 Complaints to the Secretary
(a) Right to file a complaint
(b) Requirements for filing complaints
(c) Investigation
§ 160.308 Compliance reviews
§ 160.310 Responsibilities of covered entities
(a) Provide records and compliance reports
(b) Cooperate with complaint investigations and compliance reviews
(c) Permit access to information
§ 160.312 Secretarial action regarding complaints and compliance reviews
(a) Resolution where noncompliance is indicated
(b) Resolution when no violation is found
§ 160.314 Investigational subpoenas and inquiries
§ 160.316 Refraining from intimidation or retaliation
Subpart D - Imposition of Civil Money Penalties
§ 160.400 Applicability
§ 160.401 Definitions
§ 160.402 Basis for a civil money penalty
(a) General rule
(b) Violation by more than one covered entity
(c) Violation attributed to a covered entity
§ 160.404 Amount of a civil money penalty
§ 160.406 Violations of an identical requirement or prohibition
§ 160.408 Factors considered in determining the amount of a civil money penalty
§ 160.410 Affirmative defenses
Reasonable cause Reasonable diligence Willful neglect
§ 160.412 Waiver
§ 160.414 Limitations
§ 160.416 Authority to settle
§ 160.418 Penalty not exclusive
§ 160.420 Notice of proposed determination
§ 160.422 Failure to request a hearing
§ 160.424 Collection of penalty
§ 160.426 Notification of the public and other agencies
Subpart E — Procedures for Hearings
§ 160.500 Applicability
§ 160.502 Definitions
Board
§ 160.504 Hearing before an ALJ
§ 160.506 Rights of the parties
§ 160.508 Authority of the ALJ
§ 160.510 Ex parte contacts
§ 160.512 Prehearing conferences
§ 160.514 Authority to settle
§ 160.516 Discovery
§ 160.518 Exchange of witness lists, witness statements, and exhibits
§ 160.520 Subpoenas for attendance at hearing
§ 160.522 Fees
§ 160.524 Form, filing, and service of papers
(a) Forms
(b) Service
(c) Proof of service
§ 160.526 Computation of time
§ 160.528 Motions
§ 160.530 Sanctions
§ 160.532 Collateral estoppel
§ 160.534 The hearing
§ 160.536 Statistical sampling
§ 160.538 Witnesses
§ 160.540 Evidence
§ 160.542 The record
§ 160.544 Post hearing briefs
§ 160.546 ALJ's decision
§ 160.548 Appeal of the ALJ's decision
§ 160.550 Stay of the Secretary's decision
§ 160.552 Harmless error
PART 162 — ADMINISTRATIVE REQUIREMENTS
Subpart A — General Provisions
§ 162.100 Applicability
§ 162.103 Definitions
Code set Code set maintaining organization Data condition Data content Data element Data set Descriptor Designated standard maintenance organization (DSMO) Direct data entry Format HCPCS Maintain or maintenance Maximum defined data set Segment Standard transaction
Subparts B and C — [Reserved]
Subpart D — Standard Unique Health Identifier for Health Care Providers
§ 162.402 Definitions
Covered health care provider
§ 162.404 Compliance dates of the implementation of the standard unique health identifier for health care providers
(a) Health care providers
(b) Health plans
(c) Health care clearinghouses
§ 162.406 Standard unique health identifier for health care providers
(a) Standard
(b) Required and permitted uses for the NPI
§ 162.408 National provider system
§ 162.410 Implementation specifications: Health care providers
§ 162.412 Implementation specifications: Health plans
§ 162.414 Implementation specifications: Health care clearinghouses
Subpart E — [Reserved]
Subpart F — Standard Unique Health Employer Identifier
§ 162.600 Compliance dates of the implementation of the standard unique employer identifier
(a) Health care providers
(b) Health plans
(c) Health care clearinghouses
§ 162.605 Standard unique employer identifier
§ 162.610 Implementation specifications for covered entities
Subparts G and H — [Reserved]
Subpart I — General Provisions for Transactions
§ 162.900 Compliance dates for transaction standards and code sets
(a) Small health plans
(b) Covered entities that timely submitted a compliance plan
(c) Covered entities that did not timely submit a compliance plan
§ 162.910 Maintenance of standards and adoption of modifications and new standards
(a) Designation of DSMOs
(b) Maintenance of standards
(c) Process for modification of existing standards and adoption of new standards
§ 162.915 Trading partner agreements
§ 162.920 Availability of implementation specifications
(a) ASC X12N specifications
(1) The ASC X12N 837- Health Care Claim: Dental
(2) The ASC X12N 837- Health Care Claim: Professional
(3) The ASC X12N 837- Health Care Claim: Institutional
(4) The ASC X12N 835- Health Care Claim Payment/Advice
(5) ASC X12N 834- Benefit Enrollment and Maintenance
(6) The ASC X12N 820- Payroll Deducted and Other Group Premium Payment for Insurance Products
(7) The ASC X12N 278- Health Care Services Review-Request for Review and Response
(8) The ASC X12N 276/277-Health Care Claim Status Request and Response
(9) The ASC X12N 270/271-Health Care Eligibility Benefit Inquiry and Response
(b) Retail pharmacy specifications
(1) The Telecommunication Standard Implementation Guide
(2) The Batch Standard Batch Implementation Guide
(3) The National Council for Prescription Drug Programs (NCPDP) Equivalent NCPDP Batch Standard Batch Implementation Guide
§ 162.923 Requirements for covered entities
(a) General rule
(b) Exception for direct data entry transactions
(c) Use of a business associate
§ 162.925 Additional requirements for health plans
(a) General rules
(b) Coordination of benefits
(c) Code sets
§ 162.930 Additional requirements for health care clearinghouses
§ 162.940 Exceptions from standards to permit testing of proposed modifications
(a) Requests for an exception
(1) Comparison to a current standard
(2) Specifications for the proposed modification
(3) Testing of the proposed modification
(4) Trading partner concurrences
(b) Basis for granting an exception
(c) Secretary's decision on exception
(1) Exception granted
(2) Exception denied
(d) Organization's report on test results
(e) Extension allowed
Subpart J — Code Sets
§ 162.1000 General requirements
(a) Medical data code sets
(b) Nonmedical data code sets
§ 162.1002 Medical data code sets
§ 162.1011 Valid code sets
Subpart K — Health Care Claims or Equivalent Encounter Information
§ 162.1101 Health care claims or equivalent encounter information transaction
§ 162.1102 Standards for health care claims or equivalent encounter information transaction
Subpart L — Eligibility for a Health Plan
§ 162.1201 Eligibility for a health plan transaction
§ 162.1202 Standards for eligibility for a health plan transaction
Subpart M — Referral Certification and Authorization
§ 162.1301 Referral certification and authorization transaction
§ 162.1302 Standards for referral certification and authorization transaction
Subpart N — Health Care Claim Status
§ 162.1401 Health care claim status transaction
§ 162.1402 Standards for health care claim status transaction
Subpart O — Enrollment and Disenrollment in a Health Plan
§ 162.1501 Enrollment and disenrollment in a health plan transaction
§ 162.1502 Standards for enrollment and disenrollment in a health plan transaction
Subpart P — Health Care Payment and Remittance Advice
§ 162.1601 Health care payment and remittance advice transaction
§ 162.1602 Standards for health care payment and remittance advice transaction
Subpart Q — Health Plan Premium Payments
§ 162.1701 Health plan premium payments transaction
§ 162.1702 Standards for health plan premium payments transaction
Subpart R — Coordination of Benefits
§ 162.1801 Coordination of benefits transaction
§ 162.1802 Standards for coordination of benefits information transaction
PART 164 — SECURITY AND PRIVACY
Subpart A — General Provisions
§ 164.102 Statutory basis
§ 164.103 Definitions
Common control Common ownership Covered functions Health care component Hybrid entity Plan sponsor Required by law
§ 164.104 Applicability
§ 164.105 Organizational Requirements
§ 164.106 Relationship to other parts
Subpart B — [Reserved]
Subpart C — Security Standards for the Protection of Electronic Protected Health Information
§ 164.302 Applicability
§ 164.304 Definitions
Access Administrative Safeguards Authentication Availability Confidentiality Encryption Facility Information system Integrity Malicious software Password Physical safeguards Security or Security measures Security incident Technical safeguards User Workstation
§ 164.306 Security standards: General rules
§ 164.308 Administrative safeguards
§ 164.310 Physical safeguards
§ 164.312 Technical safeguards
§ 164.314 Organizational requirements
§ 164.316 Policies and procedures and documentation requirements
§ 164.318 Compliance dates for initial implementation of security standards
Subpart D — Notification in the Case of Breach of Unsecured Protected Health Information
§ 164.400 Applicability.
§ 164.402 Definitions.
§ 164.404 Notification to individuals.
§ 164.406 Notification to the media.
§ 164.408 Notification to the Secretary.
§ 164.410 Notification by a business associate.
§ 164.412 Law enforcement delay.
§ 164.414 Administrative requirements and burden of proof.
Subpart E — Privacy of Individually Identifiable Health Information
§ 164.500 Applicability
§ 164.501 Definitions
Correctional institution Data aggregation Designated record set Direct treatment relationship Health care operations Health oversight agency Indirect treatment relationship Inmate Law enforcement official Marketing Payment Psychotherapy notes Public health authority Research Treatment
§ 164.502 Uses and disclosures of protected health information: general rules
(a) Standard:
(1) Permitted uses & disclosures
(2) Required disclosures
(b) Standard: minimum necessary
(1) Minimum necessary applies
(2) Minimum necessary does not apply
(c) Standard: uses and disclosures of protected health information subject to an agreed upon restriction
(d) Standard: Uses and disclosures of de-identified protected health information
(1) Uses and disclosures to create de-identified information
(2) Uses and disclosures of de-identified information
(e) (1) Standard: disclosures to business associates
(2) Implementation specification: documentation
(f) Standard: deceased individuals
(g) (1) Standard: personal representatives
(2) Implementation specification: adults and emancipated minors
(3) Implementation specification: unemancipated minors
(4) Implementation specification: deceased individuals
(5) Implementation specification: abuse, neglect, endangerment situations
(h) Standard: confidential communications
(i) Standard: uses and disclosures consistent with notice
(j) Standard: disclosures by whistleblowers and workforce member crime victims
(1) Disclosures by whistleblowers
(2) Disclosures by workforce members who are victims of a crime
§ 164.504 Uses and disclosures: organizational requirements
(a) Definitions
Plan administration functions Summary health information Paragraphs
(b)-(d) — [Removed and Reserved]
(e) (1) Standard: business associate contracts
(2) Implementation specifications: business associate contracts
(3) Implementation specifications: other arrangements
(4) Implementation specifications: other requirements for contracts and other arrangements
(f) (1) Standard: requirements for group health plans
(2) Implementation specifications: requirements for plan documents
(3) Implementation specifications: uses and disclosures
(g) Standard: requirements for a covered entity with multiple covered functions
§ 164.506 Uses and disclosures to carry out treatment, payment, or health care operations
(a) Standard: permitted uses and disclosures
(b) Standard: consent for uses and disclosures permitted
(c) Implementation specifications: treatment, payment, or health care operations
§ 164.508 Uses and disclosures for which an authorization is required
(a) Standard: authorizations for uses and disclosures
(1) Authorization required: general rule
(2) Authorization required: psychotherapy notes
(3) Authorization required: marketing
(b) Implementation specifications: general requirements
(1) Valid authorizations
(2) Defective authorizations
(3) Compound authorizations
(4) Prohibition on conditioning of authorizations
(5) Revocation of authorizations
(6) Documentation
(c) Implementation specifications: core elements and requirements
(1) Core elements
(2) Required statements
(3) Plain language requirement
(4) Copy to the individual
§ 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object
(a) Standard: use and disclosure for facility directories
(1) Permitted uses and disclosure
(2) Opportunity to object
(3) Emergency circumstances
(b) Standard: uses and disclosures for involvement in the individual's care and notification purposes
(1) Permitted uses and disclosures
(2) Uses and disclosures with the individual present
(3) Limited uses and disclosures when the individual is not present
(4) Use and disclosures for disaster relief purposes
§ 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required 58
(a) Standard: uses and disclosures required by law
(b) Standard: uses and disclosures for public health activities
(1) Permitted disclosures
(2) Permitted uses
(c) Standard: disclosures about victims of abuse, neglect, or domestic violence
(1) Permitted disclosures
(2) Informing the individual
(d) Standard: uses and disclosures for health oversight activities
(1) Permitted disclosures
(2) Exception to health oversight activities
(3) Joint activities or investigations
(4) Permitted uses
(e) Standard: disclosures for judicial and administrative proceedings
(1) Permitted disclosures
(2) Other uses and disclosures under this section
(f) Standard: disclosures for law enforcement purposes
(1) Permitted disclosures: pursuant to process and as otherwise required by law
(2) Permitted disclosures: limited information for identification and location purposes
(3) Permitted disclosure: victims of a crime
(4) Permitted disclosure: decedents
(5) Permitted disclosure: crime on premises
(6) Permitted disclosure: reporting crime in emergencies
(g) Standard: uses and disclosures about decedents
(1) Coroners and medical examiners
(2) Funeral directors
(h) Standard: uses and disclosures for cadaveric organ, eye, or tissue donation purposes
(i) Standard: uses and disclosures for research purposes
(1) Permitted uses and disclosures
(2) Documentation of waiver approval
(j) Standard: uses and disclosures to avert a serious threat to health or safety
(1) Permitted disclosures
(2) Use or disclosure not permitted
(3) Limit on information that may be disclosed
(4) Presumption of good faith belief
(k) Standard: uses and disclosures for specialized government functions
(1) Military and veterans activities
(2) National security and intelligence activities
(3) Protective services for the President and others
(4) Medical suitability determinations
(5) Correctional institutions and other law enforcement custodial situations
(6) Covered entities that are government programs providing public benefits
(l) Standard: disclosures for workers' compensation
§ 164.514 Other requirements relating to uses & disclosures of protected health information
(a) Standard: de-identification of protected health information
(b) Implementation specifications: requirements for de-identification of protected health information
(c) Implementation specifications: re-identification
(1) Derivation
(2) Security
(d) (1) Standard: minimum necessary requirements
(2) Implementation specifications: minimum necessary uses of protected health information
(3) Implementation specification: minimum necessary disclosures of protected health information
(4) Implementation specifications: minimum necessary requests for protected health information
(5) Implementation specification: other content requirement
(e) (1) Standard: limited data set
(2) Implementation specification: limited data set
(3) Implementation specification: permitted purposes for uses and disclosures
(4) Implementation specifications: data use agreement
(f) (1) Standard: uses and disclosures for fundraising
(2) Implementation specifications: fundraising requirements
(g) Standard: uses and disclosures for underwriting and related purposes
(h) (1) Standard: verification requirements
(2) Implementation specifications: verification
§ 164.520 Notice of privacy practices for protected health information
(a) Standard: notice of privacy practices
(1) Right to notice
(2) Exception for group health plans
(3) Exception for inmates
(b) Implementation specifications: content of notice
(1) Required elements
(2) Optional elements
(3) Revisions to the notice
(c) Implementation specifications: provision of notice
(1) Specific requirements for health plans
(2) Specific requirements for certain covered health care providers
(3) Specific requirements for electronic notice
(d) Implementation specifications: joint notice by separate covered entities
(e) Implementation specifications: documentation
§ 164.522 Rights to request privacy protection for protected health information
(a) (1) Standard: right of an individual to request restriction of uses and disclosures
(2) Implementation specifications: terminating a restriction
(3) Implementation specification: documentation
(b) (1) Standard: confidential communications requirements
(2) Implementation specifications: conditions on providing confidential communications
§ 164.524 Access of individuals to protected health information
(a) Standard: access to protected health information
(1) Right of access
(2) Unreviewable grounds for denial
(3) Reviewable grounds for denial
(4) Review of a denial of access
(b) Implementation specifications: requests for access and timely action
(1) Individual's request for access
(2) Timely action by the covered entity
(c) Implementation specifications: provision of access
(1) Providing the access requested
(2) Form of access requested
(3) Time and manner of access
(4) Fees
(d) Implementation specifications: denial of access
(1) Making other information accessible
(2) Denial
(3) Other responsibility
(4) Review of denial requested
(e) Implementation specification: documentation
§ 164.526 Amendment of protected health information
(a) Standard: right to amend
(1) Right to amend
(2) Denial of amendment
(b) Implementation specifications: requests for amendment and timely action
(1) Individual's request for amendment
(2) Timely action by the covered entity
(c) Implementation specifications: accepting the amendment
(1) Making the amendment
(2) Informing the individual
(3) Informing others
(d) Implementation specifications: denying the amendment
(1) Denial
(2) Statement of disagreement
(3) Rebuttal statement
(4) Recordkeeping
(5) Future disclosures
(e) Implementation specification: actions on notices of amendment
(f) Implementation specification: documentation
§ 164.528 Accounting of disclosures of protected health information
(a) Standard: right to an accounting of disclosures of protected health information
(b) Implementation specifications: content of the accounting
(c) Implementation specifications: provision of the accounting
(d) Implementation specification: documentation
§ 164.530 Administrative requirements
(a) (1) Standard: personnel designations
(2) Implementation specification: personnel designations
(b) (1) Standard: training
(2) Implementation specifications: training
(c) (1) Standard: safeguards
(2) Implementation specification: safeguards
(d) (1) Standard: complaints to the covered entity
(2) Implementation specification: documentation of complaints
(e) (1) Standard: sanctions
(2) Implementation specification: documentation
(f) Standard: mitigation
(g) Standard: refraining from intimidating or retaliatory acts
(1) Individuals
(2) Individuals and others
(h) Standard: waiver of rights
(i) (1) Standard: policies and procedures
(2) Standard: changes to policies or procedures
(3) Implementation specification: changes in law
(4) Implementation specifications: changes to privacy practices stated in the notice
(5) Implementation specification: changes to other policies or procedures
(j) (1) Standard: documentation
(2) Implementation specification: retention period
(k) Standard: group health plans
§ 164.532 Transition provisions
(a) Standard: effect of prior authorizations
(b) Implementation specification: effect of prior authorization for purposes other than research
(c) Implementation specification: effect of prior permission for research
(d) Standard: effect of prior contracts or other arrangements with business associates
(e) Implementation specification: deemed compliance
(1) Qualification
(2) Limited deemed compliance period
(3) Covered entity responsibilities
§ 164.534 Compliance dates for initial implementation of the privacy standards
(a) Health care providers
(b) Health plans
(1) Health plans other than small health plans
(2) Small health plans
(c) Health care clearinghouses
Download our Free HIPAA Project Plan.