• Like
HIPAA Regs
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Published

Administrative simplification of the HIPAA Regulations

Administrative simplification of the HIPAA Regulations

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
533
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
4
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. U.S. Department of Health and Human Services Office for Civil Rights HIPAA Administrative Simplification Regulation Text 45 CFR Parts 160, 162, and 164(Unofficial Version, as amended through February 16, 2006)
  • 2. HIPAA Administrative Simplification Table of ContentsSection PagePART 160 – GENERAL ADMINISTRATIVE REQUIREMENTSSUBPART A – GENERAL P ROVISIONS§ 160.101 Statutory basis and purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1§ 160.102 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1§ 160.103 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 ANSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Business associate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Compliance date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 EIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Electronic media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Electronic protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Employer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Group health plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 HCFA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 HHS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Health care . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Health care clearinghouse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Health care provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Health insurance issuer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Health maintenance organization (HMO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Health plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Implementation specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Individual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Individually identifiable health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Modify or modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Organized health care arrangement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Person . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Secretary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Small health plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Standard setting organization (SSO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Trading partner agreement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 -i­
  • 3. Transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Workforce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6§ 160.104 Modifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6SUBPART B – PREEMPTION OF STATE LAW§ 160.201 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6§ 160.202 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Contrary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 More stringent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Relates to the privacy of individually identifiable health information . . . . . . . . . . . . . . . . . . . . . . 7 State law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7§ 160.203 General rule and exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7§ 160.204 Process for requesting exception determinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7§ 160.205 Duration of effectiveness of exception determinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8SUBPART C – COMPLIANCE AND ENFORCEMENT§ 160.300 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8§ 160.302 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Administrative simplification provision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 ALJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Civil money penalty or penalty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Respondent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Violation or violate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8§ 160.304 Principles for achieving compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 (a) Cooperation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 (b) Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8§ 160.306 Complaints to the Secretary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 (a) Right to file a complaint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 (b) Requirements for filing complaints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 (c) Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9§ 160.308 Compliance reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 -ii­
  • 4. § 160.310 Responsibilities of covered entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 (a) Provide records and compliance reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 (b) Cooperate with complaint investigations and compliance reviews . . . . . . . . . . . . . . . . . . . . . 9 (c) Permit access to information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9§ 160.312 Secretarial action regarding complaints and compliance reviews . . . . . . . . . . . . . . . . . . . . . . 9 (a) Resolution where noncompliance is indicated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 (b) Resolution when no violation is found . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10§ 160.314 Investigational subpoenas and inquiries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10§ 160.316 Refraining from intimidation or retaliation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11SUBPART D - IMPOSITION OF CIVIL MONEY PENALTIES§ 160.400 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11§ 160.402 Basis for a civil money penalty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 (a) General rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 (b) Violation by more than one covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 (c) Violation attributed to a covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11§ 160.404 Amount of a civil money penalty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12§ 160.406 Violations of an identical requirement or prohibition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12§ 160.408 Factors considered in determining the amount of a civil money penalty . . . . . . . . . . . . . . . 12§ 160.410 Affirmative defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Reasonable cause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Reasonable diligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Willful neglect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12§ 160.412 Waiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13§ 160.414 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13§ 160.416 Authority to settle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13§ 160.418 Penalty not exclusive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13§ 160.420 Notice of proposed determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13§ 160.422 Failure to request a hearing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 -iii­
  • 5. § 160.424 Collection of penalty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13§ 160.426 Notification of the public and other agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14SUBPART E – PROCEDURES FOR H EARINGS§ 160.500 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14§ 160.502 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Board . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14§ 160.504 Hearing before an ALJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14§ 160.506 Rights of the parties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15§ 160.508 Authority of the ALJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15§ 160.510 Ex parte contacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15§ 160.512 Prehearing conferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15§ 160.514 Authority to settle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16§ 160.516 Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16§ 160.518 Exchange of witness lists, witness statements, and exhibits . . . . . . . . . . . . . . . . . . . . . . . . . . 16§ 160.520 Subpoenas for attendance at hearing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17§ 160.522 Fees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17§ 160.524 Form, filing, and service of papers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 (a) Forms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 (b) Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 (c) Proof of service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18§ 160.526 Computation of time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18§ 160.528 Motions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18§ 160.530 Sanctions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18§ 160.532 Collateral estoppel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18§ 160.534 The hearing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18§ 160.536 Statistical sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 -iv­
  • 6. § 160.538 Witnesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19§ 160.540 Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20§ 160.542 The record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20§ 160.544 Post hearing briefs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20§ 160.546 ALJ’s decision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20§ 160.548 Appeal of the ALJ’s decision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20§ 160.550 Stay of the Secretary’s decision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22§ 160.552 Harmless error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22PART 162 – ADMINISTRATIVE REQUIREMENTSSUBPART A – GENERAL PROVISIONS§ 162.100 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23§ 162.103 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Code set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Code set maintaining organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Data condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Data content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Data element . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Data set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Descriptor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Designated standard maintenance organization (DSMO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Direct data entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 HCPCS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Maintain or maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Maximum defined data set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Segment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Standard transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24SUBPARTS B and C – [RESERVED]SUBPART D – STANDARD UNIQUE HEALTH IDENTIFIER FOR HEALTH CARE PROVIDERS§ 162.402 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Covered health care provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 -v­
  • 7. § 162.404 Compliance dates of the implementation of the standard unique health identifier for health care providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 (a) Health care providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 (b) Health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 (c) Health care clearinghouses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24§ 162.406 Standard unique health identifier for health care providers . . . . . . . . . . . . . . . . . . . . . . . . . 24 (a) Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 (b) Required and permitted uses for the NPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24§ 162.408 National provider system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24§ 162.410 Implementation specifications: Health care providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24§ 162.412 Implementation specifications: Health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25§ 162.414 Implementation specifications: Health care clearinghouses . . . . . . . . . . . . . . . . . . . . . . . . . 25SUBPART E – [RESERVED]SUBPART F – STANDARD UNIQUE HEALTH EMPLOYER IDENTIFIER§ 162.600 Compliance dates of the implementation of the standard unique employer identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 (a) Health care providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 (b) Health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 (c) Health care clearinghouses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25§ 162.605 Standard unique employer identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25§ 162.610 Implementation specifications for covered entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25SUBPARTS G and H – [RESERVED]SUBPART I – GENERAL PROVISIONS FOR TRANSACTIONS§ 162.900 Compliance dates for transaction standards and code sets . . . . . . . . . . . . . . . . . . . . . . . . . . 25 (a) Small health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 (b) Covered entities that timely submitted a compliance plan . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 (c) Covered entities that did not timely submit a compliance plan . . . . . . . . . . . . . . . . . . . . . . . 26 -vi­
  • 8. § 162.910 Maintenance of standards and adoption of modifications and new standards . . . . . . . . . . 26 (a) Designation of DSMOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 (b) Maintenance of standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 (c) Process for modification of existing standards and adoption of new standards . . . . . . . . . . . 26§ 162.915 Trading partner agreements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26§ 162.920 Availability of implementation specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 (a) ASC X12N specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 (1) The ASC X12N 837- Health Care Claim: Dental . . . . . . . . . . . . . . . . . . . . . . . . . . 27 (2) The ASC X12N 837- Health Care Claim: Professional . . . . . . . . . . . . . . . . . . . . . . 27 (3) The ASC X12N 837- Health Care Claim: Institutional . . . . . . . . . . . . . . . . . . . . . . 27 (4) The ASC X12N 835- Health Care Claim Payment/Advice . . . . . . . . . . . . . . . . . . . 27 (5) ASC X12N 834- Benefit Enrollment and Maintenance . . . . . . . . . . . . . . . . . . . . . . 27 (6) The ASC X12N 820- Payroll Deducted and Other Group Premium Payment for Insurance Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 (7) The ASC X12N 278- Health Care Services Review-Request for Review and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 (8) The ASC X12N 276/277-Health Care Claim Status Request and Response . . . . . . 27 (9) The ASC X12N 270/271-Health Care Eligibility Benefit Inquiry and Response . . 27 (b) Retail pharmacy specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 (1) The Telecommunication Standard Implementation Guide . . . . . . . . . . . . . . . . . . . . 27 (2) The Batch Standard Batch Implementation Guide . . . . . . . . . . . . . . . . . . . . . . . . . . 27 (3) The National Council for Prescription Drug Programs (NCPDP) Equivalent NCPDP Batch Standard Batch Implementation Guide . . . . . . . . . . . . 28§ 162.923 Requirements for covered entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 (a) General rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 (b) Exception for direct data entry transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 (c) Use of a business associate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28§ 162.925 Additional requirements for health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 (a) General rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 (b) Coordination of benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 (c) Code sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28§ 162.930 Additional requirements for health care clearinghouses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28§ 162.940 Exceptions from standards to permit testing of proposed modifications . . . . . . . . . . . . . . . 29 (a) Requests for an exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 (1) Comparison to a current standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 (2) Specifications for the proposed modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 (3) Testing of the proposed modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 (4) Trading partner concurrences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 (b) Basis for granting an exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 -vii­
  • 9. (c) Secretary’s decision on exception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 (1) Exception granted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 (2) Exception denied . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 (d) Organization’s report on test results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 (e) Extension allowed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29SUBPART J – CODE SETS§ 162.1000 General requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 (a) Medical data code sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 (b) Nonmedical data code sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30§ 162.1002 Medical data code sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30§ 162.1011 Valid code sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31SUBPART K – HEALTH CARE CLAIMS OR EQUIVALENT ENCOUNTER INFORMATION§ 162.1101 Health care claims or equivalent encounter information transaction . . . . . . . . . . . . . . . . . . 31§ 162.1102 Standards for health care claims or equivalent encounter information transaction . . . . . . 31SUBPART L – ELIGIBILITY FOR A HEALTH PLAN§ 162.1201 Eligibility for a health plan transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31§ 162.1202 Standards for eligibility for a health plan transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32SUBPART M – REFERRAL CERTIFICATION AND AUTHORIZATION§ 162.1301 Referral certification and authorization transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32§ 162.1302 Standards for referral certification and authorization transaction . . . . . . . . . . . . . . . . . . . 32SUBPART N – HEALTH CARE CLAIM STATUS§ 162.1401 Health care claim status transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33§ 162.1402 Standards for health care claim status transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33SUBPART O – ENROLLMENT AND DISENROLLMENT IN A H EALTH PLAN -viii­
  • 10. § 162.1501 Enrollment and disenrollment in a health plan transaction . . . . . . . . . . . . . . . . . . . . . . . . . . 33§ 162.1502 Standards for enrollment and disenrollment in a health plan transaction . . . . . . . . . . . . . . 33SUBPART P – HEALTH CARE P AYMENT AND REMITTANCE ADVICE§ 162.1601 Health care payment and remittance advice transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33§ 162.1602 Standards for health care payment and remittance advice transaction . . . . . . . . . . . . . . . . 33SUBPART Q – HEALTH PLAN PREMIUM PAYMENTS§ 162.1701 Health plan premium payments transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34§ 162.1702 Standards for health plan premium payments transaction . . . . . . . . . . . . . . . . . . . . . . . . . . 34SUBPART R – COORDINATION OF BENEFITS§ 162.1801 Coordination of benefits transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34§ 162.1802 Standards for coordination of benefits information transaction . . . . . . . . . . . . . . . . . . . . . . 34PART 164 – SECURITY AND PRIVACYSUBPART A – GENERAL PROVISIONS§ 164.102 Statutory basis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36§ 164.103 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Common control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Common ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Covered functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Health care component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Hybrid entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Plan sponsor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Required by law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36§ 164.104 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36§ 164.105 Organizational Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36§ 164.106 Relationship to other parts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 -ix­
  • 11. SUBPART B– [RESERVED]SUBPART C – Security Standards for the Protection of Electronic Protected HealthInformation§ 164.302 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38§ 164.304 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Administrative Safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Facility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Information system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Malicious software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Physical safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Security or Security measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Security incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Technical safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39§ 164.306 Security standards: General rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39§ 164.308 Administrative safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40§ 164.310 Physical safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41§ 164.312 Technical safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42§ 164.314 Organizational requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43§ 164.316 Policies and procedures and documentation requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 44§ 164.318 Compliance dates for initial implementation of security standards . . . . . . . . . . . . . . . . . . . 44SUBPART D– [RESERVED]SUBPART E – PRIVACY OF INDIVIDUALLY IDENTIFIABLE H EALTH INFORMATION§ 164.500 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 -x­
  • 12. § 164.501 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Correctional institution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Data aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Designated record set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Direct treatment relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Health care operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Health oversight agency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Indirect treatment relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Inmate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Law enforcement official . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Payment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Psychotherapy notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Public health authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Treatment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47§ 164.502 Uses and disclosures of protected health information: general rules . . . . . . . . . . . . . . . . . . 47 (a) Standard: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 (1) Permitted uses & disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 (2) Required disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 (b) Standard: minimum necessary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 (1) Minimum necessary applies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 (2) Minimum necessary does not apply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 (c) Standard: uses and disclosures of protected health information subject to an agreed upon restriction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 (d) Standard: Uses and disclosures of de-identified protected health information . . . . . . . . . . . . 48 (1) Uses and disclosures to create de-identified information . . . . . . . . . . . . . . . . . . . . . 48 (2) Uses and disclosures of de-identified information . . . . . . . . . . . . . . . . . . . . . . . . . . 48 (e)(1) Standard: disclosures to business associates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 (2) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 (f) Standard: deceased individuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 (g)(1) Standard: personal representatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 (2) Implementation specification: adults and emancipated minors . . . . . . . . . . . . . . . . 49 (3) Implementation specification: unemancipated minors . . . . . . . . . . . . . . . . . . . . . . . 49 (4) Implementation specification: deceased individuals . . . . . . . . . . . . . . . . . . . . . . . . 49 (5) Implementation specification: abuse, neglect, endangerment situations . . . . . . . . . 50 (h) Standard: confidential communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 (i) Standard: uses and disclosures consistent with notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 (j) Standard: disclosures by whistleblowers and workforce member crime victims . . . . . . . . . . 50 (1) Disclosures by whistleblowers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 (2) Disclosures by workforce members who are victims of a crime . . . . . . . . . . . . . . . 50§ 164.504 Uses and disclosures: organizational requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 (a) Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Plan administration functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Summary health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 -xi­
  • 13. Paragraphs (b)-(d)– [Removed and Reserved] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 (e)(1) Standard: business associate contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 (2) Implementation specifications: business associate contracts . . . . . . . . . . . . . . . . . . 51 (3) Implementation specifications: other arrangements . . . . . . . . . . . . . . . . . . . . . . . . . 51 (4) Implementation specifications: other requirements for contracts and other arrangements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 (f)(1) Standard: requirements for group health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 (2) Implementation specifications: requirements for plan documents . . . . . . . . . . . . . . 52 (3) Implementation specifications: uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . . 53 (g) Standard: requirements for a covered entity with multiple covered functions . . . . . . . . . . . . 53§ 164.506 Uses and disclosures to carry out treatment, payment, or health care operations . . . . . . . . 54 (a) Standard: permitted uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 (b) Standard: consent for uses and disclosures permitted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 (c) Implementation specifications: treatment, payment, or health care operations . . . . . . . . . . . 54§ 164.508 Uses and disclosures for which an authorization is required . . . . . . . . . . . . . . . . . . . . . . . . . 54 (a) Standard: authorizations for uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 (1) Authorization required: general rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 (2) Authorization required: psychotherapy notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 (3) Authorization required: marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 (b) Implementation specifications: general requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 (1) Valid authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 (2) Defective authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 (3) Compound authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 (4) Prohibition on conditioning of authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 (5) Revocation of authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 (6) Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 (c) Implementation specifications: core elements and requirements . . . . . . . . . . . . . . . . . . . . . . 56 (1) Core elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 (2) Required statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 (3) Plain language requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 (4) Copy to the individual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56§ 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object . . . 56 (a) Standard: use and disclosure for facility directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 (1) Permitted uses and disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 (2) Opportunity to object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 (3) Emergency circumstances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 (b) Standard: uses and disclosures for involvement in the individual’s care and notification purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 (1) Permitted uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 (2) Uses and disclosures with the individual present . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 (3) Limited uses and disclosures when the individual is not present . . . . . . . . . . . . . . . 57 (4) Use and disclosures for disaster relief purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . 57§ 164.512 Uses and disclosures for which an authorization or opportunity to -xii­
  • 14. agree or object is not required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 (a) Standard: uses and disclosures required by law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 (b) Standard: uses and disclosures for public health activities . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 (1) Permitted disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 (2) Permitted uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 (c) Standard: disclosures about victims of abuse, neglect, or domestic violence . . . . . . . . . . . . . 59 (1) Permitted disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 (2) Informing the individual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 (d) Standard: uses and disclosures for health oversight activities . . . . . . . . . . . . . . . . . . . . . . . . 59 (1) Permitted disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 (2) Exception to health oversight activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 (3) Joint activities or investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 (4) Permitted uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 (e) Standard: disclosures for judicial and administrative proceedings . . . . . . . . . . . . . . . . . . . . . 60 (1) Permitted disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 (2) Other uses and disclosures under this section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 (f) Standard: disclosures for law enforcement purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 (1) Permitted disclosures: pursuant to process and as otherwise required by law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 (2) Permitted disclosures: limited information for identification and location purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 (3) Permitted disclosure: victims of a crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 (4) Permitted disclosure: decedents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 (5) Permitted disclosure: crime on premises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 (6) Permitted disclosure: reporting crime in emergencies . . . . . . . . . . . . . . . . . . . . . . . 62 (g) Standard: uses and disclosures about decedents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 (1) Coroners and medical examiners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 (2) Funeral directors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 (h) Standard: uses and disclosures for cadaveric organ, eye, or tissue donation purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 (i) Standard: uses and disclosures for research purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 (1) Permitted uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 (2) Documentation of waiver approval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 (j) Standard: uses and disclosures to avert a serious threat to health or safety . . . . . . . . . . . . . . . 64 (1) Permitted disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 (2) Use or disclosure not permitted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 (3) Limit on information that may be disclosed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 (4) Presumption of good faith belief . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 (k) Standard: uses and disclosures for specialized government functions . . . . . . . . . . . . . . . . . . 64 (1) Military and veterans activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 (2) National security and intelligence activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 (3) Protective services for the President and others . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 (4) Medical suitability determinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 (5) Correctional institutions and other law enforcement custodial situations . . . . . . . . 65 (6) Covered entities that are government programs providing public benefits . . . . . . . 65 (l) Standard: disclosures for workers’ compensation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66§ 164.514 Other requirements relating to uses & disclosures of protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 -xiii­
  • 15. (a) Standard: de-identification of protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . 66 (b) Implementation specifications: requirements for de-identification of protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 (c) Implementation specifications: re-identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 (1) Derivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 (2) Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 (d)(1) Standard: minimum necessary requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 (2) Implementation specifications: minimum necessary uses of protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 (3) Implementation specification: minimum necessary disclosures of protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 (4) Implementation specifications: minimum necessary requests for protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 (5) Implementation specification: other content requirement . . . . . . . . . . . . . . . . . . . . 67 (e)(1) Standard: limited data set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 (2) Implementation specification: limited data set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 (3) Implementation specification: permitted purposes for uses and disclosures . . . . . . 68 (4) Implementation specifications: data use agreement . . . . . . . . . . . . . . . . . . . . . . . . . 68 (f)(1) Standard: uses and disclosures for fundraising . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 (2) Implementation specifications: fundraising requirements . . . . . . . . . . . . . . . . . . . . 69 (g) Standard: uses and disclosures for underwriting and related purposes . . . . . . . . . . . . . . . . . . 69 (h)(1) Standard: verification requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 (2) Implementation specifications: verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69§ 164.520 Notice of privacy practices for protected health information . . . . . . . . . . . . . . . . . . . . . . . . 70 (a) Standard: notice of privacy practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 (1) Right to notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 (2) Exception for group health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 (3) Exception for inmates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 (b) Implementation specifications: content of notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 (1) Required elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 (2) Optional elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 (3) Revisions to the notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 (c) Implementation specifications: provision of notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 (1) Specific requirements for health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 (2) Specific requirements for certain covered health care providers . . . . . . . . . . . . . . . 72 (3) Specific requirements for electronic notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 (d) Implementation specifications: joint notice by separate covered entities . . . . . . . . . . . . . . . . 72 (e) Implementation specifications: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73§ 164.522 Rights to request privacy protection for protected health information . . . . . . . . . . . . . . . . 73 (a)(1) Standard: right of an individual to request restriction of uses and disclosures . . . . . . . . . 73 (2) Implementation specifications: terminating a restriction . . . . . . . . . . . . . . . . . . . . . 73 (3) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 (b)(1) Standard: confidential communications requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 (2) Implementation specifications: conditions on providing confidential communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 -xiv­
  • 16. § 164.524 Access of individuals to protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 (a) Standard: access to protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 (1) Right of access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 (2) Unreviewable grounds for denial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 (3) Reviewable grounds for denial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 (4) Review of a denial of access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 (b) Implementation specifications: requests for access and timely action . . . . . . . . . . . . . . . . . . 75 (1) Individual’s request for access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 (2) Timely action by the covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 (c) Implementation specifications: provision of access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 (1) Providing the access requested . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 (2) Form of access requested . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 (3) Time and manner of access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 (4) Fees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 (d) Implementation specifications: denial of access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 (1) Making other information accessible . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 (2) Denial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 (3) Other responsibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 (4) Review of denial requested . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 (e) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76§ 164.526 Amendment of protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 (a) Standard: right to amend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 (1) Right to amend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 (2) Denial of amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 (b) Implementation specifications: requests for amendment and timely action . . . . . . . . . . . . . . 77 (1) Individual’s request for amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 (2) Timely action by the covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 (c) Implementation specifications: accepting the amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 (1) Making the amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 (2) Informing the individual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 (3) Informing others . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 (d) Implementation specifications: denying the amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 (1) Denial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 (2) Statement of disagreement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 (3) Rebuttal statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 (4) Recordkeeping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 (5) Future disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 (e) Implementation specification: actions on notices of amendment . . . . . . . . . . . . . . . . . . . . . . 78 (f) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78§ 164.528 Accounting of disclosures of protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . 78 (a) Standard: right to an accounting of disclosures of protected health information . . . . . . . . . . 78 (b) Implementation specifications: content of the accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 (c) Implementation specifications: provision of the accounting . . . . . . . . . . . . . . . . . . . . . . . . . 80 (d) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 -xv­
  • 17. § 164.530 Administrative requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 (a)(1) Standard: personnel designations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 (2) Implementation specification: personnel designations . . . . . . . . . . . . . . . . . . . . . . . 80 (b)(1) Standard: training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 (2) Implementation specifications: training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 (c)(1) Standard: safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 (2) Implementation specification: safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 (d)(1) Standard: complaints to the covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 (2) Implementation specification: documentation of complaints . . . . . . . . . . . . . . . . . . 81 (e)(1) Standard: sanctions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 (2) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 (f) Standard: mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 (g) Standard: refraining from intimidating or retaliatory acts . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 (1) Individuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 (2) Individuals and others . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 (h) Standard: waiver of rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 (i)(1) Standard: policies and procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 (2) Standard: changes to policies or procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 (3) Implementation specification: changes in law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 (4) Implementation specifications: changes to privacy practices stated in the notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 (5) Implementation specification: changes to other policies or procedures . . . . . . . . . . 82 (j)(1) Standard: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 (2) Implementation specification: retention period . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 (k) Standard: group health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82§ 164.532 Transition provisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 (a) Standard: effect of prior authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 (b) Implementation specification: effect of prior authorization for purposes other than research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 (c) Implementation specification: effect of prior permission for research . . . . . . . . . . . . . . . . . . 83 (d) Standard: effect of prior contracts or other arrangements with business associates . . . . . . . . 83 (e) Implementation specification: deemed compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 (1) Qualification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 (2) Limited deemed compliance period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 (3) Covered entity responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83§ 164.534 Compliance dates for initial implementation of the privacy standards . . . . . . . . . . . . . . . . 84 (a) Health care providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 (b) Health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 (1) Health plans other than small health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 (2) Small health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 (c) Health care clearinghouses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 -xvi­
  • 18. HIPAA Administrative Simplification Regulation Text March 2006PART 160 – GENERAL ADMINISTRATIVE 160.502 Definitions.REQUIREMENTS 160.504 Hearing before an ALJ. 160.506 Rights of the parties.Subpart A – General Provisions 160.508 Authority of the ALJ.160.101 Statutory basis and purpose. 160.510 Ex parte contacts.160.102 Applicability. 160.512 Prehearing conferences.160.103 Definitions. 160.514 Authority to settle.160.104 Modifications. 160.516 Discovery. 160.518 Exchange of witness lists, witnessSubpart B – Preemption of State Law statements, and exhibits.160.201 Applicability. 160.520 Subpoenas for attendance at hearing.160.202 Definitions. 160.522 Fees.160.203 General rule and exceptions. 160.524 Form, filing, and service of papers.160.204 Process for requesting exception 160.526 Computation of time. determinations. 160.528 Motions.160.205 Duration of effectiveness of exception 160.530 Sanctions. determinations. 160.532 Collateral estoppel. 160.534 The hearing.Subpart C - Compliance and Investigations 160.536 Statistical sampling.160.300 Applicability. 160.538 Witnesses.160.302 Definitions. 160.540 Evidence.160.304 Principles for achieving compliance. 160.542 The record.160.306 Complaints to the Secretary. 160.544 Post hearing briefs.160.308 Compliance reviews. 160.546 ALJ’s decision.160.310 Responsibilities of covered entities. 160.548 Appeal of the ALJ’s decision.160.312 Secretarial action regarding complaints and 160.550 Stay of the Secretary’s decision. compliance reviews. 160.552 Harmless error.160.314 Investigational subpoenas and inquiries.160.316 Refraining from intimidation or retaliation. Authority: 42 U.S.C. 1302(a), 42 U.S.C. 1320d ­ 1320d-8, and sec. 264 of Pub. L. 104-191, 110 Stat.Subpart D—Imposition of Civil Money Penalties 2033-2034 (42 U.S.C. 1320d-2(note)) and 5 U.S.C.160.400 Applicability. 552.160.402 Basis for a civil money penalty.160.404 Amount of a civil money penalty. Subpart A—General Provisions160.406 Violations of an identical requirement or prohibition. § 160.101 Statutory basis and purpose.160.408 Factors considered in determining the The requirements of this subchapter implement amount of a civil money penalty. sections 1171 through 1179 of the Social Security Act160.410 Affirmative defenses. (the Act), as added by section 262 of Public Law160.412 Waiver. 104–191, and section 264 of Public Law 104–191.160.414 Limitations.160.416 Authority to settle. § 160.102 Applicability.160.418 Penalty not exclusive. (a) Except as otherwise provided, the standards,160.420 Notice of proposed determination. requirements, and implementation specifications160.422 Failure to request a hearing. adopted under this subchapter apply to the following160.424 Collection of penalty. entities:160.426 Notification of the public and other agencies. (1) A health plan. (2) A health care clearinghouse.Subpart E—Procedures for Hearings (3) A health care provider who transmits any160.500 Applicability. -1­
  • 19. HIPAA Administrative Simplification Regulation Text March 2006health information in electronic form in connection or from another business associate of such coveredwith a transaction covered by this subchapter. entity or arrangement, to the person. (b) To the extent required under the Social (2) A covered entity participating in an organizedSecurity Act, 42 U.S.C. 1320a–7c(a)(5), nothing in health care arrangement that performs a function orthis subchapter shall be construed to diminish the activity as described by paragraph (1)(i) of thisauthority of any Inspector General, including such definition for or on behalf of such organized healthauthority as provided in the Inspector General Act of care arrangement, or that provides a service as1978, as amended (5 U.S.C. App.). described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not,[65 FR 82798, Dec. 28, 2000, as amended at 67 FR simply through the performance of such function or53266, Aug. 14, 2002] activity or the provision of such service, become a business associate of other covered entities§ 160.103 Definitions. participating in such organized health careExcept as otherwise provided, the following arrangement.definitions apply to this subchapter: (3) A covered entity may be a business associate Act means the Social Security Act. of another covered entity. ANSI stands for the American National Standards CMS stands for Centers for Medicare & MedicaidInstitute. Services within the Department of Health and Human Business associate: Services. (1) Except as provided in paragraph (2) of this Compliance date means the date by which adefinition, business associate means, with respect to a covered entity must comply with a standard,covered entity, a person who: implementation specification, requirement, or (i) On behalf of such covered entity or of an modification adopted under this subchapter.organized health care arrangement (as defined in Covered entity means:§164.501 of this subchapter) in which the covered (1) A health plan.entity participates, but other than in the capacity of a (2) A health care clearinghouse.member of the workforce of such covered entity or (3) A health care provider who transmits anyarrangement, performs, or assists in the performance health information in electronic form in connectionof: with a transaction covered by this subchapter. (A) A function or activity involving the use or Disclosure means the release, transfer, provisiondisclosure of individually identifiable health of, access to, or divulging in any other manner ofinformation, including claims processing or information outside the entity holding theadministration, data analysis, processing or information.administration, utilization review, quality assurance, EIN stands for the employer identification numberbilling, benefit management, practice management, assigned by the Internal Revenue Service, U.S.and repricing; or Department of the Treasury. The EIN is the taxpayer (B) Any other function or activity regulated by identifying number of an individual or other entitythis subchapter; or (whether or not an employer) assigned under one of (ii) Provides, other than in the capacity of a the following:member of the workforce of such covered entity, (1) 26 U.S.C. 6011(b), which is the portion of thelegal, actuarial, accounting, consulting, data Internal Revenue Code dealing with identifying theaggregation (as defined in §164.501 of this taxpayer in tax returns and statements, orsubchapter), management, administrative, corresponding provisions of prior law.accreditation, or financial services to or for such (2) 26 U.S.C. 6109, which is the portion of thecovered entity, or to or for an organized health care Internal Revenue Code dealing with identifyingarrangement in which the covered entity participates, numbers in tax returns, statements, and other requiredwhere the provision of the service involves the documents.disclosure of individually identifiable health Electronic media means:information from such covered entity or arrangement, (1) Electronic storage media including memory -2­
  • 20. HIPAA Administrative Simplification Regulation Text March 2006devices in computers (hard drives) and any (2) Sale or dispensing of a drug, device,removable/transportable digital memory medium, equipment, or other item in accordance with asuch as magnetic tape or disk, optical disk, or digital prescription.memory card; or Health care clearinghouse means a public or (2) Transmission media used to exchange private entity, including a billing service, repricinginformation already in electronic storage media. company, community health management informationTransmission media include, for example, the internet system or community health information system, and(wide-open), extranet (using internet technology to “value-added” networks and switches, that does eitherlink a business with information accessible only to of the following functions:collaborating parties), leased lines, dial-up lines, (1) Processes or facilitates the processing ofprivate networks, and the physical movement of health information received from another entity in aremovable/transportable electronic storage media. nonstandard format or containing nonstandard dataCertain transmissions, including of paper, via content into standard data elements or a standardfacsimile, and of voice, via telephone, are not transaction.considered to be transmissions via electronic media, (2) Receives a standard transaction from anotherbecause the information being exchanged did not entity and processes or facilitates the processing ofexist in electronic form before the transmission. health information into nonstandard format or Electronic protected health information means nonstandard data content for the receiving entity.information that comes within paragraphs (1)(i) or Health care provider means a provider of services(1)(ii) of the definition of protected health (as defined in section 1861(u) of the Act, 42 U.S.C.information as specified in this section. 1395x(u)), a provider of medical or health services Employer is defined as it is in 26 U.S.C. 3401(d). (as defined in section 1861(s) of the Act, 42 U.S.C. Group health plan (also see definition of health 1395x(s)), and any other person or organization whoplan in this section) means an employee welfare furnishes, bills, or is paid for health care in thebenefit plan (as defined in section 3(1) of the normal course of business.Employee Retirement Income and Security Act of Health information means any information,1974 (ERISA), 29 U.S.C. 1002(1)), including insured whether oral or recorded in any form or medium, that:and self-insured plans, to the extent that the plan (1) Is created or received by a health careprovides medical care (as defined in section provider, health plan, public health authority,2791(a)(2) of the Public Health Service Act (PHS employer, life insurer, school or university, or healthAct), 42 U.S.C. 300gg–91(a)(2)), including items and care clearinghouse; andservices paid for as medical care, to employees or (2) Relates to the past, present, or future physicaltheir dependents directly or through insurance, or mental health or condition of an individual; thereimbursement, or otherwise, that: provision of health care to an individual; or the past, (1) Has 50 or more participants (as defined in present, or future payment for the provision of healthsection 3(7) of ERISA, 29 U.S.C. 1002(7)); or care to an individual. (2) Is administered by an entity other than the Health insurance issuer (as defined in sectionemployer that established and maintains the plan. 2791(b)(2) of the PHS Act, 42 U.S.C. HHS stands for the Department of Health and 300gg–91(b)(2) and used in the definition of healthHuman Services. plan in this section) means an insurance company, Health care means care, services, or supplies insurance service, or insurance organizationrelated to the health of an individual. Health care (including an HMO) that is licensed to engage in theincludes, but is not limited to, the following: business of insurance in a State and is subject to State (1) Preventive, diagnostic, therapeutic, law that regulates insurance. Such term does notrehabilitative, maintenance, or palliative care, and include a group health plan.counseling, service, assessment, or procedure with Health maintenance organization (HMO) (asrespect to the physical or mental condition, or defined in section 2791(b)(3) of the PHS Act, 42functional status, of an individual or that affects the U.S.C. 300gg–91(b)(3) and used in the definition ofstructure or function of the body; and health plan in this section) means a federally qualified -3­
  • 21. HIPAA Administrative Simplification Regulation Text March 2006HMO, an organization recognized as an HMO under eligible individuals.State law, or a similar organization regulated for (xvii) Any other individual or group plan, orsolvency under State law in the same manner and to combination of individual or group plans, thatthe same extent as such an HMO. provides or pays for the cost of medical care (as Health plan means an individual or group plan defined in section 2791(a)(2) of the PHS Act, 42that provides, or pays the cost of, medical care (as U.S.C. 300gg–91(a)(2)).defined in section 2791(a)(2) of the PHS Act, 42 (2) Health plan excludes:U.S.C. 300gg–91(a)(2)). (i) Any policy, plan, or program to the extent that (1) Health plan includes the following, singly or it provides, or pays for the cost of, excepted benefitsin combination: that are listed in section 2791(c)(1) of the PHS Act, (i) A group health plan, as defined in this section. 42 U.S.C. 300gg–91(c)(1); and (ii) A health insurance issuer, as defined in this (ii) A government-funded program (other than onesection. listed in paragraph (1)(i)–(xvi) of this definition): (iii) An HMO, as defined in this section. (A) Whose principal purpose is other than (iv) Part A or Part B of the Medicare program providing, or paying the cost of, health care; orunder title XVIII of the Act. (B) Whose principal activity is: (v) The Medicaid program under title XIX of the (1) The direct provision of health care to persons;Act, 42 U.S.C. 1396, et seq. or (vi) An issuer of a Medicare supplemental policy (2) The making of grants to fund the direct(as defined in section 1882(g)(1) of the Act, 42 provision of health care to persons.U.S.C. 1395ss(g)(1)). Implementation specification means specific (vii) An issuer of a long-term care policy, requirements or instructions for implementing aexcluding a nursing home fixed-indemnity policy. standard. (viii) An employee welfare benefit plan or any Individual means the person who is the subject ofother arrangement that is established or maintained protected health information.for the purpose of offering or providing health Individually identifiable health information isbenefits to the employees of two or more employers. information that is a subset of health information, (ix) The health care program for active military including demographic information collected from anpersonnel under title 10 of the United States Code. individual, and: (x) The veterans health care program under 38 (1) Is created or received by a health careU.S.C. chapter 17. provider, health plan, employer, or health care (xi) The Civilian Health and Medical Program of clearinghouse; andthe Uniformed Services (CHAMPUS) (as defined in (2) Relates to the past, present, or future physical10 U.S.C. 1072(4)). or mental health or condition of an individual; the (xii) The Indian Health Service program under the provision of health care to an individual; or the past,Indian Health Care Improvement Act, 25 U.S.C. present, or future payment for the provision of health1601, et seq. care to an individual; and (xiii) The Federal Employees Health Benefits (i) That identifies the individual; orProgram under 5 U.S.C. 8902, et seq. (ii) With respect to which there is a reasonable (xiv) An approved State child health plan under basis to believe the information can be used totitle XXI of the Act, providing benefits for child identify the individual.health assistance that meet the requirements of Modify or modification refers to a change adoptedsection 2103 of the Act, 42 U.S.C. 1397, et seq. by the Secretary, through regulation, to a standard or (xv) The Medicare+Choice program under Part C an implementation specification.of title XVIII of the Act, 42 U.S.C. 1395w–21 Organized health care arrangement means:through 1395w–28. (1) A clinically integrated care setting in which (xvi) A high risk pool that is a mechanism individuals typically receive health care from moreestablished under State law to provide health than one health care provider;insurance coverage or comparable coverage to (2) An organized system of health care in which -4­
  • 22. HIPAA Administrative Simplification Regulation Text March 2006more than one covered entity participates and in (ii) Maintained in electronic media; orwhich the participating covered entities: (iii) Transmitted or maintained in any other form (i) Hold themselves out to the public as or medium.participating in a joint arrangement; and (2) Protected health information excludes (ii) Participate in joint activities that include at individually identifiable health information in:least one of the following: (i) Education records covered by the Family (A) Utilization review, in which health care Educational Rights and Privacy Act, as amended, 20decisions by participating covered entities are U.S.C. 1232g;reviewed by other participating covered entities or by (ii) Records described at 20 U.S.C.a third party on their behalf; 1232g(a)(4)(B)(iv); and (B) Quality assessment and improvement (iii) Employment records held by a covered entityactivities, in which treatment provided by in its role as employer.participating covered entities is assessed by other Secretary means the Secretary of Health andparticipating covered entities or by a third party on Human Services or any other officer or employee oftheir behalf; or HHS to whom the authority involved has been (C) Payment activities, if the financial risk for delegated.delivering health care is shared, in part or in whole, Small health plan means a health plan with annualby participating covered entities through the joint receipts of $5 million or less.arrangement and if protected health information Standard means a rule, condition, or requirement:created or received by a covered entity is reviewed by (1) Describing the following information forother participating covered entities or by a third party products, systems, services or practices:on their behalf for the purpose of administering the (i) Classification of components.sharing of financial risk. (ii) Specification of materials, performance, or (3) A group health plan and a health insurance operations; orissuer or HMO with respect to such group health (iii) Delineation of procedures; orplan, but only with respect to protected health (2) With respect to the privacy of individuallyinformation created or received by such health identifiable health information.insurance issuer or HMO that relates to individuals Standard setting organization (SSO) means anwho are or who have been participants or organization accredited by the American Nationalbeneficiaries in such group health plan; Standards Institute that develops and maintains (4) A group health plan and one or more other standards for information transactions or datagroup health plans each of which are maintained by elements, or any other standard that is necessary for,the same plan sponsor; or or will facilitate the implementation of, this part. (5) The group health plans described in paragraph State refers to one of the following:(4) of this definition and health insurance issuers or (1) For a health plan established or regulated byHMOs with respect to such group health plans, but Federal law, State has the meaning set forth in theonly with respect to protected health information applicable section of the United States Code for suchcreated or received by such health insurance issuers health plan.or HMOs that relates to individuals who are or have (2) For all other purposes, State means any of thebeen participants or beneficiaries in any of such several States, the District of Columbia, thegroup health plans. Commonwealth of Puerto Rico, the Virgin Islands, “Person” means a natural person, trust or estate, and Guam.partnership, corporation, professional association or Trading partner agreement means an agreementcorporation, or other entity, public or private. related to the exchange of information in electronic Protected health information means individually transactions, whether the agreement is distinct or partidentifiable health information: of a larger agreement, between each party to the (1) Except as provided in paragraph (2) of this agreement. (For example, a trading partner agreementdefinition, that is: may specify, among other things, the duties and (i) Transmitted by electronic media; responsibilities of each party to the agreement in -5­
  • 23. HIPAA Administrative Simplification Regulation Text March 2006conducting a standard transaction.) modified under this section. Transaction means the transmission of (1) The compliance date for a modification is noinformation between two parties to carry out financial earlier than 180 days after the effective date of theor administrative activities related to health care. It final rule in which the Secretary adopts theincludes the following types of information modification.transmissions: (2) The Secretary may consider the extent of the (1) Health care claims or equivalent encounter modification and the time needed to comply with theinformation. modification in determining the compliance date for (2) Health care payment and remittance advice. the modification. (3) Coordination of benefits. (3) The Secretary may extend the compliance date (4) Health care claim status. for small health plans, as the Secretary determines is (5) Enrollment and disenrollment in a health plan. appropriate. (6) Eligibility for a health plan. (7) Health plan premium payments. [65 FR 82798, Dec. 28, 2000, as amended at 67 FR (8) Referral certification and authorization. 38019, May 31, 2002] (9) First report of injury. (10) Health claims attachments. Subpart B—Preemption of State Law (11) Other transactions that the Secretary mayprescribe by regulation. § 160.201 Applicability. Use means, with respect to individually The provisions of this subpart implement sectionidentifiable health information, the sharing, 1178 of the Act, as added by section 262 of Publicemployment, application, utilization, examination, or Law 104–191.analysis of such information within an entity thatmaintains such information. § 160.202 Definitions. Workforce means employees, volunteers, trainees, For purposes of this subpart, the following terms haveand other persons whose conduct, in the performance the following meanings:of work for a covered entity, is under the direct Contrary, when used to compare a provision ofcontrol of such entity, whether or not they are paid by State law to a standard, requirement, orthe covered entity. implementation specification adopted under this subchapter, means:[65 FR 82798, Dec. 28, 2000, as amended at 67 FR (1) A covered entity would find it impossible to38019, May 31, 2002; 67 FR 53266, Aug. 14, 2002; comply with both the State and federal requirements;68 FR 8374, Feb. 20, 2003; 71 FR 8424, Feb. 16, or2006] (2) The provision of State law stands as an obstacle to the accomplishment and execution of the§ 160.104 Modifications. full purposes and objectives of part C of title XI of (a) Except as provided in paragraph (b) of this the Act or section 264 of Pub. L. 104–191, assection, the Secretary may adopt a modification to a applicable.standard or implementation specification adopted More stringent means, in the context of aunder this subchapter no more frequently than once comparison of a provision of State law and aevery 12 months. standard, requirement, or implementation (b) The Secretary may adopt a modification at any specification adopted under subpart E of part 164 oftime during the first year after the standard or this subchapter, a State law that meets one or more ofimplementation specification is initially adopted, if the following criteria:the Secretary determines that the modification is (1) With respect to a use or disclosure, the lawnecessary to permit compliance with the standard or prohibits or restricts a use or disclosure inimplementation specification. circumstances under which such use or disclosure (c) The Secretary will establish the compliance otherwise would be permitted under this subchapter,date for any standard or implementation specification except if the disclosure is: -6­
  • 24. HIPAA Administrative Simplification Regulation Text March 2006 (i) Required by the Secretary in connection with specification adopted under this subchapter that isdetermining whether a covered entity is in compliance contrary to a provision of State law preempts thewith this subchapter; or provision of State law. This general rule applies, (ii) To the individual who is the subject of the except if one or more of the following conditions isindividually identifiable health information. met: (2) With respect to the rights of an individual, (a) A determination is made by the Secretarywho is the subject of the individually identifiable under §160.204 that the provision of State law:health information, regarding access to or amendment (1) Is necessary:of individually identifiable health information, (i) To prevent fraud and abuse related to thepermits greater rights of access or amendment, as provision of or payment for health care;applicable. (ii) To ensure appropriate State regulation of (3) With respect to information to be provided to insurance and health plans to the extent expresslyan individual who is the subject of the individually authorized by statute or regulation;identifiable health information about a use, a (iii) For State reporting on health care delivery ordisclosure, rights, and remedies, provides the greater costs; oramount of information. (iv) For purposes of serving a compelling need (4) With respect to the form, substance, or the related to public health, safety, or welfare, and, if aneed for express legal permission from an individual, standard, requirement, or implementationwho is the subject of the individually identifiable specification under part 164 of this subchapter is athealth information, for use or disclosure of issue, if the Secretary determines that the intrusionindividually identifiable health information, provides into privacy is warranted when balanced against therequirements that narrow the scope or duration, need to be served; orincrease the privacy protections afforded (such as by (2) Has as its principal purpose the regulation ofexpanding the criteria for), or reduce the coercive the manufacture, registration, distribution, dispensing,effect of the circumstances surrounding the express or other control of any controlled substances (aslegal permission, as applicable. defined in 21 U.S.C. 802), or that is deemed a (5) With respect to recordkeeping or requirements controlled substance by State law.relating to accounting of disclosures, provides for the (b) The provision of State law relates to theretention or reporting of more detailed information or privacy of individually identifiable health informationfor a longer duration. and is more stringent than a standard, requirement, or (6) With respect to any other matter, provides implementation specification adopted under subpart Egreater privacy protection for the individual who is of part 164 of this subchapter.the subject of the individually identifiable health (c) The provision of State law, including Stateinformation. procedures established under such law, as applicable, Relates to the privacy of individually identifiable provides for the reporting of disease or injury, childhealth information means, with respect to a State law, abuse, birth, or death, or for the conduct of publicthat the State law has the specific purpose of health surveillance, investigation, or intervention.protecting the privacy of health information or affects (d) The provision of State law requires a healththe privacy of health information in a direct, clear, plan to report, or to provide access to, information forand substantial way. the purpose of management audits, financial audits, State law means a constitution, statute, regulation, program monitoring and evaluation, or the licensurerule, common law, or other State action having the or certification of facilities or individuals.force and effect of law. [65 FR 82798, Dec. 28, 2000, as amended at 67 FR[65 FR 82798, Dec. 28, 2000, as amended at 67 FR 53266, Aug. 14, 2002]53266, Aug. 14, 2002] § 160.204 Process for requesting exception§ 160.203 General rule and exceptions. determinations.A standard, requirement, or implementation (a) A request to except a provision of State law -7­
  • 25. HIPAA Administrative Simplification Regulation Text March 2006from preemption under §160.203(a) may be Source: 71 FR 8424, Feb. 16, 2006, unlesssubmitted to the Secretary. A request by a State must otherwise noted.be submitted through its chief elected official, or hisor her designee. The request must be in writing and § 160.300 Applicability.include the following information: This subpart applies to actions by the Secretary, (1) The State law for which the exception is covered entities, and others with respect torequested; ascertaining the compliance by covered entities with, (2) The particular standard, requirement, or and the enforcement of, the applicable provisions ofimplementation specification for which the exception this part 160 and parts 162 and 164 of thisis requested; subchapter. (3) The part of the standard or other provision thatwill not be implemented based on the exception or the § 160.302 Definitions.additional data to be collected based on the As used in this subpart and subparts D and E of thisexception, as appropriate; part, the following terms have the following (4) How health care providers, health plans, and meanings:other entities would be affected by the exception; Administrative simplification provision means any (5) The reasons why the State law should not be requirement or prohibition established by:preempted by the federal standard, requirement, or (1) 42 U.S.C. 1320d—1320d–4, 1320d–7, andimplementation specification, including how the State 1320d–8;law meets one or more of the criteria at §160.203(a); (2) Section 264 of Pub. L. 104–191; orand (3) This subchapter. (6) Any other information the Secretary may ALJ means Administrative Law Judge.request in order to make the determination. Civil money penalty or penalty means the amount (b) Requests for exception under this section must determined under §160.404 of this part and includesbe submitted to the Secretary at an address that will the plural of these terms.be published in the Federal Register. Until the Respondent means a covered entity upon whichSecretarys determination is made, the standard, the Secretary has imposed, or proposes to impose, arequirement, or implementation specification under civil money penalty.this subchapter remains in effect. Violation or violate means, as the context may (c) The Secretarys determination under this require, failure to comply with an administrativesection will be made on the basis of the extent to simplification provision.which the information provided and other factorsdemonstrate that one or more of the criteria at § 160.304 Principles for achieving compliance.§160.203(a) has been met. (a) Cooperation. The Secretary will, to the extent practicable, seek the cooperation of covered entities§ 160.205 Duration of effectiveness of exception in obtaining compliance with the applicabledeterminations. administrative simplification provisions.An exception granted under this subpart remains in (b) Assistance. The Secretary may provideeffect until: technical assistance to covered entities to help them (a) Either the State law or the federal standard, comply voluntarily with the applicable administrativerequirement, or implementation specification that simplification provisions.provided the basis for the exception is materiallychanged such that the ground for the exception no § 160.306 Complaints to the Secretary.longer exists; or (a) Right to file a complaint. A person who (b) The Secretary revokes the exception, based on believes a covered entity is not complying with thea determination that the ground supporting the need administrative simplification provisions may file afor the exception no longer exists. complaint with the Secretary. (b) Requirements for filing complaints.Subpart C—Compliance and Investigations Complaints under this section must meet the -8­
  • 26. HIPAA Administrative Simplification Regulation Text March 2006following requirements: (1) A covered entity must permit access by the (1) A complaint must be filed in writing, either on Secretary during normal business hours to itspaper or electronically. facilities, books, records, accounts, and other sources (2) A complaint must name the person that is the of information, including protected healthsubject of the complaint and describe the acts or information, that are pertinent to ascertainingomissions believed to be in violation of the applicable compliance with the applicable administrativeadministrative simplification provision(s). simplification provisions. If the Secretary determines (3) A complaint must be filed within 180 days of that exigent circumstances exist, such as whenwhen the complainant knew or should have known documents may be hidden or destroyed, a coveredthat the act or omission complained of occurred, entity must permit access by the Secretary at any timeunless this time limit is waived by the Secretary for and without notice.good cause shown. (2) If any information required of a covered entity (4) The Secretary may prescribe additional under this section is in the exclusive possession ofprocedures for the filing of complaints, as well as the any other agency, institution, or person and the otherplace and manner of filing, by notice in the Federal agency, institution, or person fails or refuses toRegister. furnish the information, the covered entity must so (c) Investigation. The Secretary may investigate certify and set forth what efforts it has made to obtaincomplaints filed under this section. Such investigation the information.may include a review of the pertinent policies, (3) Protected health information obtained by theprocedures, or practices of the covered entity and of Secretary in connection with an investigation orthe circumstances regarding any alleged violation. At compliance review under this subpart will not bethe time of initial written communication with the disclosed by the Secretary, except if necessary forcovered entity about the complaint, the Secretary will ascertaining or enforcing compliance with thedescribe the act(s) and/or omission(s) that are the applicable administrative simplification provisions, orbasis of the complaint. if otherwise required by law.§ 160.308 Compliance reviews. § 160.312 Secretarial action regardingThe Secretary may conduct compliance reviews to complaints and compliance reviews.determine whether covered entities are complying (a) Resolution when noncompliance is indicated.with the applicable administrative simplification (1) If an investigation of a complaint pursuant toprovisions. §160.306 or a compliance review pursuant to §160.308 indicates noncompliance, the Secretary will§ 160.310 Responsibilities of covered entities. attempt to reach a resolution of the matter satisfactory (a) Provide records and compliance reports. A to the Secretary by informal means. Informal meanscovered entity must keep such records and submit may include demonstrated compliance or a completedsuch compliance reports, in such time and manner corrective action plan or other agreement.and containing such information, as the Secretary (2) If the matter is resolved by informal means,may determine to be necessary to enable the Secretary the Secretary will so inform the covered entity and, ifto ascertain whether the covered entity has complied the matter arose from a complaint, the complainant, inor is complying with the applicable administrative writing.simplification provisions. (3) If the matter is not resolved by informal (b) Cooperate with complaint investigations and means, the Secretary will—compliance reviews. A covered entity must cooperate (i) So inform the covered entity and provide thewith the Secretary, if the Secretary undertakes an covered entity an opportunity to submit writteninvestigation or compliance review of the policies, evidence of any mitigating factors or affirmativeprocedures, or practices of the covered entity to defenses for consideration under §§160.408 anddetermine whether it is complying with the applicable 160.410 of this part. The covered entity must submitadministrative simplification provisions. any such evidence to the Secretary within 30 days (c) Permit access to information. (computed in the same manner as prescribed under -9­
  • 27. HIPAA Administrative Simplification Regulation Text March 2006§160.526 of this part) of receipt of such notification; subpoena at its last principal place of business; orand (ii) Registered or certified mail addressed to the (ii) If, following action pursuant to paragraph natural person at his or her last known dwelling place(a)(3)(i) of this section, the Secretary finds that a civil or to the entity at its last known principal place ofmoney penalty should be imposed, inform the business.covered entity of such finding in a notice of proposed (3) A verified return by the natural person servingdetermination in accordance with §160.420 of this the subpoena setting forth the manner of service or, inpart. the case of service by registered or certified mail, the (b) Resolution when no violation is found. signed return post office receipt, constitutes proof ofIf, after an investigation pursuant to §160.306 or a service.compliance review pursuant to §160.308, the (4) Witnesses are entitled to the same fees andSecretary determines that further action is not mileage as witnesses in the district courts of thewarranted, the Secretary will so inform the covered United States (28 U.S.C. 1821 and 1825). Fees needentity and, if the matter arose from a complaint, the not be paid at the time the subpoena is served.complainant, in writing. (5) A subpoena under this section is enforceable through the district court of the United States for the§ 160.314 Investigational subpoenas and district where the subpoenaed natural person residesinquiries. or is found or where the entity transacts business. (a) The Secretary may issue subpoenas in (b) Investigational inquiries are non-publicaccordance with 42 U.S.C. 405(d) and (e), investigational proceedings conducted by the1320a–7a(j), and 1320d–5 to require the attendance Secretary.and testimony of witnesses and the production of any (1) Testimony at investigational inquiries will beother evidence during an investigation or compliance taken under oath or affirmation.review pursuant to this part. For purposes of this (2) Attendance of non-witnesses is discretionaryparagraph, a person other than a natural person is with the Secretary, except that a witness is entitled totermed an “entity.” be accompanied, represented, and advised by an (1) A subpoena issued under this paragraph attorney.must— (3) Representatives of the Secretary are entitled to (i) State the name of the person (including the attend and ask questions.entity, if applicable) to whom the subpoena is (4) A witness will have the opportunity to clarifyaddressed; his or her answers on the record following (ii) State the statutory authority for the subpoena; questioning by the Secretary. (iii) Indicate the date, time, and place that the (5) Any claim of privilege must be asserted by thetestimony will take place; witness on the record. (iv) Include a reasonably specific description of (6) Objections must be asserted on the record.any documents or items required to be produced; and Errors of any kind that might be corrected if promptly (v) If the subpoena is addressed to an entity, presented will be deemed to be waived unlessdescribe with reasonable particularity the subject reasonable objection is made at the investigationalmatter on which testimony is required. In that event, inquiry. Except where the objection is on the groundsthe entity must designate one or more natural persons of privilege, the question will be answered on thewho will testify on its behalf, and must state as to record, subject to objection.each such person that persons name and address and (7) If a witness refuses to answer any question notthe matters on which he or she will testify. The privileged or to produce requested documents ordesignated person must testify as to matters known or items, or engages in conduct likely to delay orreasonably available to the entity. obstruct the investigational inquiry, the Secretary may (2) A subpoena under this section must be served seek enforcement of the subpoena under paragraphby— (a)(5) of this section. (i) Delivering a copy to the natural person named (8) The proceedings will be recorded andin the subpoena or to the entity named in the transcribed. The witness is entitled to a copy of the -10­
  • 28. HIPAA Administrative Simplification Regulation Text March 2006transcript, upon payment of prescribed costs, except has a good faith belief that the practice opposed isthat, for good cause, the witness may be limited to unlawful, and the manner of opposition is reasonableinspection of the official transcript of his or her and does not involve a disclosure of protected healthtestimony. information in violation of subpart E of part 164 of (9)(i) The transcript will be submitted to the this subchapter.witness for signature. (A) Where the witness will be provided a copy of Subpart D—Imposition of Civil Money Penaltiesthe transcript, the transcript will be submitted to the Source: 71 FR 8426, Feb. 16, 2006, unlesswitness for signature. The witness may submit to the otherwise noted.Secretary written proposed corrections to thetranscript, with such corrections attached to the § 160.400 Applicability.transcript. If the witness does not return a signed copy This subpart applies to the imposition of a civilof the transcript or proposed corrections within 30 money penalty by the Secretary under 42 U.S.C.days (computed in the same manner as prescribed 1320d–5.under §160.526 of this part) of its being submitted tohim or her for signature, the witness will be deemed § 160.402 Basis for a civil money penalty.to have agreed that the transcript is true and accurate. (a) General rule. Subject to §160.410, the (B) Where, as provided in paragraph (b)(8) of this Secretary will impose a civil money penalty upon asection, the witness is limited to inspecting the covered entity if the Secretary determines that thetranscript, the witness will have the opportunity at the covered entity has violated an administrativetime of inspection to propose corrections to the simplification provision.transcript, with corrections attached to the transcript. (b) Violation by more than one covered entity.The witness will also have the opportunity to sign the (1) Except as provided in paragraph (b)(2) of thistranscript. If the witness does not sign the transcript section, if the Secretary determines that more thanor offer corrections within 30 days (computed in the one covered entity was responsible for a violation, thesame manner as prescribed under §160.526 of this Secretary will impose a civil money penalty againstpart) of receipt of notice of the opportunity to inspect each such covered entity.the transcript, the witness will be deemed to have (2) A covered entity that is a member of anagreed that the transcript is true and accurate. affiliated covered entity, in accordance with (ii) The Secretarys proposed corrections to the §164.105(b) of this subchapter, is jointly andrecord of transcript will be attached to the transcript. severally liable for a civil money penalty for a (c) Consistent with §160.310(c)(3), testimony and violation of part 164 of this subchapter based on another evidence obtained in an investigational inquiry act or omission of the affiliated covered entity, unlessmay be used by HHS in any of its activities and may it is established that another member of the affiliatedbe used or offered into evidence in any administrative covered entity was responsible for the violation.or judicial proceeding. (c) Violation attributed to a covered entity. A covered entity is liable, in accordance with the federal§ 160.316 Refraining from intimidation or common law of agency, for a civil money penalty forretaliation. a violation based on the act or omission of any agentA covered entity may not threaten, intimidate, coerce, of the covered entity, including a workforce member,harass, discriminate against, or take any other acting within the scope of the agency, unless—retaliatory action against any individual or other (1) The agent is a business associate of theperson for— covered entity; (a) Filing of a complaint under §160.306; (2) The covered entity has complied, with respect (b) Testifying, assisting, or participating in an to such business associate, with the applicableinvestigation, compliance review, proceeding, or requirements of §§164.308(b) and 164.502(e) of thishearing under this part; or subchapter; and (c) Opposing any act or practice made unlawful (3) The covered entity did not—by this subchapter, provided the individual or person (i) Know of a pattern of activity or practice of the -11­
  • 29. HIPAA Administrative Simplification Regulation Text March 2006business associate, and (2) Whether the violation caused physical harm; (ii) Fail to act as required by §§164.314(a)(1)(ii) (3) Whether the violation hindered or facilitatedand 164.504(e)(1)(ii) of this subchapter, as an individuals ability to obtain health care; andapplicable. (4) Whether the violation resulted in financial § 160.404 Amount of a civil money penalty. harm. (a) The amount of a civil money penalty will be (c) The degree of culpability of the covered entity,determined in accordance with paragraph (b) of this including but not limited to:section and §§160.406, 160.408, and 160.412. (1) Whether the violation was intentional; and (b) The amount of a civil money penalty that may (2) Whether the violation was beyond the directbe imposed is subject to the following limitations: control of the covered entity. (1) The Secretary may not impose a civil money (d) Any history of prior compliance with thepenalty— administrative simplification provisions, including (i) In the amount of more than $100 for each violations, by the covered entity, including but notviolation; or limited to: (ii) In excess of $25,000 for identical violations (1) Whether the current violation is the same orduring a calendar year (January 1 through the similar to prior violation(s);following December 31). (2) Whether and to what extent the covered entity (2) If a requirement or prohibition in one has attempted to correct previous violations;administrative simplification provision is repeated in (3) How the covered entity has responded toa more general form in another administrative technical assistance from the Secretary provided insimplification provision in the same subpart, a civil the context of a compliance effort; andmoney penalty may be imposed for a violation of only (4) How the covered entity has responded to priorone of these administrative simplification provisions. complaints. (e) The financial condition of the covered entity,§ 160.406 Violations of an identical requirement including but not limited to:or prohibition. (1) Whether the covered entity had financialThe Secretary will determine the number of violations difficulties that affected its ability to comply;of an administrative simplification provision based on (2) Whether the imposition of a civil moneythe nature of the covered entitys obligation to act or penalty would jeopardize the ability of the coverednot act under the provision that is violated, such as its entity to continue to provide, or to pay for, healthobligation to act in a certain manner, or within a care; andcertain time, or to act or not act with respect to (3) The size of the covered entity.certain persons. In the case of continuing violation of (f) Such other matters as justice may require.a provision, a separate violation occurs each day thecovered entity is in violation of the provision. § 160.410 Affirmative defenses. (a) As used in this section, the following terms§ 160.408 Factors considered in determining the have the following meanings:amount of a civil money penalty. Reasonable cause means circumstances thatIn determining the amount of any civil money would make it unreasonable for the covered entity,penalty, the Secretary may consider as aggravating or despite the exercise of ordinary business care andmitigating factors, as appropriate, any of the prudence, to comply with the administrativefollowing: simplification provision violated. (a) The nature of the violation, in light of the Reasonable diligence means the business care andpurpose of the rule violated. prudence expected from a person seeking to satisfy a (b) The circumstances, including the legal requirement under similar circumstances.consequences, of the violation, including but not Willful neglect means conscious, intentionallimited to: failure or reckless indifference to the obligation to (1) The time period during which the violation(s) comply with the administrative simplificationoccurred; provision violated. -12­
  • 30. HIPAA Administrative Simplification Regulation Text March 2006 (b) The Secretary may not impose a civil money § 160.420 Notice of proposed determination.penalty on a covered entity for a violation if the (a) If a penalty is proposed in accordance withcovered entity establishes that an affirmative defense this part, the Secretary must deliver, or send byexists with respect to the violation, including the certified mail with return receipt requested, to thefollowing: respondent, written notice of the Secretarys intent to (1) The violation is an act punishable under 42 impose a penalty. This notice of proposedU.S.C. 1320d–6; determination must include— (2) The covered entity establishes, to the (1) Reference to the statutory basis for thesatisfaction of the Secretary, that it did not have penalty;knowledge of the violation, determined in accordance (2) A description of the findings of fact regardingwith the federal common law of agency, and, by the violations with respect to which the penalty isexercising reasonable diligence, would not have proposed (except that, in any case where theknown that the violation occurred; or Secretary is relying upon a statistical sampling study (3) The violation is— in accordance with §160.536 of this part, the notice (i) Due to reasonable cause and not willful must provide a copy of the study relied upon by theneglect; and Secretary); (ii) Corrected during either: (3) The reason(s) why the violation(s) subject(s) (A) The 30-day period beginning on the date the the respondent to a penalty;covered entity liable for the penalty knew, or by (4) The amount of the proposed penalty;exercising reasonable diligence would have known, (5) Any circumstances described in §160.408 thatthat the violation occurred; or were considered in determining the amount of the (B) Such additional period as the Secretary proposed penalty; anddetermines to be appropriate based on the nature and (6) Instructions for responding to the notice,extent of the failure to comply. including a statement of the respondents right to a hearing, a statement that failure to request a hearing§ 160.412 Waiver. within 90 days permits the imposition of the proposedFor violations described in §160.410(b)(3)(i) that are penalty without the right to a hearing under §160.504not corrected within the period described in or a right of appeal under §160.548 of this part, and§160.410(b)(3)(ii), the Secretary may waive the civil the address to which the hearing request must be sent.money penalty, in whole or in part, to the extent that (b) The respondent may request a hearing beforepayment of the penalty would be excessive relative to an ALJ on the proposed penalty by filing a request inthe violation. accordance with §160.504 of this part.§ 160.414 Limitations. § 160.422 Failure to request a hearing.No action under this subpart may be entertained If the respondent does not request a hearing withinunless commenced by the Secretary, in accordance the time prescribed by §160.504 of this part and thewith §160.420, within 6 years from the date of the matter is not settled pursuant to §160.416, theoccurrence of the violation. Secretary will impose the proposed penalty or any lesser penalty permitted by 42 U.S.C. 1320d–5. The§ 160.416 Authority to settle. Secretary will notify the respondent by certified mail,Nothing in this subpart limits the authority of the return receipt requested, of any penalty that has beenSecretary to settle any issue or case or to compromise imposed and of the means by which the respondentany penalty. may satisfy the penalty, and the penalty is final on receipt of the notice. The respondent has no right to§ 160.418 Penalty not exclusive. appeal a penalty under §160.548 of this part withExcept as otherwise provided by 42 U.S.C. respect to which the respondent has not timely1320d-5(b)(1), a penalty imposed under this part is in requested a hearing.addition to any other penalty prescribed by law. § 160.424 Collection of penalty. -13­
  • 31. HIPAA Administrative Simplification Regulation Text March 2006 (a) Once a determination of the Secretary to Departmental Appeals Board, in the Office of theimpose a penalty has become final, the penalty will be Secretary, who issue decisions in panels of three.collected by the Secretary, subject to the firstsentence of 42 U.S.C. 1320a–7a(f). § 160.504 Hearing before an ALJ. (b) The penalty may be recovered in a civil action (a) A respondent may request a hearing before anbrought in the United States district court for the ALJ. The parties to the hearing proceeding consistdistrict where the respondent resides, is found, or is of—located. (1) The respondent; and (c) The amount of a penalty, when finally (2) The officer(s) or employee(s) of HHS todetermined, or the amount agreed upon in whom the enforcement authority involved has beencompromise, may be deducted from any sum then or delegated.later owing by the United States, or by a State agency, (b) The request for a hearing must be made into the respondent. writing signed by the respondent or by the (d) Matters that were raised or that could have respondents attorney and sent by certified mail,been raised in a hearing before an ALJ, or in an return receipt requested, to the address specified inappeal under 42 U.S.C. 1320a–7a(e), may not be the notice of proposed determination. The request forraised as a defense in a civil action by the United a hearing must be mailed within 90 days after noticeStates to collect a penalty under this part. of the proposed determination is received by the respondent. For purposes of this section, the§ 160.426 Notification of the public and other respondents date of receipt of the notice of proposedagencies. determination is presumed to be 5 days after the dateWhenever a proposed penalty becomes final, the of the notice unless the respondent makes aSecretary will notify, in such manner as the Secretary reasonable showing to the contrary to the ALJ.deems appropriate, the public and the following (c) The request for a hearing must clearly andorganizations and entities thereof and the reason it directly admit, deny, or explain each of the findingswas imposed: the appropriate State or local medical of fact contained in the notice of proposedor professional organization, the appropriate State determination with regard to which the respondentagency or agencies administering or supervising the has any knowledge. If the respondent has noadministration of State health care programs (as knowledge of a particular finding of fact and sodefined in 42 U.S.C. 1320a–7(h)), the appropriate states, the finding shall be deemed denied. Theutilization and quality control peer review request for a hearing must also state theorganization, and the appropriate State or local circumstances or arguments that the respondentlicensing agency or organization (including the alleges constitute the grounds for any defense and theagency specified in 42 U.S.C. 1395aa(a), factual and legal basis for opposing the penalty,1396a(a)(33)). except that a respondent may raise an affirmative defense under §160.410(b)(1) at any time.Subpart E—Procedures for Hearings (d) The ALJ must dismiss a hearing requestSource: 71 FR 8428, Feb. 16, 2006, unless where—otherwise noted. (1) On motion of the Secretary, the ALJ determines that the respondents hearing request is not§ 160.500 Applicability. timely filed as required by paragraphs (b) or does notThis subpart applies to hearings conducted relating to meet the requirements of paragraph (c) of thisthe imposition of a civil money penalty by the section;Secretary under 42 U.S.C. 1320d–5. (2) The respondent withdraws the request for a hearing;§ 160.502 Definitions. (3) The respondent abandons the request for aAs used in this subpart, the following term has the hearing; orfollowing meaning: (4) The respondents hearing request fails to raise Board means the members of the HHS any issue that may properly be addressed in a hearing. -14­
  • 32. HIPAA Administrative Simplification Regulation Text March 2006§ 160.506 Rights of the parties. (10) Receive, rule on, exclude, or limit evidence; (a) Except as otherwise limited by this subpart, (11) Upon motion of a party, take official noticeeach party may— of facts; (1) Be accompanied, represented, and advised by (12) Conduct any conference, argument or hearingan attorney; in person or, upon agreement of the parties, by (2) Participate in any conference held by the ALJ; telephone; and (3) Conduct discovery of documents as permitted (13) Upon motion of a party, decide cases, inby this subpart; whole or in part, by summary judgment where there is (4) Agree to stipulations of fact or law that will be no disputed issue of material fact. A summarymade part of the record; judgment decision constitutes a hearing on the record (5) Present evidence relevant to the issues at the for the purposes of this subpart.hearing; (c) The ALJ— (6) Present and cross-examine witnesses; (1) May not find invalid or refuse to follow (7) Present oral arguments at the hearing as Federal statutes, regulations, or Secretarialpermitted by the ALJ; and delegations of authority and must give deference to (8) Submit written briefs and proposed findings of published guidance to the extent not inconsistent withfact and conclusions of law after the hearing. statute or regulation; (b) A party may appear in person or by a (2) May not enter an order in the nature of arepresentative. Natural persons who appear as an directed verdict;attorney or other representative must conform to the (3) May not compel settlement negotiations;standards of conduct and ethics required of (4) May not enjoin any act of the Secretary; orpractitioners before the courts of the United States. (5) May not review the exercise of discretion by (c) Fees for any services performed on behalf of a the Secretary with respect to whether to grant anparty by an attorney are not subject to the provisions extension under §160.410(b)(3)(ii)(B) of this part orof 42 U.S.C. 406, which authorizes the Secretary to to provide technical assistance under 42 U.S.C.specify or limit their fees. 1320d–5(b)(3)(B).§ 160.508 Authority of the ALJ. § 160.510 Ex parte contacts. (a) The ALJ must conduct a fair and impartial No party or person (except employees of the ALJshearing, avoid delay, maintain order, and ensure that office) may communicate in any way with the ALJ ona record of the proceeding is made. any matter at issue in a case, unless on notice and (b) The ALJ may— opportunity for both parties to participate. This (1) Set and change the date, time and place of the provision does not prohibit a party or person fromhearing upon reasonable notice to the parties; inquiring about the status of a case or asking routine (2) Continue or recess the hearing in whole or in questions concerning administrative functions orpart for a reasonable period of time; procedures. (3) Hold conferences to identify or simplify theissues, or to consider other matters that may aid in the § 160.512 Prehearing conferences.expeditious disposition of the proceeding; (a) The ALJ must schedule at least one prehearing (4) Administer oaths and affirmations; conference, and may schedule additional prehearing (5) Issue subpoenas requiring the attendance of conferences as appropriate, upon reasonable notice,witnesses at hearings and the production of which may not be less than 14 business days, to thedocuments at or in relation to hearings; parties. (6) Rule on motions and other procedural matters; (b) The ALJ may use prehearing conferences to (7) Regulate the scope and timing of documentary discuss the following—discovery as permitted by this subpart; (1) Simplification of the issues; (8) Regulate the course of the hearing and the (2) The necessity or desirability of amendments toconduct of representatives, parties, and witnesses; the pleadings, including the need for a more definite (9) Examine witnesses; statement; -15­
  • 33. HIPAA Administrative Simplification Regulation Text March 2006 (3) Stipulations and admissions of fact or as to the the disclosure of interview reports or statementscontents and authenticity of documents; obtained by any party, or on behalf of any party, of (4) Whether the parties can agree to submission of persons who will not be called as witnesses by thatthe case on a stipulated record; party, or analyses and summaries prepared in (5) Whether a party chooses to waive appearance conjunction with the investigation or litigation of theat an oral hearing and to submit only documentary case, or any otherwise privileged documents.evidence (subject to the objection of the other party) (e)(1) When a request for production ofand written argument; documents has been received, within 30 days the (6) Limitation of the number of witnesses; party receiving that request must either fully respond (7) Scheduling dates for the exchange of witness to the request, or state that the request is beinglists and of proposed exhibits; objected to and the reasons for that objection. If (8) Discovery of documents as permitted by this objection is made to part of an item or category, thesubpart; part must be specified. Upon receiving any (9) The time and place for the hearing; objections, the party seeking production may then, (10) The potential for the settlement of the case within 30 days or any other time frame set by theby the parties; and ALJ, file a motion for an order compelling discovery. (11) Other matters as may tend to encourage the The party receiving a request for production may alsofair, just and expeditious disposition of the file a motion for protective order any time before theproceedings, including the protection of privacy of date the production is due.individually identifiable health information that may (2) The ALJ may grant a motion for protectivebe submitted into evidence or otherwise used in the order or deny a motion for an order compellingproceeding, if appropriate. discovery if the ALJ finds that the discovery sought— (c) The ALJ must issue an order containing the (i) Is irrelevant;matters agreed upon by the parties or ordered by the (ii) Is unduly costly or burdensome;ALJ at a prehearing conference. (iii) Will unduly delay the proceeding; or (iv) Seeks privileged information.§ 160.514 Authority to settle. (3) The ALJ may extend any of the time framesThe Secretary has exclusive authority to settle any set forth in paragraph (e)(1) of this section.issue or case without the consent of the ALJ. (4) The burden of showing that discovery should be allowed is on the party seeking discovery.§ 160.516 Discovery. (a) A party may make a request to another party § 160.518 Exchange of witness lists, witnessfor production of documents for inspection and statements, and exhibits.copying that are relevant and material to the issues (a) The parties must exchange witness lists, copiesbefore the ALJ. of prior written statements of proposed witnesses, and (b) For the purpose of this section, the term copies of proposed hearing exhibits, including copies“documents” includes information, reports, answers, of any written statements that the party intends torecords, accounts, papers and other data and offer in lieu of live testimony in accordance withdocumentary evidence. Nothing contained in this §160.538, not more than 60, and not less than 15,section may be interpreted to require the creation of a days before the scheduled hearing, except that if adocument, except that requested data stored in an respondent intends to introduce the evidence of aelectronic data storage system must be produced in a statistical expert, the respondent must provide theform accessible to the requesting party. Secretarial party with a copy of the statistical experts (c) Requests for documents, requests for report not less than 30 days before the scheduledadmissions, written interrogatories, depositions and hearing.any forms of discovery, other than those permitted (b)(1) If, at any time, a party objects to theunder paragraph (a) of this section, are not proposed admission of evidence not exchanged inauthorized. accordance with paragraph (a) of this section, the (d) This section may not be construed to require ALJ must determine whether the failure to comply -16­
  • 34. HIPAA Administrative Simplification Regulation Text March 2006with paragraph (a) of this section should result in the good cause shown. That motion must—exclusion of that evidence. (1) Specify any evidence to be produced; (2) Unless the ALJ finds that extraordinary (2) Designate the witnesses; andcircumstances justified the failure timely to exchange (3) Describe the address and location withthe information listed under paragraph (a) of this sufficient particularity to permit those witnesses to besection, the ALJ must exclude from the partys found.case-in-chief— (e) The subpoena must specify the time and place (i) The testimony of any witness whose name does at which the witness is to appear and any evidence thenot appear on the witness list; and witness is to produce. (ii) Any exhibit not provided to the opposing (f) Within 15 days after the written motionparty as specified in paragraph (a) of this section. requesting issuance of a subpoena is served, any party (3) If the ALJ finds that extraordinary may file an opposition or other response.circumstances existed, the ALJ must then determine (g) If the motion requesting issuance of awhether the admission of that evidence would cause subpoena is granted, the party seeking the subpoenasubstantial prejudice to the objecting party. must serve it by delivery to the person named, or by (i) If the ALJ finds that there is no substantial certified mail addressed to that person at the personsprejudice, the evidence may be admitted. last dwelling place or principal place of business. (ii) If the ALJ finds that there is substantial (h) The person to whom the subpoena is directedprejudice, the ALJ may exclude the evidence, or, if he may file with the ALJ a motion to quash the subpoenaor she does not exclude the evidence, must postpone within 10 days after service.the hearing for such time as is necessary for the (i) The exclusive remedy for contumacy by, orobjecting party to prepare and respond to the refusal to obey a subpoena duly served upon, anyevidence, unless the objecting party waives person is specified in 42 U.S.C. 405(e).postponement. (c) Unless the other party objects within a § 160.522 Fees.reasonable period of time before the hearing, The party requesting a subpoena must pay the cost ofdocuments exchanged in accordance with paragraph the fees and mileage of any witness subpoenaed in the(a) of this section will be deemed to be authentic for amounts that would be payable to a witness in athe purpose of admissibility at the hearing. proceeding in United States District Court. A check for witness fees and mileage must accompany the§ 160.520 Subpoenas for attendance at hearing. subpoena when served, except that, when a subpoena (a) A party wishing to procure the appearance and is issued on behalf of the Secretary, a check fortestimony of any person at the hearing may make a witness fees and mileage need not accompany themotion requesting the ALJ to issue a subpoena if the subpoena.appearance and testimony are reasonably necessaryfor the presentation of a partys case. § 160.524 Form, filing, and service of papers. (b) A subpoena requiring the attendance of a (a) Forms.person in accordance with paragraph (a) of this (1) Unless the ALJ directs the parties to dosection may also require the person (whether or not otherwise, documents filed with the ALJ must includethe person is a party) to produce relevant and material an original and two copies.evidence at or before the hearing. (2) Every pleading and paper filed in the (c) When a subpoena is served by a respondent on proceeding must contain a caption setting forth thea particular employee or official or particular office title of the action, the case number, and a designationof HHS, the Secretary may comply by designating of the paper, such as motion to quash subpoena.any knowledgeable HHS representative to appear and (3) Every pleading and paper must be signed bytestify. and must contain the address and telephone number (d) A party seeking a subpoena must file a written of the party or the person on whose behalf the papermotion not less than 30 days before the date fixed for was filed, or his or her representative.the hearing, unless otherwise allowed by the ALJ for (4) Papers are considered filed when they are -17­
  • 35. HIPAA Administrative Simplification Regulation Text March 2006mailed. except upon consent of the parties or following a (b) Service. A party filing a document with the hearing on the motion, but may overrule or deny theALJ or the Board must, at the time of filing, serve a motion without awaiting a response.copy of the document on the other party. Service (e) The ALJ must make a reasonable effort toupon any party of any document must be made by dispose of all outstanding motions before thedelivering a copy, or placing a copy of the document beginning of the hearing.in the United States mail, postage prepaid andaddressed, or with a private delivery service, to the § 160.530 Sanctions.partys last known address. When a party is The ALJ may sanction a person, including any partyrepresented by an attorney, service must be made or attorney, for failing to comply with an order orupon the attorney in lieu of the party. procedure, for failing to defend an action or for other (c) Proof of service. A certificate of the natural misconduct that interferes with the speedy, orderly orperson serving the document by personal delivery or fair conduct of the hearing. The sanctions mustby mail, setting forth the manner of service, reasonably relate to the severity and nature of theconstitutes proof of service. failure or misconduct. The sanctions may include— (a) In the case of refusal to provide or permit§ 160.526 Computation of time. discovery under the terms of this part, drawing (a) In computing any period of time under this negative factual inferences or treating the refusal assubpart or in an order issued thereunder, the time an admission by deeming the matter, or certain facts,begins with the day following the act, event or to be established;default, and includes the last day of the period unless (b) Prohibiting a party from introducing certainit is a Saturday, Sunday, or legal holiday observed by evidence or otherwise supporting a particular claim orthe Federal Government, in which event it includes defense;the next business day. (c) Striking pleadings, in whole or in part; (b) When the period of time allowed is less than 7 (d) Staying the proceedings;days, intermediate Saturdays, Sundays, and legal (e) Dismissal of the action;holidays observed by the Federal Government must (f) Entering a decision by default;be excluded from the computation. (g) Ordering the party or attorney to pay the (c) Where a document has been served or issued attorneys fees and other costs caused by the failure orby placing it in the mail, an additional 5 days must be misconduct; andadded to the time permitted for any response. This (h) Refusing to consider any motion or otherparagraph does not apply to requests for hearing action that is not filed in a timely manner.under §160.504. § 160.532 Collateral estoppel.§ 160.528 Motions. When a final determination that the respondent (a) An application to the ALJ for an order or violated an administrative simplification provisionruling must be by motion. Motions must state the has been rendered in any proceeding in which therelief sought, the authority relied upon and the facts respondent was a party and had an opportunity to bealleged, and must be filed with the ALJ and served on heard, the respondent is bound by that determinationall other parties. in any proceeding under this part. (b) Except for motions made during a prehearingconference or at the hearing, all motions must be in § 160.534 The hearing.writing. The ALJ may require that oral motions be (a) The ALJ must conduct a hearing on the recordreduced to writing. in order to determine whether the respondent should (c) Within 10 days after a written motion is be found liable under this part.served, or such other time as may be fixed by the (b) (1) The respondent has the burden of goingALJ, any party may file a response to the motion. forward and the burden of persuasion with respect to (d) The ALJ may not grant a written motion any:before the time for filing responses has expired, (i) Affirmative defense pursuant to §160.410 of -18­
  • 36. HIPAA Administrative Simplification Regulation Text March 2006this part; statistical methods, constitutes prima facie evidence (ii) Challenge to the amount of a proposed penalty of the number of violations and the existence ofpursuant to §§160.404–160.408 of this part, including factors material to the proposed civil money penaltyany factors raised as mitigating factors; or as described in §§160.406 and 160.408. (iii) Claim that a proposed penalty should be (b) Once the Secretary has made a prima faciereduced or waived pursuant to §160.412 of this part. case, as described in paragraph (a) of this section, the (2) The Secretary has the burden of going forward burden of going forward shifts to the respondent toand the burden of persuasion with respect to all other produce evidence reasonably calculated to rebut theissues, including issues of liability and the existence findings of the statistical sampling study. Theof any factors considered as aggravating factors in Secretary will then be given the opportunity to rebutdetermining the amount of the proposed penalty. this evidence. (3) The burden of persuasion will be judged by apreponderance of the evidence. § 160.538 Witnesses. (c) The hearing must be open to the public unless (a) Except as provided in paragraph (b) of thisotherwise ordered by the ALJ for good cause shown. section, testimony at the hearing must be given orally (d)(1) Subject to the 15-day rule under by witnesses under oath or affirmation.§160.518(a) and the admissibility of evidence under (b) At the discretion of the ALJ, testimony of§160.540, either party may introduce, during its case witnesses other than the testimony of expert witnessesin chief, items or information that arose or became may be admitted in the form of a written statement.known after the date of the issuance of the notice of The ALJ may, at his or her discretion, admit priorproposed determination or the request for hearing, as sworn testimony of experts that has been subject toapplicable. Such items and information may not be adverse examination, such as a deposition or trialadmitted into evidence, if introduced— testimony. Any such written statement must be (i) By the Secretary, unless they are material and provided to the other party, along with the last knownrelevant to the acts or omissions with respect to which address of the witness, in a manner that allowsthe penalty is proposed in the notice of proposed sufficient time for the other party to subpoena thedetermination pursuant to §160.420 of this part, witness for cross-examination at the hearing. Priorincluding circumstances that may increase penalties; written statements of witnesses proposed to testify ator the hearing must be exchanged as provided in (ii) By the respondent, unless they are material §160.518.and relevant to an admission, denial or explanation of (c) The ALJ must exercise reasonable controla finding of fact in the notice of proposed over the mode and order of interrogating witnessesdetermination under §160.420 of this part, or to a and presenting evidence so as to:specific circumstance or argument expressly stated in (1) Make the interrogation and presentationthe request for hearing under §160.504, including effective for the ascertainment of the truth;circumstances that may reduce penalties. (2) Avoid repetition or needless consumption of (2) After both parties have presented their cases, time; andevidence may be admitted in rebuttal even if not (3) Protect witnesses from harassment or unduepreviously exchanged in accordance with §160.518. embarrassment. (d) The ALJ must permit the parties to conduct§ 160.536 Statistical sampling. cross-examination of witnesses as may be required for (a) In meeting the burden of proof set forth in a full and true disclosure of the facts.§160.534, the Secretary may introduce the results of a (e) The ALJ may order witnesses excluded so thatstatistical sampling study as evidence of the number they cannot hear the testimony of other witnesses,of violations under §160.406 of this part, or the except that the ALJ may not order to be excluded—factors considered in determining the amount of the (1) A party who is a natural person;civil money penalty under §160.408 of this part. Such (2) In the case of a party that is not a naturalstatistical sampling study, if based upon an person, the officer or employee of the party appearingappropriate sampling and computed by valid for the entity pro se or designated as the partys -19­
  • 37. HIPAA Administrative Simplification Regulation Text March 2006representative; or the transcript unless, for good cause shown by the (3) A natural person whose presence is shown by party, the payment is waived by the ALJ or the Board,a party to be essential to the presentation of its case, as appropriate.including a person engaged in assisting the attorney (b) The transcript of the testimony, exhibits, andfor the Secretary. other evidence admitted at the hearing, and all papers and requests filed in the proceeding constitute the§ 160.540 Evidence. record for decision by the ALJ and the Secretary. (a) The ALJ must determine the admissibility of (c) The record may be inspected and copied (uponevidence. payment of a reasonable fee) by any person, unless (b) Except as provided in this subpart, the ALJ is otherwise ordered by the ALJ for good cause shown.not bound by the Federal Rules of Evidence. (d) For good cause, the ALJ may orderHowever, the ALJ may apply the Federal Rules of appropriate redactions made to the record.Evidence where appropriate, for example, to excludeunreliable evidence. § 160.544 Post hearing briefs. (c) The ALJ must exclude irrelevant or immaterial The ALJ may require the parties to file post-hearingevidence. briefs. In any event, any party may file a post-hearing (d) Although relevant, evidence may be excluded brief. The ALJ must fix the time for filing the briefs.if its probative value is substantially outweighed by The time for filing may not exceed 60 days from thethe danger of unfair prejudice, confusion of the date the parties receive the transcript of the hearingissues, or by considerations of undue delay or or, if applicable, the stipulated record. The briefs mayneedless presentation of cumulative evidence. be accompanied by proposed findings of fact and (e) Although relevant, evidence must be excluded conclusions of law. The ALJ may permit the partiesif it is privileged under Federal law. to file reply briefs. (f) Evidence concerning offers of compromise orsettlement are inadmissible to the extent provided in § 160.546 ALJs decision.Rule 408 of the Federal Rules of Evidence. (a) The ALJ must issue a decision, based only on (g) Evidence of crimes, wrongs, or acts other than the record, which must contain findings of fact andthose at issue in the instant case is admissible in order conclusions of law.to show motive, opportunity, intent, knowledge, (b) The ALJ may affirm, increase, or reduce thepreparation, identity, lack of mistake, or existence of penalties imposed by the Secretary.a scheme. This evidence is admissible regardless of (c) The ALJ must issue the decision to bothwhether the crimes, wrongs, or acts occurred during parties within 60 days after the time for submission ofthe statute of limitations period applicable to the acts post-hearing briefs and reply briefs, if permitted, hasor omissions that constitute the basis for liability in expired. If the ALJ fails to meet the deadlinethe case and regardless of whether they were contained in this paragraph, he or she must notify thereferenced in the Secretarys notice of proposed parties of the reason for the delay and set a newdetermination under §160.420 of this part. deadline. (h) The ALJ must permit the parties to introduce (d) Unless the decision of the ALJ is timelyrebuttal witnesses and evidence. appealed as provided for in §160.548, the decision of (i) All documents and other evidence offered or the ALJ will be final and binding on the parties 60taken for the record must be open to examination by days from the date of service of the ALJs decision.both parties, unless otherwise ordered by the ALJ forgood cause shown. § 160.548 Appeal of the ALJs decision. (a) Any party may appeal the decision of the ALJ§ 160.542 The record. to the Board by filing a notice of appeal with the (a) The hearing must be recorded and transcribed. Board within 30 days of the date of service of theTranscripts may be obtained following the hearing ALJ decision. The Board may extend the initial 30from the ALJ. A party that requests a transcript of day period for a period of time not to exceed 30 dayshearing proceedings must pay the cost of preparing if a party files with the Board a request for an -20­
  • 38. HIPAA Administrative Simplification Regulation Text March 2006extension within the initial 30 day period and shows (2) The Board will reconsider its decision only ifgood cause. it determines that the decision contains a clear error (b) If a party files a timely notice of appeal with of fact or error of law. New evidence will not be athe Board, the ALJ must forward the record of the basis for reconsideration unless the partyproceeding to the Board. demonstrates that the evidence is newly discovered (c) A notice of appeal must be accompanied by a and was not previously available.written brief specifying exceptions to the initial (3) A party may file a motion for reconsiderationdecision and reasons supporting the exceptions. Any with the Board before the date the decision becomesparty may file a brief in opposition to the exceptions, final under paragraph (j)(1) of this section. A motionwhich may raise any relevant issue not addressed in for reconsideration must be accompanied by a writtenthe exceptions, within 30 days of receiving the notice brief specifying any alleged error of fact or law and,of appeal and the accompanying brief. The Board if the party is relying on additional evidence,may permit the parties to file reply briefs. explaining why the evidence was not previously (d) There is no right to appear personally before available. Any party may file a brief in oppositionthe Board or to appeal to the Board any interlocutory within 15 days of receiving the motion forruling by the ALJ. reconsideration and the accompanying brief unless (e) Except for an affirmative defense under this time limit is extended by the Board for good§160.410(b)(1) of this part, the Board may not cause shown. Reply briefs are not permitted.consider any issue not raised in the parties briefs, nor (4) The Board must rule on the motion forany issue in the briefs that could have been raised reconsideration not later than 30 days from the datebefore the ALJ but was not. the opposition brief is due. If the Board denies the (f) If any party demonstrates to the satisfaction of motion, the decision issued under paragraph (i) of thisthe Board that additional evidence not presented at section becomes the final decision of the Secretary onsuch hearing is relevant and material and that there the date of service of the ruling. If the Board grantswere reasonable grounds for the failure to adduce the motion, the Board will issue a reconsideredsuch evidence at the hearing, the Board may remand decision, after such procedures as the Boardthe matter to the ALJ for consideration of such determines necessary to address the effect of anyadditional evidence. error. The Boards decision on reconsideration (g) The Board may decline to review the case, or becomes the final decision of the Secretary on themay affirm, increase, reduce, reverse or remand any date of service of the decision, except with respect topenalty determined by the ALJ. a decision to remand to the ALJ. (h) The standard of review on a disputed issue of (5) If service of a ruling or decision issued underfact is whether the initial decision of the ALJ is this section is by mail, the date of service will besupported by substantial evidence on the whole deemed to be 5 days from the date of mailing.record. The standard of review on a disputed issue of (k)(1) A respondents petition for judicial reviewlaw is whether the decision is erroneous. must be filed within 60 days of the date on which the (i) Within 60 days after the time for submission of decision of the Board becomes the final decision ofbriefs and reply briefs, if permitted, has expired, the the Secretary under paragraph (j) of this section.Board must serve on each party to the appeal a copy (2) In compliance with 28 U.S.C. 2112(a), a copyof the Boards decision and a statement describing the of any petition for judicial review filed in any U.S.right of any respondent who is penalized to seek Court of Appeals challenging the final decision of thejudicial review. Secretary must be sent by certified mail, return (j)(1) The Boards decision under paragraph (i) of receipt requested, to the General Counsel of HHS.this section, including a decision to decline review of The petition copy must be a copy showing that it hasthe initial decision, becomes the final decision of the been time-stamped by the clerk of the court when theSecretary 60 days after the date of service of the original was filed with the court.Boards decision, except with respect to a decision to (3) If the General Counsel of HHS received tworemand to the ALJ or if reconsideration is requested or more petitions within 10 days after the finalunder this paragraph. decision of the Secretary, the General Counsel will -21­
  • 39. HIPAA Administrative Simplification Regulation Text March 2006notify the U.S. Judicial Panel on Multidistrict § 162.410 Implementation specifications: HealthLitigation of any petitions that were received within care providers.the 10 day period. § 162.412 Implementation specifications: Health plans.§ 160.550 Stay of the Secretarys decision. § 162.414 Implementation specifications: Health (a) Pending judicial review, the respondent may care clearinghouses.file a request for stay of the effective date of anypenalty with the ALJ. The request must be Subpart E [Reserved]accompanied by a copy of the notice of appeal filedwith the Federal court. The filing of the request Subpart F—Standard Unique Employer Identifierautomatically stays the effective date of the penalty § 162.600 Compliance dates of the implementationuntil such time as the ALJ rules upon the request. of the standard unique employer identifier. (b) The ALJ may not grant a respondents request § 162.605 Standard unique employer identifier.for stay of any penalty unless the respondent posts a § 162.610 Implementation specifications forbond or provides other adequate security. covered entities. (c) The ALJ must rule upon a respondents requestfor stay within 10 days of receipt. Subparts G–H [Reserved]§ 160.552 Harmless error. Subpart I—General Provisions for TransactionsNo error in either the admission or the exclusion of § 162.900 Compliance dates for transactionevidence, and no error or defect in any ruling or order standards and code sets.or in any act done or omitted by the ALJ or by any of § 162.910 Maintenance of standards and adoption ofthe parties is ground for vacating, modifying or modifications and new standards.otherwise disturbing an otherwise appropriate ruling § 162.915 Trading partner agreements.or order or act, unless refusal to take such action § 162.920 Availability of implementationappears to the ALJ or the Board inconsistent with specifications.substantial justice. The ALJ and the Board at every § 162.923 Requirements for covered entities.stage of the proceeding must disregard any error or § 162.925 Additional requirements for health plans.defect in the proceeding that does not affect the § 162.930 Additional rules for health caresubstantial rights of the parties. clearinghouses. § 162.940 Exceptions from standards to permitPART 162—ADMINISTRATIVE testing of proposed modifications.REQUIREMENTS Subpart J—Code SetsSubpart A—General Provisions § 162.1000 General requirements.§ 162.100 Applicability. § 162.1002 Medical data code sets.§ 162.103 Definitions. § 162.1011 Valid code sets.Subparts B–C [Reserved] Subpart K—Health Care Claims or Equivalent Encounter InformationSubpart D—Standard Unique Health Identifier § 162.1101 Health care claims or equivalentfor Health Care Providers encounter information transaction.§ 162.402 Definitions. § 162.1102 Standards for health care claims or§ 162.404 Compliance dates of the implementation equivalent encounter information transaction.of the standard unique health identifier for health careproviders. Subpart L—Eligibility for a Health Plan§ 162.406 Standard unique health identifier for § 162.1201 Eligibility for a health plan transaction.health care providers. § 162.1202 Standards for eligibility for a health plan§ 162.408 National Provider System. transaction. -22­
  • 40. HIPAA Administrative Simplification Regulation Text March 2006Subpart M—Referral Certification and Covered entities (as defined in §160.103 of thisAuthorization subchapter) must comply with the applicable§ 162.1301 Referral certification and authorization requirements of this part.transaction.§ 162.1302 Standards for referral certification and § 162.103 Definitions.authorization transaction. For purposes of this part, the following definitions apply:Subpart N—Health Care Claim Status Code set means any set of codes used to encode§ 162.1401 Health care claim status transaction. data elements, such as tables of terms, medical§ 162.1402 Standards for health care claim status concepts, medical diagnostic codes, or medicaltransaction. procedure codes. A code set includes the codes and the descriptors of the codes.Subpart O—Enrollment and Disenrollment in a Code set maintaining organization means anHealth Plan organization that creates and maintains the code sets§ 162.1501 Enrollment and disenrollment in a health adopted by the Secretary for use in the transactionsplan transaction. for which standards are adopted in this part.§ 162.1502 Standards for enrollment and Data condition means the rule that describes thedisenrollment in a health plan transaction. circumstances under which a covered entity must use a particular data element or segment.Subpart P—Health Care Payment and Remittance Data content means all the data elements andAdvice code sets inherent to a transaction, and not related to§ 162.1601 Health care payment and remittance the format of the transaction. Data elements that areadvice transaction. related to the format are not data content.§ 162.1602 Standards for health care payment and Data element means the smallest named unit ofremittance advice transaction. information in a transaction. Data set means a semantically meaningful unit ofSubpart Q—Health Plan Premium Payments information exchanged between two parties to a§ 162.1701 Health plan premium payments transaction.transaction. Descriptor means the text defining a code.§ 162.1702 Standards for health plan premium Designated standard maintenance organizationpayments transaction. (DSMO) means an organization designated by the Secretary under §162.910(a).Subpart R—Coordination of Benefits Direct data entry means the direct entry of data§ 162.1801 Coordination of benefits transaction. (for example, using dumb terminals or web browsers)§ 162.1802 Standards for coordination of benefits that is immediately transmitted into a health plansinformation transaction. computer. Format refers to those data elements that provideAuthority: Secs. 1171 through 1179 of the Social or control the enveloping or hierarchical structure, orSecurity Act (42 U.S.C. 1320d–1320d–8), as added assist in identifying data content of, a transaction.by sec. 262 of Pub. L. 104–191, 110 Stat. HCPCS stands for the Health2021–2031, and sec. 264 of Pub. L. 104–191, 110 [Care Financing Administration] Common ProcedureStat. 2033–2034 (42 U.S.C. 1320d–2 (note)). Coding System. Maintain or maintenance refers to activitiesSource: 65 FR 50367, Aug. 17, 2000, unless necessary to support the use of a standard adopted byotherwise noted. the Secretary, including technical corrections to an implementation specification, and enhancements orSubpart A—General Provisions expansion of a code set. This term excludes the activities related to the adoption of a new standard or§ 162.100 Applicability. implementation specification, or modification to an -23­
  • 41. HIPAA Administrative Simplification Regulation Text March 2006adopted standard or implementation specification. Provider Identifier (NPI). The NPI is a 10-position Maximum defined data set means all of the numeric identifier, with a check digit in the 10threquired data elements for a particular standard based position, and no intelligence about the health careon a specific implementation specification. provider in the number. Segment means a group of related data elements (b) Required and permitted uses for the NPI.in a transaction. (1) The NPI must be used as stated in §162.410, Standard transaction means a transaction that §162.412, and §162.414.complies with the applicable standard adopted under (2) The NPI may be used for any other lawfulthis part. purpose.[65 FR 50367, Aug. 17, 2000, as amended at 68 FR § 162.408 National Provider System.8374, Feb. 20, 2003] National Provider System. The National Provider System (NPS) shall do the following:Subparts B–C [Reserved] (a) Assign a single, unique NPI to a health care provider, provided that—Subpart D—Standard Unique Health Identifier (1) The NPS may assign an NPI to a subpart of afor Health Care Providers health care provider in accordance with paragraph (g); andSource: 69 FR 3468, Jan. 23, 2004, unless (2) The Secretary has sufficient information tootherwise noted. permit the assignment to be made. (b) Collect and maintain information about each§ 162.402 Definitions. health care provider that has been assigned an NPI Covered health care provider means a health care and perform tasks necessary to update thatprovider that meets the definition at paragraph (3) of information.the definition of “covered entity” at §160.103 of this (c) If appropriate, deactivate an NPI upon receiptsubchapter. of appropriate information concerning the dissolution of the health care provider that is an organization, the§ 162.404 Compliance dates of the death of the health care provider who is an individual,implementation of the standard unique health or other circumstances justifying deactivation.identifier for health care providers. (d) If appropriate, reactivate a deactivated NPI (a) Health care providers. A covered health care upon receipt of appropriate information.provider must comply with the implementation (e) Not assign a deactivated NPI to any otherspecifications in §162.410 no later than May 23, health care provider.2007. (f) Disseminate NPS information upon approved (b) Health plans. A health plan must comply with requests.the implementation specifications in §162.412 no (g) Assign an NPI to a subpart of a health carelater than one of the following dates: provider on request if the identifying data for the (1) A health plan that is not a small health subpart are unique.plan—May 23, 2007. (2) A small health plan—May 23, 2008. § 162.410 Implementation specifications: Health (c) Health care clearinghouses. A health care care providers.clearinghouse must comply with the implementation (a) A covered entity that is a covered health carespecifications in §162.414 no later than May 23, provider must:2007. (1) Obtain, by application if necessary, an NPI from the National Provider System (NPS) for itself or§ 162.406 Standard unique health identifier for for any subpart of the covered entity that would be ahealth care providers. covered health care provider if it were a separate (a) Standard. The standard unique health legal entity. A covered entity may obtain an NPI foridentifier for health care providers is the National any other subpart that qualifies for the assignment of -24­
  • 42. HIPAA Administrative Simplification Regulation Text March 2006an NPI. § 162.600 Compliance dates of the (2) Use the NPI it obtained from the NPS to implementation of the standard unique employeridentify itself on all standard transactions that it identifier.conducts where its health care provider identifier is (a) Health care providers. Health care providersrequired. must comply with the requirements of this subpart no (3) Disclose its NPI, when requested, to any entity later than July 30, 2004.that needs the NPI to identify that covered health care (b) Health plans. A health plan must comply withprovider in a standard transaction. the requirements of this subpart no later than one of (4) Communicate to the NPS any changes in its the following dates:required data elements in the NPS within 30 days of (1) Health plans other than small healththe change. plans—July 30, 2004. (5) If it uses one or more business associates to (2) Small health plans—August 1, 2005.conduct standard transactions on its behalf, require its (c) Health care clearinghouses. Health carebusiness associate(s) to use its NPI and other NPIs clearinghouses must comply with the requirements ofappropriately as required by the transactions that the this subpart no later than July 30, 2004.business associate(s) conducts on its behalf. (6) If it has been assigned NPIs for one or more § 162.605 Standard unique employer identifier.subparts, comply with the requirements of paragraphs The Secretary adopts the EIN as the standard unique(a)(2) through (a)(5) of this section with respect to employer identifier provided for by 42 U.S.C.each of those NPIs. 1320d–2(b). (b) A health care provider that is not a coveredentity may obtain, by application if necessary, an NPI § 162.610 Implementation specifications forfrom the NPS. covered entities. (a) The standard unique employer identifier of an§ 162.412 Implementation specifications: Health employer of a particular employee is the EIN thatplans. appears on that employees IRS Form W–2, Wage (a) A health plan must use the NPI of any health and Tax Statement, from the employer.care provider (or subpart(s), if applicable) that has (b) A covered entity must use the standard uniquebeen assigned an NPI to identify that health care employer identifier (EIN) of the appropriate employerprovider on all standard transactions where that in standard transactions that require an employerhealth care providers identifier is required. identifier to identify a person or entity as an (b) A health plan may not require a health care employer, including where situationally required.provider that has been assigned an NPI to obtain an (c) Required and permitted uses for the Employeradditional NPI. Identifier. (1) The Employer Identifier must be used as§ 162.414 Implementation specifications: Health stated in §162.610(b).care clearinghouses. (2) The Employer Identifier may be used for anyA health care clearinghouse must use the NPI of any other lawful purpose.health care provider (or subpart(s), if applicable) thathas been assigned an NPI to identify that health care [67 FR 38020, May 31, 2002, as amended at 69 FRprovider on all standard transactions where that 3469, Jan. 23, 2004]health care providers identifier is required. Subparts G–H [Reserved]Subpart E [Reserved] Subpart I—General Provisions for TransactionsSubpart F—Standard Unique Employer Identifier § 162.900 Compliance dates for transactionSource: 67 FR 38020, May 31, 2002, unless standards and code sets.otherwise noted. (a) Small health plans. All small health plans -25­
  • 43. HIPAA Administrative Simplification Regulation Text March 2006must comply with applicable requirements of subparts new standard, only if the recommendation isI through R of this part no later than October 16, developed through a process that provides for the2003. following: (b) Covered entities that timely submitted a (1) Open public access.compliance plan. Any covered entity, other than a (2) Coordination with other DSMOs.small health plan, that timely submitted a compliance (3) An appeals process for each of the following,plan with the Secretary under the provisions of if dissatisfied with the decision on the request:section 2 of Pub. L. 107–105, 115 Stat. 1003 (ASCA) (i) The requestor of the proposed modification.must comply with the applicable requirements of (ii) A DSMO that participated in the review andsubparts I through R of this part no later than October analysis of the request for the proposed modification,16, 2003. or the proposed new standard. (c) Covered entities that did not timely submit a (4) Expedited process to address content needscompliance plan. Any covered entity, other than a identified within the industry, if appropriate.small health plan, that did not timely submit a (5) Submission of the recommendation to thecompliance plan under the provisions of section 2 of National Committee on Vital and Health StatisticsPub. L. 107-105, 115 Stat. 1003 (ASCA) must (NCVHS).comply with the applicable requirements of subparts Ithrough R of this part— § 162.915 Trading partner agreements. (1) Beginning on October 16, 2002, and ending A covered entity must not enter into a trading partneron October 15, 2003— agreement that would do any of the following: (i) For the corresponding time period; or (a) Change the definition, data condition, or use of (ii) For the time period beginning on October 16, a data element or segment in a standard.2003. (b) Add any data elements or segments to the (2) Beginning on and after October 16, 2003, for maximum defined data set.the corresponding time period. (c) Use any code or data elements that are either marked “not used” in the standards implementation[68 FR 8396, Feb. 20, 2003] specification or are not in the standards implementation specification(s).§ 162.910 Maintenance of standards and (d) Change the meaning or intent of the standardsadoption of modifications and new standards. implementation specification(s). (a) Designation of DSMOs. (1) The Secretary may designate as a DSMO an § 162.920 Availability of implementationorganization that agrees to conduct, to the satisfaction specifications.of the Secretary, the following functions: A person or an organization may directly request (i) Maintain standards adopted under this copies of the implementation standards described insubchapter. subparts I through R of this part from the publishers (ii) Receive and process requests for adopting a listed in this section. The Director of the Office of thenew standard or modifying an adopted standard. Federal Register approves the implementation (2) The Secretary designates a DSMO by notice in specifications described in this section forthe Federal Register. incorporation by reference in subparts I through R of (b) Maintenance of standards. Maintenance of a this part in accordance with 5 U.S.C. 552(a) and 1standard by the appropriate DSMO constitutes CFR part 51. The implementation specificationsmaintenance of the standard for purposes of this part, described in this paragraph are also available forif done in accordance with the processes the Secretary inspection by the public at the Centers for Medicaremay require. & Medicaid Services, 7500 Security Boulevard, (c) Process for modification of existing standards Baltimore, Maryland 21244 or at the Nationaland adoption of new standards. The Secretary Archives and Records Administration (NARA). Forconsiders a recommendation for a proposed information on the availability of this material atmodification to an existing standard, or a proposed NARA, call 202–741–6030, or go to: -26­
  • 44. HIPAA Administrative Simplification Regulation Text March 2006http://www.archives.gov/federal_register/code_of_fed October 2002, Washington Publishing Company,eral_regulations/ibr_locations.html. Copy requests 004010X095A1, as referenced in §162.1502.must be accompanied by the name of the standard, (6) The ASC X12N 820—Payroll Deducted andnumber, if applicable, and version number. Other Group Premium Payment for InsuranceImplementation specifications are available for the Products, Version 4010, May 2000, Washingtonfollowing transactions: Publishing Company, 004010X061, and Addenda to (a) ASC X12N specifications. The implementation Payroll Deducted and Other Group Premium Paymentspecifications for ASC X12N standards may be for Insurance Products, Version 4010, October 2002,obtained from the Washington Publishing Company, Washington Publishing Company, 004010X061A1,PMB 161, 5284 Randolph Road, Rockville, MD, as referenced in §162.1702.20852–2116; Telephone (301) 949–9740; and FAX: (7) The ASC X12N 278—Health Care Services(301) 949–9742. They are also available through the Review—Request for Review and Response, VersionWashington Publishing Company on the Internet 4010, May 2000, Washington Publishing Company,athttp://www.wpc-edi.com/. The transaction 004010X094 and Addenda to Health Care Servicesimplementation specifications are as follows: Review—Request for Review and Response, Version (1) The ASC X12N 837—Health Care Claim: 4010, October 2002, Washington PublishingDental, Version 4010, May 2000, Washington Company, 004010X094A1, as referenced inPublishing Company, 004010X097 and Addenda to §162.1302.Health Care Claim: Dental, Version 4010, October (8) The ASC X12N–276/277 Health Care Claim2002, Washington Publishing Company, Status Request and Response, Version 4010, May004010X097A1, as referenced in §162.1102 and 2000, Washington Publishing Company,§162.1802. 004010X093 and Addenda to Health Care Claim (2) The ASC X12N 837—Health Care Claim: Status Request and Response, Version 4010, OctoberProfessional, Volumes 1 and 2, Version 4010, May 2002, Washington Publishing Company,2000, Washington Publishing Company, 004010X093A1, as referenced in §162.1402.004010X098 and Addenda to Health Care Claim: (9) The ASC X12N 270/271—Health CareProfessional, Volumes 1 and 2, Version 4010, Eligibility Benefit Inquiry and Response, VersionOctober 2002, Washington Publishing Company, 4010, May 2000, Washington Publishing Company,004010X098A1, as referenced in §162.1102 and 004010X092 and Addenda to Health Care Eligibility§162.1802. Benefit Inquiry and Response, Version 4010, October (3) The ASC X12N 837—Health Care Claim: 2002, Washington Publishing Company,Institutional, Volumes 1 and 2, Version 4010, May 004010X092A1, as referenced in §162.1202.2000, Washington Publishing Company, (b) Retail pharmacy specifications. The004010X096 and Addenda to Health Care Claim: implementation specifications for retail pharmacyInstitutional, Volumes 1 and 2, Version 4010, standards may be obtained for a fee from the NationalOctober 2002, Washington Publishing Company, Council for Prescription Drug Programs (NCPDP),004010X096A1 as referenced in §162.1102 and 9240 E. Raintree Drive, Scottsdale, AZ 85260;§162.1802. Telephone (480) 477–1000; and FAX (480) (4) The ASC X12N 835—Health Care Claim 767–1042. They may also be obtained through thePayment/Advice, Version 4010, May 2000, Internet at http://www.ncpdp.org. The transactionWashington Publishing Company, 004010X091, and implementation specifications are as follows:Addenda to Health Care Claim Payment/Advice, (1) The Telecommunication StandardVersion 4010, October 2002, Washington Publishing Implementation Guide Version 5, Release 1 (VersionCompany, 004010X091A1 as referenced in 5.1), September 1999, National Council for§162.1602. Prescription Drug Programs, as referenced in (5) ASC X12N 834—Benefit Enrollment and §162.1102, §162.1202, §162.1302, §162.1602, andMaintenance, Version 4010, May 2000, Washington §162.1802.Publishing Company, 004010X095 and Addenda to (2) The Batch Standard Batch ImplementationBenefit Enrollment and Maintenance, Version 4010, Guide, Version 1, Release 1 (Version 1.1), January -27­
  • 45. HIPAA Administrative Simplification Regulation Text March 20062000, supporting Telecommunication Standard must do so.Implementation Guide, Version 5, Release 1 (Version (2) A health plan may not delay or reject a5.1) for the NCPDP Data Record in the Detail Data transaction, or attempt to adversely affect the otherRecord, National Council for Prescription Drug entity or the transaction, because the transaction is aPrograms, as referenced in §162.1102, §162.1202, standard transaction.§162.1302, and §162.1802. (3) A health plan may not reject a standard (3) The National Council for Prescription Drug transaction on the basis that it contains data elementsPrograms (NCPDP) equivalent NCPDP Batch not needed or used by the health plan (for example,Standard Batch Implementation Guide, Version 1, coordination of benefits information).Release 0, February 1, 1996, as referenced in (4) A health plan may not offer an incentive for a§162.1102, §162.1202, §162.1602, and §162.1802. health care provider to conduct a transaction covered by this part as a transaction described under the[68 FR 8396, Feb. 20, 2003, as amended at 69 FR exception provided for in §162.923(b).18803, Apr. 9, 2004] (5) A health plan that operates as a health care clearinghouse, or requires an entity to use a health§ 162.923 Requirements for covered entities. care clearinghouse to receive, process, or transmit a (a) General rule. Except as otherwise provided in standard transaction may not charge fees or costs inthis part, if a covered entity conducts with another excess of the fees or costs for normalcovered entity (or within the same covered entity), telecommunications that the entity incurs when itusing electronic media, a transaction for which the directly transmits, or receives, a standard transactionSecretary has adopted a standard under this part, the to, or from, a health plan.covered entity must conduct the transaction as a (b) Coordination of benefits. If a health planstandard transaction. receives a standard transaction and coordinates (b) Exception for direct data entry transactions. benefits with another health plan (or another payer), itA health care provider electing to use direct data must store the coordination of benefits data it needsentry offered by a health plan to conduct a transaction to forward the standard transaction to the other healthfor which a standard has been adopted under this part plan (or other payer).must use the applicable data content and data (c) Code sets. A health plan must meet each of thecondition requirements of the standard when following requirements:conducting the transaction. The health care provider (1) Accept and promptly process any standardis not required to use the format requirements of the transaction that contains codes that are valid, asstandard. provided in subpart J of this part. (c) Use of a business associate. A covered entity (2) Keep code sets for the current billing periodmay use a business associate, including a health care and appeals periods still open to processing under theclearinghouse, to conduct a transaction covered by terms of the health plans coverage.this part. If a covered entity chooses to use a businessassociate to conduct all or part of a transaction on § 162.930 Additional rules for health carebehalf of the covered entity, the covered entity must clearinghouses.require the business associate to do the following: When acting as a business associate for another (1) Comply with all applicable requirements of covered entity, a health care clearinghouse maythis part. perform the following functions: (2) Require any agent or subcontractor to comply (a) Receive a standard transaction on behalf of thewith all applicable requirements of this part. covered entity and translate it into a nonstandard transaction (for example, nonstandard format and/or§ 162.925 Additional requirements for health nonstandard data content) for transmission to theplans. covered entity. (a) General rules. (b) Receive a nonstandard transaction (for (1) If an entity requests a health plan to conduct a example, nonstandard format and/or nonstandard datatransaction as a standard transaction, the health plan content) from the covered entity and translate it into a -28­
  • 46. HIPAA Administrative Simplification Regulation Text March 2006standard transaction for transmission on behalf of the including any additional system requirements.covered entity. (3) Testing of the proposed modification. Provide an explanation, no more than 5 pages in length, of§ 162.940 Exceptions from standards to permit how the organization intends to test the standard,testing of proposed modifications. including the number and types of health plans and (a) Requests for an exception. An organization health care providers expected to be involved in themay request an exception from the use of a standard test, geographical areas, and beginning and endingfrom the Secretary to test a proposed modification to dates of the test.that standard. For each proposed modification, the (4) Trading partner concurrences. Provideorganization must meet the following requirements: written concurrences from trading partners who (1) Comparison to a current standard. Provide a would agree to participate in the test.detailed explanation, no more than 10 pages in length, (b) Basis for granting an exception. The Secretaryof how the proposed modification would be a may grant an initial exception, for a period not tosignificant improvement to the current standard in exceed 3 years, based on, but not limited to, theterms of the following principles: following criteria: (i) Improve the efficiency and effectiveness of the (1) An assessment of whether the proposedhealth care system by leading to cost reductions for, modification demonstrates a significant improvementor improvements in benefits from, electronic health to the current standard.care transactions. (2) The extent and length of time of the exception. (ii) Meet the needs of the health data standards (3) Consultations with DSMOs.user community, particularly health care providers, (c) Secretarys decision on exception. Thehealth plans, and health care clearinghouses. Secretary makes a decision and notifies the (iii) Be uniform and consistent with the other organization requesting the exception whether thestandards adopted under this part and, as appropriate, request is granted or denied.with other private and public sector health data (1) Exception granted. If the Secretary grants anstandards. exception, the notification includes the following (iv) Have low additional development and information:implementation costs relative to the benefits of using (i) The length of time for which the exceptionthe standard. applies. (v) Be supported by an ANSI-accredited SSO or (ii) The trading partners and geographical areasother private or public organization that would the Secretary approves for testing.maintain the standard over time. (iii) Any other conditions for approving the (vi) Have timely development, testing, exception.implementation, and updating procedures to achieve (2) Exception denied. If the Secretary does notadministrative simplification benefits faster. grant an exception, the notification explains the (vii) Be technologically independent of the reasons the Secretary considers the proposedcomputer platforms and transmission protocols used modification would not be a significant improvementin electronic health transactions, unless they are to the current standard and any other rationale for theexplicitly part of the standard. denial. (viii) Be precise, unambiguous, and as simple as (d) Organizations report on test results. Withinpossible. 90 days after the test is completed, an organization (ix) Result in minimum data collection and that receives an exception must submit a report on thepaperwork burdens on users. results of the test, including a cost-benefit analysis, to (x) Incorporate flexibility to adapt more easily to a location specified by the Secretary by notice in thechanges in the health care infrastructure (such as new Federal Register.services, organizations, and provider types) and (e) Extension allowed. If the report submitted ininformation technology. accordance with paragraph (d) of this section (2) Specifications for the proposed modification. recommends a modification to the standard, theProvide specifications for the proposed modification, Secretary, on request, may grant an extension to the -29­
  • 47. HIPAA Administrative Simplification Regulation Text March 2006period granted for the exception. (i) Drugs (ii) Biologics.Subpart J—Code Sets (4) Code on Dental Procedures and Nomenclature, as maintained and distributed by the§ 162.1000 General requirements. American Dental Association, for dental services.When conducting a transaction covered by this part, a (5) The combination of Health Care Financingcovered entity must meet the following requirements: Administration Common Procedure Coding System (a) Medical data code sets. Use the applicable (HCPCS), as maintained and distributed by HHS, andmedical data code sets described in §162.1002 as Current Procedural Terminology, Fourth Editionspecified in the implementation specification adopted (CPT–4), as maintained and distributed by theunder this part that are valid at the time the health American Medical Association, for physician servicescare is furnished. and other health care services. These services include, (b) Nonmedical data code sets. Use the but are not limited to, the following:nonmedical data code sets as described in the (i) Physician services.implementation specifications adopted under this part (ii) Physical and occupational therapy services.that are valid at the time the transaction is initiated. (iii) Radiologic procedures. (iv) Clinical laboratory tests.§ 162.1002 Medical data code sets. (v) Other medical diagnostic procedures.The Secretary adopts the following maintaining (vi) Hearing and vision services.organizations code sets as the standard medical data (vii) Transportation services including ambulance.code sets: (6) The Health Care Financing Administration (a) For the period from October 16, 2002 through Common Procedure Coding System (HCPCS), asOctober 15, 2003: maintained and distributed by HHS, for all other (1) International Classification of Diseases, 9th substances, equipment, supplies, or other items usedEdition, Clinical Modification, (ICD–9–CM), in health care services. These items include, but areVolumes 1 and 2 (including The Official ICD–9–CM not limited to, the following:Guidelines for Coding and Reporting), as maintained (i) Medical supplies.and distributed by HHS, for the following conditions: (ii) Orthotic and prosthetic devices. (i) Diseases. (iii) Durable medical equipment. (ii) Injuries. (b) For the period on and after October 16, 2003: (iii) Impairments. (1) The code sets specified in paragraphs (a)(1), (iv) Other health problems and their (a)(2),(a)(4), and (a)(5) of this section.manifestations. (2) National Drug Codes (NDC), as maintained (v) Causes of injury, disease, impairment, or other and distributed by HHS, for reporting the followinghealth problems. by retail pharmacies: (2) International Classification of Diseases, 9th (i) Drugs.Edition, Clinical Modification, Volume 3 Procedures (ii) Biologics.(including The Official ICD–9–CM Guidelines for (3) The Healthcare Common Procedure CodingCoding and Reporting), as maintained and distributed System (HCPCS), as maintained and distributed byby HHS, for the following procedures or other actions HHS, for all other substances, equipment, supplies, ortaken for diseases, injuries, and impairments on other items used in health care services, with thehospital inpatients reported by hospitals: exception of drugs and biologics. These items (i) Prevention. include, but are not limited to, the following: (ii) Diagnosis. (i) Medical supplies. (iii) Treatment. (ii) Orthotic and prosthetic devices. (iv) Management. (iii) Durable medical equipment. (3) National Drug Codes (NDC), as maintainedand distributed by HHS, in collaboration with drug [65 FR 50367, Aug. 17, 2000, as amended at 68 FRmanufacturers, for the following: 8397, Feb. 20, 2003] -30­
  • 48. HIPAA Administrative Simplification Regulation Text March 2006§ 162.1011 Valid code sets. Volumes 1 and 2, Version 4010, May 2000,Each code set is valid within the dates specified by Washington Publishing Company, 004010X096.the organization responsible for maintaining that code (Incorporated by reference in §162.920).set. (b) For the period on and after October 16, 2003: (1) Retail pharmacy drugs claims. The NationalSubpart K—Health Care Claims or Equivalent Council for Prescription Drug Programs (NCPDP)Encounter Information Telecommunication Standards Implementaiton Guide, Version 5, Release 1, September 1999, and§ 162.1101 Health care claims or equivalent equivalent NCPDP Batch Standards Batchencounter information transaction. Implementation Guide, Version 1, Release 1,The health care claims or equivalent encounter (Version 1.1), January 2000, supportinginformation transaction is the transmission of either Telecomunication Version 5.1 for the NCPDP Dataof the following: Record in the Detail Data Record. (Incorporated by (a) A request to obtain payment, and the necessary reference in §162.920).accompanying information from a health care (2) Dental, health care claims. The ASC X12Nprovider to a health plan, for health care. 837—Health Care Claim: Dental, Version 4010, May (b) If there is no direct claim, because the 2000, Washington Publishing Company,reimbursement contract is based on a mechanism 004010X097. and Addenda to Health Care Claim:other than charges or reimbursement rates for specific Dental, Version 4010, October 2002, Washingtonservices, the transaction is the transmission of Publishing Company, 004010X097A1. (Incorporatedencounter information for the purpose of reporting by reference in §162.920).health care. (3) Professional health care claims. The ASC X12N 837—Health Care Claims: Professional,§ 162.1102 Standards for health care claims or Volumes 1 and 2, Version 4010, may 2000,equivalent encounter information transaction. Washington Publishing Company, 004010X098 andThe Secretary adopts the following standards for the Addenda to Health Care Claims: Professional,health care claims or equivalent encounter Volumes 1 and 2, Version 4010, October 2002,information transaction: Washington Publishing Company, 004010x098A1. (a) For the period from October 16, 2002 through (Incorporated by reference in §162.920).October 15, 2003: (4) Institutional health care claims. The ASC (1) Retail pharmacy drug claims. The National X12N 837—Health Care Claim: Institutional,Council for Prescription Drug Programs (NCPDP) Volumes 1 and 2, Version 4010, May 2000,Telecommunication Standard Implementation Guide, Washington Publishing Company, 004010X096 andVersion 5, Release 1, September 1999, and Addenda to Health Care Claim: Institutional,equivalent NCPDP Batch Standard Batch Volumes 1 and 2, Version 4010, October 2002,Implementation Guide, Version 1, Release 0 February Washington Publishing Company, 004010X096A1.1, 1996. (Incorporated by reference in §162.920). (Incorporated by reference in §162.920). (2) Dental health care claims. The ASC X12N837—Health Care Claim: Dental, Version 4010, May [68 FR 8397, Feb. 20, 2003; 68 FR 11445, Mar. 10,2000, Washington Publishing Company, 2003]004010X097. (Incorporated by reference in§162.920). Subpart L—Eligibility for a Health Plan (3) Professional health care claims. The ASCX12N 837—Health Care Claim: Professional, § 162.1201 Eligibility for a health planVolumes 1 and 2, Version 4010, May 2000, transaction.Washington Publishing Company, 004010X098. The eligibility for a health plan transaction is the(Incorporated by reference in §162.920). transmission of either of the following: (4) Institutional health care claims. The ASC (a) An inquiry from a health care provider to aX12N 837—Health Care Claim: Institutional, health plan, or from one health plan to another health -31­
  • 49. HIPAA Administrative Simplification Regulation Text March 2006plan, to obtain any of the following information about [68 FR 8398, Feb. 20, 2003; 68 FR 11445, Mar. 10,a benefit plan for an enrollee: 2003] (1) Eligibility to receive health care under thehealth plan. Subpart M—Referral Certification and (2) Coverage of health care under the health plan. Authorization (3) Benefits associated with the benefit plan. (b) A response from a health plan to a health care § 162.1301 Referral certification andproviders (or another health plans) inquiry described authorization transaction.in paragraph (a) of this section. The referral certification and authorization transaction is any of the following transmissions:§ 162.1202 Standards for eligibility for a health (a) A request for the review of health care toplan transaction. obtain an authorization for the health care.The Secretary adopts the following standards for the (b) A request to obtain authorization for referringeligibility for a health plan transaction: an individual to another health care provider. (a) For the period from October 16, 2002 through (c) A response to a request described in paragraphOctober 15, 2003: (a) or paragraph (b) of this section. (1) Retail pharmacy drugs. The National Councilfor Prescription Drug Programs Telecommunications § 162.1302 Standards for referral certificationStandards Implementaiton Guide, Version 5, Release and authorization transaction.1, September 1999, and equivalent NCPDP Batch The Secretary adopts the following standards for theStandards Batch Implementation Guide, Version 1, referral certification and authorization transaction:Release 0, February 1, 1996. (Incorporated by (a) For the period from October 16, 2002, throughreference in §162.920). October 15, 2003: The ASC X12N 278—Health Care (2) Dental, professional, and institutional health Services Review—Request for Review and Response,care eligibility benefit inquiry and response. The Version 4010, May 2000, Washington PublishingASC X12N 270/271—Health Care Eligibility Benefit Company, 004010X094. (Incorporated by referenceInquiry and Response, Version 4010, May 2000, in §162.920).Washington Publishing Company,004010X092. (b) For the period on and after October 16, 2003:(Incorporated by reference in §162.920). (1) Retail pharmacy drug referral certification (b) For the period on and after October 16, 2003: and authorization. The NCPDP Telecommunication (1) Retail pharmacy drugs. The National Council Standard Implementation Guide, Version 5, Release 1for Prescription Drug Programs Telecommunication (Version 5.1), September 1999, and equivalentStandard Implementation Guide, Version 5, Release 1 NCPDP Batch Standard Batch Implementation(Version 5.1), September 1999, and equivalent Guide, Version 1, Release 1 (Version 1.1), JanuaryNCPDP Batch Standard Batch Implementation 2000, supporting Telecommunications StandardGuide, Version 1, Release 1 (Version 1.1), January Implementation Guide, Version 5, Release 1 (Version2000 supporting Telecommunications Standard 5.1) for the NCPDP Data Record in the Detail DataImplementation Guide, Version 5, Release 1 (Version Record. (Incorporated by reference in §162.920).5.1) for the NCPDP Data Record in the Detail Data (2) Dental, professional, and institutional referralRecord. (Incorporated by reference in §162.920). certification and authorization. The ASC X12N (2) Dental, professional, and institutional health 278—Health Care Services Review—Request forcare eligibility benefit inquiry and response. The ASC Review and Response, Version 4010, May 2000,X12N 270/271—Health Care Eligibility Benefit Washington Publishing Company, 004010X094 andInquiry and Response, Version 4010, May 2000, Addenda to Health Care Services Review—RequestWashington Publishing Company, 004010X092 and for Review and Response, Version 4010, OctoberAddenda to Health Care Eligibility Benefit Inquiry 2002, Washington Publishing Company,and Response, Version 4010, October 2002, 004010X094A1. (Incorporated by reference inWashington Publishing Company, 004010X092A1. §162.920).(Incorporated by reference in §162.920). -32­
  • 50. HIPAA Administrative Simplification Regulation Text March 2006[68 FR 8398, Feb. 20, 2003] October 15, 2003: ASC X12N 834—Benefit Enrollment and Maintenance, Version 4010, MaySubpart N—Health Care Claim Status 2000, Washington Publishing Company, 004010X095. (Incorporated by reference in§ 162.1401 Health care claim status transaction. §162.920).A health care claim status transaction is the (b) For the period on and after October 16, 2003:transmission of either of the following: ASC X12N 834—Benefit Enrollment and (a) An inquiry to determine the status of a health Maintenance, Version 4010, May 2000, Washingtoncare claim. Publishing Company, 004010X095 and Addenda to (b) A response about the status of a health care Benefit Enrollment and Maintenance, Version 4010,claim. October 2002, Washington Publishing Company, 004010X095A1. (Incorporated by reference in§ 162.1402 Standards for health care claim status §162.920).transaction.The Secretary adopts the following standards for the [68 FR 8398, Feb. 20, 2003]health care claim status transaction: (a) For the period from October 16, 2002 through Subpart P—Health Care Payment and RemittanceOctober 15, 2003: The ASC X12N–276/277 Health AdviceCare Claim Status Request and Response, Version4010, May 2000, Washington Publishing Company, § 162.1601 Health care payment and remittance004010X093. (Incorporated by reference in advice transaction.§162.920). The health care payment and remittance advice (b) For the period on and after October 16, 2003: transaction is the transmission of either of theThe ASC X12N–276/277 Health Care Claim Status following for health care:Request and Response, Version 4010, May 2000, (a) The transmission of any of the following fromWashington Publishing Company, 004010X093 and a health plan to a health care providers financialAddenda to Health Care Claim Status Request and institution:Response, Version 4010, October 2002, Washington (1) Payment.Publishing Company, 004010X093A1. (Incorporated (2) Information about the transfer of funds.by reference in §162.920). (3) Payment processing information. (b) The transmission of either of the following[68 FR 8398, Feb. 20, 2003] from a health plan to a health care provider: (1) Explanation of benefits.Subpart O—Enrollment and Disenrollment in a (2) Remittance advice.Health Plan § 162.1602 Standards for health care payment§ 162.1501 Enrollment and disenrollment in a and remittance advice transaction.health plan transaction. The Secretary adopts the following standards for theThe enrollment and disenrollment in a health plan health care payment and remittance advicetransaction is the transmission of subscriber transaction.enrollment information to a health plan to establish or (a) For the period from October 16, 2002 throughterminate insurance coverage. October 15, 2003: (1) Retail pharmacy drug claims and remittance§ 162.1502 Standards for enrollment and advice. The NCPDP Telecommunication Standarddisenrollment in a health plan transaction. Implementation Guide, Version 5 Release 1,The Secretary adopts the following standards for the September 1999, and equivalent NCPDP Batchenrollment and disenrollment in a health plan Standard Batch Implementation Guide, Version 1transaction. Release 0, February 1, 1996. (Incorporated by (a) For the period from October 16, 2002 through reference in §162.920). -33­
  • 51. HIPAA Administrative Simplification Regulation Text March 2006 (2) Dental, professional, and institutional health The ASC X12N 820—Payroll Deducted and Othercare claims and remittance advice. The ASC X12N Group Premium Payment for Insurance Products,835—Health Care Claim Payment/Advice, Version Version 4010, May 2000, Washington Publishing4010, May 2000, Washington Publishing Company, Company, 004010X061, and Addenda to Payroll004010X091. (Incorporated by reference in Deducted and Other Group Premium Payment for§162.920). Insurance Products, Version 4010, October 2002, (b) For the period on and after October 16, 2003: Washington Publishing Company, 004010X061A1.Health care claims and remittance advice. The ASC (Incorporated by reference in §162.920).X12N 835—Health Care Claim Payment/Advice,Version 4010, May 2000, Washington Publishing [68 FR 8399, Feb. 20, 2003]Company, 004010X091, and Addenda to Health CareClaim Payment/Advice, Version 4010, October 2002, Subpart R—Coordination of BenefitsWashington Publishing Company, 004010X091A1.(Incorporated by reference in §162.920). § 162.1801 Coordination of benefits transaction. The coordination of benefits transaction is the[68 FR 8398, Feb. 20, 2003] transmission from any entity to a health plan for the purpose of determining the relative paymentSubpart Q—Health Plan Premium Payments responsibilities of the health plan, of either of the following for health care:§ 162.1701 Health plan premium payments (a) Claims.transaction. (b) Payment information.The health plan premium payment transaction is thetransmission of any of the following from the entity § 162.1802 Standards for coordination of benefitsthat is arranging for the provision of health care or is information transaction.providing health care coverage payments for an The Secretary adopts the following standards for theindividual to a health plan: coordination of benefits information transaction. (a) Payment. (a) For the period from October 16, 2002 through (b) Information about the transfer of funds. October 15, 2003: (c) Detailed remittance information about (1) Retail pharmacy drug claims. The Nationalindividuals for whom premiums are being paid. Council for Prescription Drug Programs (d) Payment processing information to transmit Telecommunication Standard Implementation Guide,health care premium payments including any of the Version 5, Release 1, September 1999, andfollowing: equivalent NCPDP Batch Standard Batch (1) Payroll deductions. Implementation Guide, Version 1, Release 0, (2) Other group premium payments. February 1, 1996. (Incorporated by reference in (3) Associated group premium payment §162.920).information. (2) Dental health care claims. The ASC X12N 837—Health Care Claim: Dental, Version 4010, May§ 162.1702 Standards for health plan premium 2000, Washington Publishing Company,payments transaction. 004010X097. (Incorporated by reference inThe Secretary adopts the following standards for the §162.920).health care premium payments transaction. (3) Professional health care claims. The ASC (a) For the period from October 16, 2002 through X12N 837—Health Care Claim: Professional,October 15, 2003: The ASC X12N 820—Payroll Volumes 1 and 2, Version 4010, May 2000,Deducted and Other Group Premium Payment for Washington Publishing Company, 004010X098.Insurance Products, Version 4010, May 2000, (Incorporated by reference in §162.920).Washington Publishing Company, 04010X061. (4) Institutional health care claims. The ASC(Incorporated by reference in §162.920). X12N 837—Health Care Claim: Institutional, (b) For the period on and after October 16, 2003: Volumes 1 and 2, Version 4010, May 2000, -34­
  • 52. HIPAA Administrative Simplification Regulation Text March 2006Washington Publishing Company, 004010X096. Subpart B [Reserved](Incorporated by reference in §162.920). (b) For the period on and after October 16, 2003: Subpart C—Security Standards for the Protection (1) Retail pharmacy drug claims. The National of Electronic Protected Health InformationCouncil for Prescription Drug ProgramsTelecommunication Standard Implementation Guide, § 164.302 Applicability.Version 5, Release 1 (Version 5.1), September 1999, § 164.304 Definitions.and equivalent NCPDP Batch Standard Batch § 164.306 Security standards: General rules.Implementation Guide, Version 1, Release 1 (Version § 164.308 Administrative safeguards.1.1), January 2000, supporting Telecommunications § 164.310 Physical safeguards.Standard Implementation Guide, Version 5, Release 1 § 164.312 Technical safeguards.(Version 5.1) for the NCPDP Data Record in the § 164.314 Organizational requirements.Detail Data Record. (Incorporated by reference in § 164.316 Policies and procedures and§162.920). documentation requirements. (2) Dental health care claims. The ASC X12N § 164.318 Compliance dates for the initial837—Health Care Claim: Dental, Version 4010, May implementation of the security standards.2000, Washington Publishing Company,004010X097 and Addenda to Health Care Claim: Appendix A to Subpart C of Part 164—SecurityDental, Version 4010, October 2002, Washington Standards: Matrix [Omitted]Publishing Company, 004010X097A1. (Incorporatedby reference in §162.920). Subpart D [Reserved] (3) Professional health care claims. The ASCX12N 837—Health Care Claim: Professional, Subpart E—Privacy of Individually IdentifiableVolumes 1 and 2, Version 4010, May 2000, Health InformationWashington Publishing Company, 004010X098 andAddenda to Health Care Claim: Professional, § 164.500 Applicability.Volumes 1 and 2, Version 4010, October 2002, § 164.501 Definitions.Washington Publishing Company, 004010X098A1. § 164.502 Uses and disclosures of protected health(Incorporated by reference in §162.920). information: general rules. (4) Institutional health care claims. The ASC § 164.504 Uses and disclosures: OrganizationalX12N 837—Health Care Claim: Institutional, requirements.Volumes 1 and 2, Version 4010, May 2000, § 164.506 Uses and disclosures to carry outWashington Publishing Company, 004010X096 and treatment, payment, or health care operations.Addenda to Health Care Claim: Institutional, § 164.508 Uses and disclosures for which anVolumes 1 and 2, Version 4010, October 2002, authorization is required.Washington Publishing Company, 004010X096A1. § 164.510 Uses and disclosures requiring an(Incorporated by reference in §162.920). opportunity for the individual to agree or to object. § 164.512 Uses and disclosures for which an[68 FR 8399, Feb. 20, 2003] authorization or opportunity to agree or object is not required.PART 164—SECURITY AND PRIVACY § 164.514 Other requirements relating to uses and disclosures of protected health information.Subpart A—General Provisions § 164.520 Notice of privacy practices for protected health information.§ 164.102 Statutory basis. § 164.522 Rights to request privacy protection for§ 164.103 Definitions. protected health information.§ 164.104 Applicability. § 164.524 Access of individuals to protected health§ 164.105 Organizational requirements. information.§ 164.106 Relationship to other parts. § 164.526 Amendment of protected health -35­
  • 53. HIPAA Administrative Simplification Regulation Text March 2006information. Required by law means a mandate contained in§ 164.528 Accounting of disclosures of protected law that compels an entity to make a use or disclosurehealth information. of protected health information and that is§ 164.530 Administrative requirements. enforceable in a court of law. Required by law§ 164.532 Transition provisions. includes, but is not limited to, court orders and§ 164.534 Compliance dates for initial court-ordered warrants; subpoenas or summonsimplementation of the privacy standards. issued by a court, grand jury, a governmental or tribal inspector general, or an administrative bodyAuthority: 42 U.S.C. 1320d–1320d–8 and sec. 264, authorized to require the production of information; aPub. L. No. 104–191, 110 Stat. 2033–2034 (42 civil or an authorized investigative demand; MedicareU.S.C. 1320d–2 (note)). conditions of participation with respect to health care providers participating in the program; and statutes orSubpart A—General Provisions regulations that require the production of information, including statutes or regulations that require such§ 164.102 Statutory basis. information if payment is sought under a governmentThe provisions of this part are adopted pursuant to program providing public benefits.the Secretarys authority to prescribe standards,requirements, and implementation specifications [68 FR 8374, Feb. 20, 2003]under part C of title XI of the Act and section 264 ofPublic Law 104–191. § 164.104 Applicability. (a) Except as otherwise provided, the standards,[65 FR 82802, Dec. 28, 2000, as amended at 67 FR requirements, and implementation specifications53266, Aug. 14, 2002] adopted under this part apply to the following entities:§ 164.103 Definitions. (1) A health plan.As used in this part, the following terms have the (2) A health care clearinghouse.following meanings: (3) A health care provider who transmits any Common control exists if an entity has the power, health information in electronic form in connectiondirectly or indirectly, significantly to influence or with a transaction covered by this subchapter.direct the actions or policies of another entity. (b) When a health care clearinghouse creates or Common ownership exists if an entity or entities receives protected health information as a businesspossess an ownership or equity interest of 5 percent associate of another covered entity, or other than as aor more in another entity. business associate of a covered entity, the Covered functions means those functions of a clearinghouse must comply with §164.105 relating tocovered entity the performance of which makes the organizational requirements for covered entities,entity a health plan, health care provider, or health including the designation of health care componentscare clearinghouse. of a covered entity. Health care component means a component orcombination of components of a hybrid entity [68 FR 8375, Feb. 20, 2003]designated by the hybrid entity in accordance with§164.105(a)(2)(iii)(C). § 164.105 Organizational requirements. Hybrid entity means a single legal entity: (a)(1) Standard: Health care component. If a (1) That is a covered entity; covered entity is a hybrid entity, the requirements of (2) Whose business activities include both subparts C and E of this part, other than thecovered and non-covered functions; and requirements of this section, §164.314, and §164.504, (3) That designates health care components in apply only to the health care component(s) of theaccordance with paragraph §164.105(a)(2)(iii)(C). entity, as specified in this section. Plan sponsor is defined as defined at section (2) Implementation specifications:3(16)(B) of ERISA, 29 U.S.C. 1002(16)(B). (i) Application of other provisions. In applying a -36­
  • 54. HIPAA Administrative Simplification Regulation Text March 2006provision of subparts C and E of this part, other than maintains, or transmits electronic protected healththe requirements of this section, §164.314, and information on behalf of the health care component is§164.504, to a hybrid entity: in compliance with subpart C of this part; and (A) A reference in such provision to a “covered (E) If a person performs duties for both the healthentity” refers to a health care component of the care component in the capacity of a member of thecovered entity; workforce of such component and for another (B) A reference in such provision to a “health component of the entity in the same capacity withplan,” “covered health care provider,” or “health care respect to that component, such workforce memberclearinghouse,” refers to a health care component of must not use or disclose protected health informationthe covered entity if such health care component created or received in the course of or incident to theperforms the functions of a health plan, health care members work for the health care component in aprovider, or health care clearinghouse, as applicable; way prohibited by subpart E of this part. (C) A reference in such provision to “protected (iii) Responsibilities of the covered entity. Ahealth information” refers to protected health covered entity that is a hybrid entity has the followinginformation that is created or received by or on behalf responsibilities:of the health care component of the covered entity; (A) For purposes of subpart C of part 160 of thisand subchapter, pertaining to compliance and (D) A reference in such provision to “electronic enforcement, the covered entity has the responsibilityprotected health information” refers to electronic of complying with subpart E of this part.protected health information that is created, received, (B) The covered entity is responsible formaintained, or transmitted by or on behalf of the complying with §164.316(a) and §164.530(i),health care component of the covered entity. pertaining to the implementation of policies and (ii) Safeguard requirements. The covered entity procedures to ensure compliance with applicablethat is a hybrid entity must ensure that a health care requirements of this section and subparts C and E ofcomponent of the entity complies with the applicable this part, including the safeguard requirements inrequirements of this section and subparts C and E of paragraph (a)(2)(ii) of this section.this part. In particular, and without limiting this (C) The covered entity is responsible forrequirement, such covered entity must ensure that: designating the components that are part of one or (A) Its health care component does not disclose more health care components of the covered entityprotected health information to another component of and documenting the designation in accordance withthe covered entity in circumstances in which subpart paragraph (c) of this section, provided that, if theE of this part would prohibit such disclosure if the covered entity designates a health care component orhealth care component and the other component were components, it must include any component thatseparate and distinct legal entities; would meet the definition of covered entity if it were (B) Its health care component protects electronic a separate legal entity. Health care component(s) alsoprotected health information with respect to another may include a component only to the extent that itcomponent of the covered entity to the same extent performs:that it would be required under subpart C of this part (1) Covered functions; orto protect such information if the health care (2) Activities that would make such component acomponent and the other component were separate business associate of a component that performsand distinct legal entities; covered functions if the two components were (C) A component that is described by paragraph separate legal entities.(a)(2)(iii)(C)(2) of this section does not use or (b)(1) Standard: Affiliated covered entities.disclose protected health information that it creates or Legally separate covered entities that are affiliatedreceives from or on behalf of the health care may designate themselves as a single covered entitycomponent in a way prohibited by subpart E of this for purposes of subparts C and E of this part.part; (2) Implementation specifications: (D) A component that is described by paragraph (i) Requirements for designation of an affiliated(a)(2)(iii)(C)(2) of this section that creates, receives, covered entity. (A) Legally separate covered entities -37­
  • 55. HIPAA Administrative Simplification Regulation Text March 2006may designate themselves (including any health care § 164.302 Applicability.component of such covered entity) as a single A covered entity must comply with the applicableaffiliated covered entity, for purposes of subparts C standards, implementation specifications, andand E of this part, if all of the covered entities requirements of this subpart with respect to electronicdesignated are under common ownership or control. protected health information. (B) The designation of an affiliated covered entitymust be documented and the documentation § 164.304 Definitions.maintained as required by paragraph (c) of this As used in this subpart, the following terms have thesection. following meanings: (ii) Safeguard requirements. An affiliated covered Access means the ability or the means necessaryentity must ensure that: to read, write, modify, or communicate (A) The affiliated covered entitys creation, data/information or otherwise use any systemreceipt, maintenance, or transmission of electronic resource. (This definition applies to “access” as usedprotected health information complies with the in this subpart, not as used in subpart E of this part.)applicable requirements of subpart C of this part; Administrative safeguards are administrative (B) The affiliated covered entitys use and actions, and policies and procedures, to manage thedisclosure of protected health information comply selection, development, implementation, andwith the applicable requirements of subpart E of this maintenance of security measures to protectpart; and electronic protected health information and to manage (C) If the affiliated covered entity combines the the conduct of the covered entitys workforce infunctions of a health plan, health care provider, or relation to the protection of that information.health care clearinghouse, the affiliated covered entity Authentication means the corroboration that acomplies with §164.308(a)(4)(ii)(A) and person is the one claimed.§164.504(g), as applicable. Availability means the property that data or (c)(1) Standard: Documentation. A covered entity information is accessible and useable upon demandmust maintain a written or electronic record of a by an authorized person.designation as required by paragraphs (a) or (b) of Confidentiality means the property that data orthis section. information is not made available or disclosed to (2) Implementation specification: Retention unauthorized persons or processes.period. A covered entity must retain the Encryption means the use of an algorithmicdocumentation as required by paragraph (c)(1) of this process to transform data into a form in which there issection for 6 years from the date of its creation or the a low probability of assigning meaning without use ofdate when it last was in effect, whichever is later. a confidential process or key. Facility means the physical premises and the[68 FR 8375, Feb. 20, 2003] interior and exterior of a building(s). Information system means an interconnected set§ 164.106 Relationship to other parts. of information resources under the same directIn complying with the requirements of this part, management control that shares commoncovered entities are required to comply with the functionality. A system normally includes hardware,applicable provisions of parts 160 and 162 of this software, information, data, applications,subchapter. communications, and people. Integrity means the property that data orSubpart B [Reserved] information have not been altered or destroyed in an unauthorized manner.Subpart C—Security Standards for the Protection Malicious software means software, for example,of Electronic Protected Health Information a virus, designed to damage or disrupt a system.Authority: 42 U.S.C. 1320d-2 and 1320d-4. Password means confidential authenticationSource: 68 FR 8376, Feb. 20, 2003, unless information composed of a string of characters.otherwise noted. Physical safeguards are physical measures, -38­
  • 56. HIPAA Administrative Simplification Regulation Text March 2006policies, and procedures to protect a covered entitys (ii) The covered entitys technical infrastructure,electronic information systems and related buildings hardware, and software security capabilities.and equipment, from natural and environmental (iii) The costs of security measures.hazards, and unauthorized intrusion. (iv) The probability and criticality of potential Security or Security measures encompass all of risks to electronic protected health information.the administrative, physical, and technical safeguards (c) Standards. A covered entity must comply within an information system. the standards as provided in this section and in Security incident means the attempted or §164.308, §164.310, §164.312, §164.314, andsuccessful unauthorized access, use, disclosure, §164.316 with respect to all electronic protectedmodification, or destruction of information or health information.interference with system operations in an information (d) Implementation specifications. In this subpart:system. (1) Implementation specifications are required or Technical safeguards means the technology and addressable. If an implementation specification isthe policy and procedures for its use that protect required, the word “Required” appears in parentheseselectronic protected health information and control after the title of the implementation specification. Ifaccess to it. an implementation specification is addressable, the User means a person or entity with authorized word “Addressable” appears in parentheses after theaccess. title of the implementation specification. Workstation means an electronic computing (2) When a standard adopted in §164.308,device, for example, a lap or desk computer, or any §164.310, §164.312, §164.314, or §164.316 includesother device that performs similar functions, and required implementation specifications, a coveredelectronic media stored in its immediate environment. entity must implement the implementation specifications.§ 164.306 Security standards: General rules. (3) When a standard adopted in §164.308, (a) General requirements. Covered entities must §164.310, §164.312, §164.314, or §164.316 includesdo the following: addressable implementation specifications, a covered (1) Ensure the confidentiality, integrity, and entity must—availability of all electronic protected health (i) Assess whether each implementationinformation the covered entity creates, receives, specification is a reasonable and appropriatemaintains, or transmits. safeguard in its environment, when analyzed with (2) Protect against any reasonably anticipated reference to the likely contribution to protecting thethreats or hazards to the security or integrity of such entitys electronic protected health information; andinformation. (ii) As applicable to the entity— (3) Protect against any reasonably anticipated uses (A) Implement the implementation specification ifor disclosures of such information that are not reasonable and appropriate; orpermitted or required under subpart E of this part. (B) If implementing the implementation (4) Ensure compliance with this subpart by its specification is not reasonable and appropriate—workforce. (1) Document why it would not be reasonable and (b) Flexibility of approach. appropriate to implement the implementation (1) Covered entities may use any security specification; and,measures that allow the covered entity to reasonably (2) Implement an equivalent alternative measure ifand appropriately implement the standards and reasonable and appropriate.implementation specifications as specified in this (e) Maintenance. Security measures implementedsubpart. to comply with standards and implementation (2) In deciding which security measures to use, a specifications adopted under §164.105 and thiscovered entity must take into account the following subpart must be reviewed and modified as needed tofactors: continue provision of reasonable and appropriate (i) The size, complexity, and capabilities of the protection of electronic protected health informationcovered entity. as described at §164.316. -39­
  • 57. HIPAA Administrative Simplification Regulation Text March 2006[68 FR 8376, Feb. 20, 2003; 68 FR 17153, Apr. 8, that the access of a workforce member to electronic2003] protected health information is appropriate. (C) Termination procedures (Addressable).§ 164.308 Administrative safeguards. Implement procedures for terminating access to (a) A covered entity must, in accordance with electronic protected health information when the§164.306: employment of a workforce member ends or as (1)(i) Standard: Security management process. required by determinations made as specified inImplement policies and procedures to prevent, detect, paragraph (a)(3)(ii)(B) of this section.contain, and correct security violations. (4)(i) Standard: Information access management. (ii) Implementation specifications: Implement policies and procedures for authorizing (A) Risk analysis (Required). Conduct an accurate access to electronic protected health information thatand thorough assessment of the potential risks and are consistent with the applicable requirements ofvulnerabilities to the confidentiality, integrity, and subpart E of this part.availability of electronic protected health information (ii) Implementation specifications:held by the covered entity. (A) Isolating health care clearinghouse functions (B) Risk management (Required). Implement (Required). If a health care clearinghouse is part of asecurity measures sufficient to reduce risks and larger organization, the clearinghouse mustvulnerabilities to a reasonable and appropriate level implement policies and procedures that protect theto comply with §164.306(a). electronic protected health information of the (C) Sanction policy (Required). Apply clearinghouse from unauthorized access by the largerappropriate sanctions against workforce members organization.who fail to comply with the security policies and (B) Access authorization (Addressable).procedures of the covered entity. Implement policies and procedures for granting (D) Information system activity review access to electronic protected health information, for(Required). Implement procedures to regularly review example, through access to a workstation, transaction,records of information system activity, such as audit program, process, or other mechanism.logs, access reports, and security incident tracking (C) Access establishment and modificationreports. (Addressable). Implement policies and procedures (2) Standard: Assigned security responsibility. that, based upon the entitys access authorizationIdentify the security official who is responsible for policies, establish, document, review, and modify athe development and implementation of the policies users right of access to a workstation, transaction,and procedures required by this subpart for the entity. program, or process. (3)(i) Standard: Workforce security. Implement (5)(i) Standard: Security awareness and training.policies and procedures to ensure that all members of Implement a security awareness and training programits workforce have appropriate access to electronic for all members of its workforce (includingprotected health information, as provided under management).paragraph (a)(4) of this section, and to prevent those (ii) Implementation specifications. Implement:workforce members who do not have access under (A) Security reminders (Addressable). Periodicparagraph (a)(4) of this section from obtaining access security updates.to electronic protected health information. (B) Protection from malicious software (ii) Implementation specifications: (Addressable). Procedures for guarding against, (A) Authorization and/or supervision detecting, and reporting malicious software.(Addressable). Implement procedures for the (C) Log-in monitoring (Addressable). Proceduresauthorization and/or supervision of workforce for monitoring log-in attempts and reportingmembers who work with electronic protected health discrepancies.information or in locations where it might be (D) Password management (Addressable).accessed. Procedures for creating, changing, and safeguarding (B) Workforce clearance procedure passwords.(Addressable). Implement procedures to determine (6)(i) Standard: Security incident procedures. -40­
  • 58. HIPAA Administrative Simplification Regulation Text March 2006Implement policies and procedures to address behalf only if the covered entity obtains satisfactorysecurity incidents. assurances, in accordance with §164.314(a) that the (ii) Implementation specification: Response and business associate will appropriately safeguard theReporting (Required). Identify and respond to information.suspected or known security incidents; mitigate, to (2) This standard does not apply with respect to—the extent practicable, harmful effects of security (i) The transmission by a covered entity ofincidents that are known to the covered entity; and electronic protected health information to a healthdocument security incidents and their outcomes. care provider concerning the treatment of an (7)(i) Standard: Contingency plan. Establish (and individual.implement as needed) policies and procedures for (ii) The transmission of electronic protectedresponding to an emergency or other occurrence (for health information by a group health plan or an HMOexample, fire, vandalism, system failure, and natural or health insurance issuer on behalf of a group healthdisaster) that damages systems that contain electronic plan to a plan sponsor, to the extent that theprotected health information. requirements of §164.314(b) and §164.504(f) apply (ii) Implementation specifications: and are met; or (A) Data backup plan (Required). Establish and (iii) The transmission of electronic protectedimplement procedures to create and maintain health information from or to other agenciesretrievable exact copies of electronic protected health providing the services at §164.502(e)(1)(ii)(C), wheninformation. the covered entity is a health plan that is a (B) Disaster recovery plan (Required). Establish government program providing public benefits, if the(and implement as needed) procedures to restore any requirements of §164.502(e)(1)(ii)(C) are met.loss of data. (3) A covered entity that violates the satisfactory (C) Emergency mode operation plan (Required). assurances it provided as a business associate ofEstablish (and implement as needed) procedures to another covered entity will be in noncompliance withenable continuation of critical business processes for the standards, implementation specifications, andprotection of the security of electronic protected requirements of this paragraph and §164.314(a).health information while operating in emergency (4) Implementation specifications: Writtenmode. contract or other arrangement (Required). Document (D) Testing and revision procedures the satisfactory assurances required by paragraph(Addressable). Implement procedures for periodic (b)(1) of this section through a written contract ortesting and revision of contingency plans. other arrangement with the business associate that (E) Applications and data criticality analysis meets the applicable requirements of §164.314(a).(Addressable). Assess the relative criticality ofspecific applications and data in support of other § 164.310 Physical safeguards.contingency plan components. A covered entity must, in accordance with §164.306: (8) Standard: Evaluation. Perform a periodic (a)(1) Standard: Facility access controls.technical and nontechnical evaluation, based initially Implement policies and procedures to limit physicalupon the standards implemented under this rule and access to its electronic information systems and thesubsequently, in response to environmental or facility or facilities in which they are housed, whileoperational changes affecting the security of ensuring that properly authorized access is allowed.electronic protected health information, that (2) Implementation specifications:establishes the extent to which an entitys security (i) Contingency operations (Addressable).policies and procedures meet the requirements of this Establish (and implement as needed) procedures thatsubpart. allow facility access in support of restoration of lost (b)(1) Standard: Business associate contracts and data under the disaster recovery plan and emergencyother arrangements. A covered entity, in accordance mode operations plan in the event of an emergency.with §164.306, may permit a business associate to (ii) Facility security plan (Addressable).create, receive, maintain, or transmit electronic Implement policies and procedures to safeguard theprotected health information on the covered entitys facility and the equipment therein from unauthorized -41­
  • 59. HIPAA Administrative Simplification Regulation Text March 2006physical access, tampering, and theft. technical policies and procedures for electronic (iii) Access control and validation procedures information systems that maintain electronic(Addressable). Implement procedures to control and protected health information to allow access only tovalidate a persons access to facilities based on their those persons or software programs that have beenrole or function, including visitor control, and control granted access rights as specified in §164.308(a)(4).of access to software programs for testing and (2) Implementation specifications:revision. (i) Unique user identification (Required). Assign (iv) Maintenance records (Addressable). a unique name and/or number for identifying andImplement policies and procedures to document tracking user identity.repairs and modifications to the physical components (ii) Emergency access procedure (Required).of a facility which are related to security (for Establish (and implement as needed) procedures forexample, hardware, walls, doors, and locks). obtaining necessary electronic protected health (b) Standard: Workstation use. Implement information during an emergency.policies and procedures that specify the proper (iii) Automatic logoff (Addressable). Implementfunctions to be performed, the manner in which those electronic procedures that terminate an electronicfunctions are to be performed, and the physical session after a predetermined time of inactivity.attributes of the surroundings of a specific (iv) Encryption and decryption (Addressable).workstation or class of workstation that can access Implement a mechanism to encrypt and decryptelectronic protected health information. electronic protected health information. (c) Standard: Workstation security. Implement (b) Standard: Audit controls. Implementphysical safeguards for all workstations that access hardware, software, and/or procedural mechanismselectronic protected health information, to restrict that record and examine activity in informationaccess to authorized users. systems that contain or use electronic protected health (d)(1) Standard: Device and media controls. information.Implement policies and procedures that govern the (c)(1) Standard: Integrity. Implement policies andreceipt and removal of hardware and electronic media procedures to protect electronic protected healththat contain electronic protected health information information from improper alteration or destruction.into and out of a facility, and the movement of these (2) Implementation specification: Mechanism toitems within the facility. authenticate electronic protected health information (2) Implementation specifications: (Addressable). Implement electronic mechanisms to (i) Disposal (Required). Implement policies and corroborate that electronic protected healthprocedures to address the final disposition of information has not been altered or destroyed in anelectronic protected health information, and/or the unauthorized manner.hardware or electronic media on which it is stored. (d) Standard: Person or entity authentication. (ii) Media re-use (Required). Implement Implement procedures to verify that a person or entityprocedures for removal of electronic protected health seeking access to electronic protected healthinformation from electronic media before the media information is the one claimed.are made available for re-use. (e)(1) Standard: Transmission security. (iii) Accountability (Addressable). Maintain a Implement technical security measures to guardrecord of the movements of hardware and electronic against unauthorized access to electronic protectedmedia and any person responsible therefore. health information that is being transmitted over an (iv) Data backup and storage (Addressable). electronic communications network.Create a retrievable, exact copy of electronic (2) Implementation specifications:protected health information, when needed, before (i) Integrity controls (Addressable). Implementmovement of equipment. security measures to ensure that electronically transmitted electronic protected health information is§ 164.312 Technical safeguards. not improperly modified without detection untilA covered entity must, in accordance with §164.306: disposed of. (a)(1) Standard: Access control. Implement (ii) Encryption (Addressable). Implement a -42­
  • 60. HIPAA Administrative Simplification Regulation Text March 2006mechanism to encrypt electronic protected health (1) It enters into a memorandum of understandinginformation whenever deemed appropriate. with the business associate that contains terms that accomplish the objectives of paragraph (a)(2)(i) of§ 164.314 Organizational requirements. this section; or (a)(1) Standard: Business associate contracts or (2) Other law (including regulations adopted byother arrangements. the covered entity or its business associate) contains (i) The contract or other arrangement between the requirements applicable to the business associate thatcovered entity and its business associate required by accomplish the objectives of paragraph (a)(2)(i) of§164.308(b) must meet the requirements of paragraph this section.(a)(2)(i) or (a)(2)(ii) of this section, as applicable. (B) If a business associate is required by law to (ii) A covered entity is not in compliance with the perform a function or activity on behalf of a coveredstandards in §164.502(e) and paragraph (a) of this entity or to provide a service described in thesection if the covered entity knew of a pattern of an definition of business associate as specified inactivity or practice of the business associate that §160.103 of this subchapter to a covered entity, theconstituted a material breach or violation of the covered entity may permit the business associate tobusiness associates obligation under the contract or create, receive, maintain, or transmit electronicother arrangement, unless the covered entity took protected health information on its behalf to thereasonable steps to cure the breach or end the extent necessary to comply with the legal mandateviolation, as applicable, and, if such steps were without meeting the requirements of paragraphunsuccessful— (a)(2)(i) of this section, provided that the covered (A) Terminated the contract or arrangement, if entity attempts in good faith to obtain satisfactoryfeasible; or assurances as required by paragraph (a)(2)(ii)(A) of (B) If termination is not feasible, reported the this section, and documents the attempt and theproblem to the Secretary. reasons that these assurances cannot be obtained. (2) Implementation specifications (Required). (C) The covered entity may omit from its other (i) Business associate contracts. The contract arrangements authorization of the termination of thebetween a covered entity and a business associate contract by the covered entity, as required bymust provide that the business associate will— paragraph (a)(2)(i)(D) of this section if such (A) Implement administrative, physical, and authorization is inconsistent with the statutorytechnical safeguards that reasonably and obligations of the covered entity or its businessappropriately protect the confidentiality, integrity, associate.and availability of the electronic protected health (b)(1) Standard: Requirements for group healthinformation that it creates, receives, maintains, or plans. Except when the only electronic protectedtransmits on behalf of the covered entity as required health information disclosed to a plan sponsor isby this subpart; disclosed pursuant to §164.504(f)(1)(ii) or (iii), or as (B) Ensure that any agent, including a authorized under §164.508, a group health plan mustsubcontractor, to whom it provides such information ensure that its plan documents provide that the planagrees to implement reasonable and appropriate sponsor will reasonably and appropriately safeguardsafeguards to protect it; electronic protected health information created, (C) Report to the covered entity any security received, maintained, or transmitted to or by the planincident of which it becomes aware; sponsor on behalf of the group health plan. (D) Authorize termination of the contract by the (2) Implementation specifications (Required). Thecovered entity, if the covered entity determines that plan documents of the group health plan must bethe business associate has violated a material term of amended to incorporate provisions to require the planthe contract. sponsor to— (ii) Other arrangements. (A) When a covered (i) Implement administrative, physical, andentity and its business associate are both technical safeguards that reasonably andgovernmental entities, the covered entity is in appropriately protect the confidentiality, integrity,compliance with paragraph (a)(1) of this section, if— and availability of the electronic protected health -43­
  • 61. HIPAA Administrative Simplification Regulation Text March 2006information that it creates, receives, maintains, or information.transmits on behalf of the group health plan; (ii) Ensure that the adequate separation required § 164.318 Compliance dates for the initialby §164.504(f)(2)(iii) is supported by reasonable and implementation of the security standards.appropriate security measures; (a) Health plan. (iii) Ensure that any agent, including a (1) A health plan that is not a small health plansubcontractor, to whom it provides this information must comply with the applicable requirements of thisagrees to implement reasonable and appropriate subpart no later than April 20, 2005.security measures to protect the information; and (2) A small health plan must comply with the (iv) Report to the group health plan any security applicable requirements of this subpart no later thanincident of which it becomes aware. April 20, 2006. (b) Health care clearinghouse. A health care§ 164.316 Policies and procedures and clearinghouse must comply with the applicabledocumentation requirements. requirements of this subpart no later than April 20, A covered entity must, in accordance with §164.306: 2005. (a) Standard: Policies and procedures. Implement (c) Health care provider. A covered health carereasonable and appropriate policies and procedures to provider must comply with the applicablecomply with the standards, implementation requirements of this subpart no later than April 20,specifications, or other requirements of this subpart, 2005.taking into account those factors specified in§164.306(b)(2)(i), (ii), (iii), and (iv). This standard is Subpart D [Reserved]not to be construed to permit or excuse an action thatviolates any other standard, implementation Subpart E—Privacy of Individually Identifiablespecification, or other requirements of this subpart. A Health Informationcovered entity may change its policies and proceduresat any time, provided that the changes are § 164.500 Applicability.documented and are implemented in accordance with (a) Except as otherwise provided herein, thethis subpart. standards, requirements, and implementation (b)(1) Standard: Documentation. specifications of this subpart apply to covered entities (i) Maintain the policies and procedures with respect to protected health information.implemented to comply with this subpart in written (b) Health care clearinghouses must comply with(which may be electronic) form; and the standards, requirements, and implementation (ii) If an action, activity or assessment is required specifications as follows:by this subpart to be documented, maintain a written (1) When a health care clearinghouse creates or(which may be electronic) record of the action, receives protected health information as a businessactivity, or assessment. associate of another covered entity, the clearinghouse (2) Implementation specifications: must comply with: (i) Time limit (Required). Retain the (i) Section 164.500 relating to applicability;documentation required by paragraph (b)(1) of this (ii) Section 164.501 relating to definitions;section for 6 years from the date of its creation or the (iii) Section 164.502 relating to uses anddate when it last was in effect, whichever is later. disclosures of protected health information, except (ii) Availability (Required). Make documentation that a clearinghouse is prohibited from using oravailable to those persons responsible for disclosing protected health information other than asimplementing the procedures to which the permitted in the business associate contract underdocumentation pertains. which it created or received the protected health (iii) Updates (Required). Review documentation information;periodically, and update as needed, in response to (iv) Section 164.504 relating to the organizationalenvironmental or operational changes affecting the requirements for covered entities;security of the electronic protected health (v) Section 164.512 relating to uses and -44­
  • 62. HIPAA Administrative Simplification Regulation Text March 2006disclosures for which individual authorization or an with the protected health information received by theopportunity to agree or object is not required, except business associate in its capacity as a businessthat a clearinghouse is prohibited from using or associate of another covered entity, to permit datadisclosing protected health information other than as analyses that relate to the health care operations ofpermitted in the business associate contract under the respective covered entities.which it created or received the protected health Designated record set means:information; (1) A group of records maintained by or for a (vi) Section 164.532 relating to transition covered entity that is:requirements; and (i) The medical records and billing records about (vii) Section 164.534 relating to compliance dates individuals maintained by or for a covered health carefor initial implementation of the privacy standards. provider; (2) When a health care clearinghouse creates or (ii) The enrollment, payment, claims adjudication,receives protected health information other than as a and case or medical management record systemsbusiness associate of a covered entity, the maintained by or for a health plan; orclearinghouse must comply with all of the standards, (iii) Used, in whole or in part, by or for therequirements, and implementation specifications of covered entity to make decisions about individuals.this subpart. (2) For purposes of this paragraph, the term (c) The standards, requirements, and record means any item, collection, or grouping ofimplementation specifications of this subpart do not information that includes protected health informationapply to the Department of Defense or to any other and is maintained, collected, used, or disseminated byfederal agency, or non-governmental organization or for a covered entity.acting on its behalf, when providing health care to Direct treatment relationship means a treatmentoverseas foreign national beneficiaries. relationship between an individual and a health care provider that is not an indirect treatment relationship.[65 FR 82802, Dec. 28, 2000, as amended at 67 FR Health care operations means any of the53266, Aug. 14, 2002; 68 FR 8381, Feb. 20, 2003] following activities of the covered entity to the extent that the activities are related to covered functions:§ 164.501 Definitions. (1) Conducting quality assessment andAs used in this subpart, the following terms have the improvement activities, including outcomesfollowing meanings: evaluation and development of clinical guidelines, Correctional institution means any penal or provided that the obtaining of generalizablecorrectional facility, jail, reformatory, detention knowledge is not the primary purpose of any studiescenter, work farm, halfway house, or residential resulting from such activities; population-basedcommunity program center operated by, or under activities relating to improving health or reducingcontract to, the United States, a State, a territory, a health care costs, protocol development, casepolitical subdivision of a State or territory, or an management and care coordination, contacting ofIndian tribe, for the confinement or rehabilitation of health care providers and patients with informationpersons charged with or convicted of a criminal about treatment alternatives; and related functionsoffense or other persons held in lawful custody. Other that do not include treatment;persons held in lawful custody includes juvenile (2) Reviewing the competence or qualifications ofoffenders adjudicated delinquent, aliens detained health care professionals, evaluating practitioner andawaiting deportation, persons committed to mental provider performance, health plan performance,institutions through the criminal justice system, conducting training programs in which students,witnesses, or others awaiting charges or trial. trainees, or practitioners in areas of health care learn Data aggregation means, with respect to under supervision to practice or improve their skillsprotected health information created or received by a as health care providers, training of non-health carebusiness associate in its capacity as the business professionals, accreditation, certification, licensing,associate of a covered entity, the combining of such or credentialing activities;protected health information by the business associate (3) Underwriting, premium rating, and other -45­
  • 63. HIPAA Administrative Simplification Regulation Text March 2006activities relating to the creation, renewal or health information is relevant.replacement of a contract of health insurance or Indirect treatment relationship means ahealth benefits, and ceding, securing, or placing a relationship between an individual and a health carecontract for reinsurance of risk relating to claims for provider in which:health care (including stop-loss insurance and excess (1) The health care provider delivers health careof loss insurance), provided that the requirements of to the individual based on the orders of another health§164.514(g) are met, if applicable; care provider; and (4) Conducting or arranging for medical review, (2) The health care provider typically provideslegal services, and auditing functions, including fraud services or products, or reports the diagnosis orand abuse detection and compliance programs; results associated with the health care, directly to (5) Business planning and development, such as another health care provider, who provides theconducting cost-management and planning-related services or products or reports to the individual.analyses related to managing and operating the entity, Inmate means a person incarcerated in orincluding formulary development and administration, otherwise confined to a correctional institution.development or improvement of methods of payment Law enforcement official means an officer oror coverage policies; and employee of any agency or authority of the United (6) Business management and general States, a State, a territory, a political subdivision of aadministrative activities of the entity, including, but State or territory, or an Indian tribe, who isnot limited to: empowered by law to: (i) Management activities relating to (1) Investigate or conduct an official inquiry intoimplementation of and compliance with the a potential violation of law; orrequirements of this subchapter; (2) Prosecute or otherwise conduct a criminal, (ii) Customer service, including the provision of civil, or administrative proceeding arising from andata analyses for policy holders, plan sponsors, or alleged violation of law.other customers, provided that protected health Marketing means:information is not disclosed to such policy holder, (1) To make a communication about a product orplan sponsor, or customer. service that encourages recipients of the (iii) Resolution of internal grievances; communication to purchase or use the product or (iv) The sale, transfer, merger, or consolidation of service, unless the communication is made:all or part of the covered entity with another covered (i) To describe a health-related product or serviceentity, or an entity that following such activity will (or payment for such product or service) that isbecome a covered entity and due diligence related to provided by, or included in a plan of benefits of, thesuch activity; and covered entity making the communication, including (v) Consistent with the applicable requirements of communications about: the entities participating in a§164.514, creating de-identified health information or health care provider network or health plan network;a limited data set, and fundraising for the benefit of replacement of, or enhancements to, a health plan;the covered entity. and health-related products or services available only Health oversight agency means an agency or to a health plan enrollee that add value to, but are notauthority of the United States, a State, a territory, a part of, a plan of benefits.political subdivision of a State or territory, or an (ii) For treatment of the individual; orIndian tribe, or a person or entity acting under a grant (iii) For case management or care coordination forof authority from or contract with such public agency, the individual, or to direct or recommend alternativeincluding the employees or agents of such public treatments, therapies, health care providers, oragency or its contractors or persons or entities to settings of care to the individual.whom it has granted authority, that is authorized by (2) An arrangement between a covered entity andlaw to oversee the health care system (whether public any other entity whereby the covered entity disclosesor private) or government programs in which health protected health information to the other entity, ininformation is necessary to determine eligibility or exchange for direct or indirect remuneration, for thecompliance, or to enforce civil rights laws for which other entity or its affiliate to make a communication -46­
  • 64. HIPAA Administrative Simplification Regulation Text March 2006about its own product or service that encourages monitoring, counseling session start and stop times,recipients of the communication to purchase or use the modalities and frequencies of treatment furnished,that product or service. results of clinical tests, and any summary of the Payment means: following items: Diagnosis, functional status, the (1) The activities undertaken by: treatment plan, symptoms, prognosis, and progress to (i) A health plan to obtain premiums or to date.determine or fulfill its responsibility for coverage and Public health authority means an agency orprovision of benefits under the health plan; or authority of the United States, a State, a territory, a (ii) A health care provider or health plan to obtain political subdivision of a State or territory, or anor provide reimbursement for the provision of health Indian tribe, or a person or entity acting under a grantcare; and of authority from or contract with such public agency, (2) The activities in paragraph (1) of this including the employees or agents of such publicdefinition relate to the individual to whom health care agency or its contractors or persons or entities tois provided and include, but are not limited to: whom it has granted authority, that is responsible for (i) Determinations of eligibility or coverage public health matters as part of its official mandate.(including coordination of benefits or the Research means a systematic investigation,determination of cost sharing amounts), and including research development, testing, andadjudication or subrogation of health benefit claims; evaluation, designed to develop or contribute to (ii) Risk adjusting amounts due based on enrollee generalizable knowledge.health status and demographic characteristics; Treatment means the provision, coordination, or (iii) Billing, claims management, collection management of health care and related services byactivities, obtaining payment under a contract for one or more health care providers, including thereinsurance (including stop-loss insurance and excess coordination or management of health care by aof loss insurance), and related health care data health care provider with a third party; consultationprocessing; between health care providers relating to a patient; or (iv) Review of health care services with respect to the referral of a patient for health care from onemedical necessity, coverage under a health plan, health care provider to another.appropriateness of care, or justification of charges; (v) Utilization review activities, including [65 FR 82802, Dec. 28, 2000, as amended at 67 FRprecertification and preauthorization of services, 53266, Aug. 14, 2002; 68 FR 8381, Feb. 20, 2003]concurrent and retrospective review of services; and (vi) Disclosure to consumer reporting agencies of § 164.502 Uses and disclosures of protectedany of the following protected health information health information: general rules.relating to collection of premiums or reimbursement: (a) Standard. A covered entity may not use or (A) Name and address; disclose protected health information, except as (B) Date of birth; permitted or required by this subpart or by subpart C (C) Social security number; of part 160 of this subchapter. (D) Payment history; (1) Permitted uses and disclosures. A covered (E) Account number; and entity is permitted to use or disclose protected health (F) Name and address of the health care provider information as follows:and/or health plan. (i) To the individual; Psychotherapy notes means notes recorded (in (ii) For treatment, payment, or health careany medium) by a health care provider who is a operations, as permitted by and in compliance withmental health professional documenting or analyzing §164.506;the contents of conversation during a private (iii) Incident to a use or disclosure otherwisecounseling session or a group, joint, or family permitted or required by this subpart, provided thatcounseling session and that are separated from the the covered entity has complied with the applicablerest of the individuals medical record. Psychotherapy requirements of §164.502(b), §164.514(d), andnotes excludes medication prescription and §164.530(c) with respect to such otherwise permitted -47­
  • 65. HIPAA Administrative Simplification Regulation Text March 2006or required use or disclosure; (1) Uses and disclosures to create de-identified (iv) Pursuant to and in compliance with a valid information. A covered entity may use protectedauthorization under §164.508; health information to create information that is not (v) Pursuant to an agreement under, or as individually identifiable health information orotherwise permitted by, §164.510; and disclose protected health information only to a (vi) As permitted by and in compliance with this business associate for such purpose, whether or notsection, §164.512, or §164.514(e), (f), or (g). the de-identified information is to be used by the (2) Required disclosures. A covered entity is covered entity.required to disclose protected health information: (2) Uses and disclosures of de-identified (i) To an individual, when requested under, and information. Health information that meets therequired by §164.524 or §164.528; and standard and implementation specifications for (ii) When required by the Secretary under subpart de-identification under §164.514(a) and (b) isC of part 160 of this subchapter to investigate or considered not to be individually identifiable healthdetermine the covered entitys compliance with this information, i.e., de-identified. The requirements ofsubpart. this subpart do not apply to information that has been (b) Standard: Minimum necessary de-identified in accordance with the applicable (1) Minimum necessary applies. When using or requirements of §164.514, provided that:disclosing protected health information or when (i) Disclosure of a code or other means of recordrequesting protected health information from another identification designed to enable coded or otherwisecovered entity, a covered entity must make reasonable de-identified information to be re-identifiedefforts to limit protected health information to the constitutes disclosure of protected health information;minimum necessary to accomplish the intended andpurpose of the use, disclosure, or request. (ii) If de-identified information is re-identified, a (2) Minimum necessary does not apply. This covered entity may use or disclose such re-identifiedrequirement does not apply to: information only as permitted or required by this (i) Disclosures to or requests by a health care subpart.provider for treatment; (e)(1) Standard: Disclosures to business (ii) Uses or disclosures made to the individual, as associates.permitted under paragraph (a)(1)(i) of this section or (i) A covered entity may disclose protected healthas required by paragraph (a)(2)(i) of this section; information to a business associate and may allow a (iii) Uses or disclosures made pursuant to an business associate to create or receive protectedauthorization under §164.508; health information on its behalf, if the covered entity (iv) Disclosures made to the Secretary in obtains satisfactory assurance that the businessaccordance with subpart C of part 160 of this associate will appropriately safeguard thesubchapter; information. (v) Uses or disclosures that are required by law, as (ii) This standard does not apply:described by §164.512(a); and (A) With respect to disclosures by a covered (vi) Uses or disclosures that are required for entity to a health care provider concerning thecompliance with applicable requirements of this treatment of the individual;subchapter. (B) With respect to disclosures by a group health (c) Standard: Uses and disclosures of protected plan or a health insurance issuer or HMO with respecthealth information subject to an agreed upon to a group health plan to the plan sponsor, to therestriction. A covered entity that has agreed to a extent that the requirements of §164.504(f) apply andrestriction pursuant to §164.522(a)(1) may not use or are met; ordisclose the protected health information covered by (C) With respect to uses or disclosures by a healththe restriction in violation of such restriction, except plan that is a government program providing publicas otherwise provided in §164.522(a). benefits, if eligibility for, or enrollment in, the health (d) Standard: Uses and disclosures of plan is determined by an agency other than the agencyde-identified protected health information. administering the health plan, or if the protected -48­
  • 66. HIPAA Administrative Simplification Regulation Text March 2006health information used to determine enrollment or respect to protected health information pertaining to aeligibility in the health plan is collected by an agency health care service, if:other than the agency administering the health plan, (A) The minor consents to such health careand such activity is authorized by law, with respect to service; no other consent to such health care servicethe collection and sharing of individually identifiable is required by law, regardless of whether the consenthealth information for the performance of such of another person has also been obtained; and thefunctions by the health plan and the agency other than minor has not requested that such person be treated asthe agency administering the health plan. the personal representative; (iii) A covered entity that violates the satisfactory (B) The minor may lawfully obtain such healthassurances it provided as a business associate of care service without the consent of a parent, guardian,another covered entity will be in noncompliance with or other person acting in loco parentis, and the minor,the standards, implementation specifications, and a court, or another person authorized by law consentsrequirements of this paragraph and §164.504(e). to such health care service; or (2) Implementation specification: documentation. (C) A parent, guardian, or other person acting inA covered entity must document the satisfactory loco parentis assents to an agreement ofassurances required by paragraph (e)(1) of this confidentiality between a covered health caresection through a written contract or other written provider and the minor with respect to such healthagreement or arrangement with the business associate care service.that meets the applicable requirements of (ii) Notwithstanding the provisions of paragraph§164.504(e). (g)(3)(i) of this section: (f) Standard: Deceased individuals. A covered (A) If, and to the extent, permitted or required byentity must comply with the requirements of this an applicable provision of State or other law,subpart with respect to the protected health including applicable case law, a covered entity mayinformation of a deceased individual. disclose, or provide access in accordance with (g)(1) Standard: Personal representatives. As §164.524 to, protected health information about anspecified in this paragraph, a covered entity must, unemancipated minor to a parent, guardian, or otherexcept as provided in paragraphs (g)(3) and (g)(5) of person acting in loco parentis;this section, treat a personal representative as the (B) If, and to the extent, prohibited by anindividual for purposes of this subchapter. applicable provision of State or other law, including (2) Implementation specification: adults and applicable case law, a covered entity may notemancipated minors. If under applicable law a person disclose, or provide access in accordance withhas authority to act on behalf of an individual who is §164.524 to, protected health information about anan adult or an emancipated minor in making decisions unemancipated minor to a parent, guardian, or otherrelated to health care, a covered entity must treat such person acting in loco parentis; andperson as a personal representative under this (C) Where the parent, guardian, or other personsubchapter, with respect to protected health acting in loco parentis, is not the personalinformation relevant to such personal representation. representative under paragraphs (g)(3)(i)(A), (B), or (3)(i) Implementation specification: (C) of this section and where there is no applicableunemancipated minors. If under applicable law a access provision under State or other law, includingparent, guardian, or other person acting in loco case law, a covered entity may provide or deny accessparentis has authority to act on behalf of an under §164.524 to a parent, guardian, or other personindividual who is an unemancipated minor in making acting in loco parentis, if such action is consistentdecisions related to health care, a covered entity must with State or other applicable law, provided that suchtreat such person as a personal representative under decision must be made by a licensed health carethis subchapter, with respect to protected health professional, in the exercise of professional judgment.information relevant to such personal representation, (4) Implementation specification: Deceasedexcept that such person may not be a personal individuals. If under applicable law an executor,representative of an unemancipated minor, and the administrator, or other person has authority to act onminor has the authority to act as an individual, with behalf of a deceased individual or of the individuals -49­
  • 67. HIPAA Administrative Simplification Regulation Text March 2006estate, a covered entity must treat such person as a (A) A health oversight agency or public healthpersonal representative under this subchapter, with authority authorized by law to investigate orrespect to protected health information relevant to otherwise oversee the relevant conduct or conditionssuch personal representation. of the covered entity or to an appropriate health care (5) Implementation specification: Abuse, neglect, accreditation organization for the purpose ofendangerment situations. Notwithstanding a State law reporting the allegation of failure to meet professionalor any requirement of this paragraph to the contrary, a standards or misconduct by the covered entity; orcovered entity may elect not to treat a person as the (B) An attorney retained by or on behalf of thepersonal representative of an individual if: workforce member or business associate for the (i) The covered entity has a reasonable belief that: purpose of determining the legal options of the (A) The individual has been or may be subjected workforce member or business associate with regardto domestic violence, abuse, or neglect by such to the conduct described in paragraph (j)(1)(i) of thisperson; or section. (B) Treating such person as the personal (2) Disclosures by workforce members who arerepresentative could endanger the individual; and victims of a crime. A covered entity is not considered (ii) The covered entity, in the exercise of to have violated the requirements of this subpart if aprofessional judgment, decides that it is not in the member of its workforce who is the victim of abest interest of the individual to treat the person as the criminal act discloses protected health information toindividuals personal representative. a law enforcement official, provided that: (h) Standard: Confidential communications. A (i) The protected health information disclosed iscovered health care provider or health plan must about the suspected perpetrator of the criminal act;comply with the applicable requirements of and§164.522(b) in communicating protected health (ii) The protected health information disclosed isinformation. limited to the information listed in §164.512(f)(2)(i). (i) Standard: Uses and disclosures consistent withnotice. A covered entity that is required by §164.520 [65 FR 82802, Dec. 28, 2000, as amended at 67 FRto have a notice may not use or disclose protected 53267, Aug. 14, 2002]health information in a manner inconsistent with suchnotice. A covered entity that is required by § 164.504 Uses and disclosures: Organizational§164.520(b)(1)(iii) to include a specific statement in requirements.its notice if it intends to engage in an activity listed in (a) Definitions. As used in this section:§164.520(b)(1)(iii)(A)–(C), may not use or disclose Plan administration functions meansprotected health information for such activities, administration functions performed by the planunless the required statement is included in the notice. sponsor of a group health plan on behalf of the group (j) Standard: Disclosures by whistleblowers and health plan and excludes functions performed by theworkforce member crime victims plan sponsor in connection with any other benefit or (1) Disclosures by whistleblowers. A covered benefit plan of the plan sponsor.entity is not considered to have violated the Summary health information means information,requirements of this subpart if a member of its that may be individually identifiable healthworkforce or a business associate discloses protected information, and:health information, provided that: (1) That summarizes the claims history, claims (i) The workforce member or business associate expenses, or type of claims experienced bybelieves in good faith that the covered entity has individuals for whom a plan sponsor has providedengaged in conduct that is unlawful or otherwise health benefits under a group health plan; andviolates professional or clinical standards, or that the (2) From which the information described atcare, services, or conditions provided by the covered §164.514(b)(2)(i) has been deleted, except that theentity potentially endangers one or more patients, geographic information described inworkers, or the public; and §164.514(b)(2)(i)(B) need only be aggregated to the (ii) The disclosure is to: level of a five digit zip code. -50­
  • 68. HIPAA Administrative Simplification Regulation Text March 2006 (b)–(d) [Removed and Reserved] contract of which it becomes aware; (D) Ensure that any agents, including a (e)(1) Standard: Business associate contracts. subcontractor, to whom it provides protected health (i) The contract or other arrangement between the information received from, or created or received bycovered entity and the business associate required by the business associate on behalf of, the covered entity§164.502(e)(2) must meet the requirements of agrees to the same restrictions and conditions thatparagraph (e)(2) or (e)(3) of this section, as apply to the business associate with respect to suchapplicable. information; (ii) A covered entity is not in compliance with the (E) Make available protected health informationstandards in §164.502(e) and paragraph (e) of this in accordance with §164.524;section, if the covered entity knew of a pattern of (F) Make available protected health informationactivity or practice of the business associate that for amendment and incorporate any amendments toconstituted a material breach or violation of the protected health information in accordance withbusiness associates obligation under the contract or §164.526;other arrangement, unless the covered entity took (G) Make available the information required toreasonable steps to cure the breach or end the provide an accounting of disclosures in accordanceviolation, as applicable, and, if such steps were with §164.528;unsuccessful: (H) Make its internal practices, books, and (A) Terminated the contract or arrangement, if records relating to the use and disclosure of protectedfeasible; or health information received from, or created or (B) If termination is not feasible, reported the received by the business associate on behalf of, theproblem to the Secretary. covered entity available to the Secretary for purposes (2) Implementation specifications: Business of determining the covered entitys compliance withassociate contracts. A contract between the covered this subpart; andentity and a business associate must: (I) At termination of the contract, if feasible, (i) Establish the permitted and required uses and return or destroy all protected health informationdisclosures of such information by the business received from, or created or received by the businessassociate. The contract may not authorize the associate on behalf of, the covered entity that thebusiness associate to use or further disclose the business associate still maintains in any form andinformation in a manner that would violate the retain no copies of such information or, if such returnrequirements of this subpart, if done by the covered or destruction is not feasible, extend the protectionsentity, except that: of the contract to the information and limit further (A) The contract may permit the business uses and disclosures to those purposes that make theassociate to use and disclose protected health return or destruction of the information infeasible.information for the proper management and (iii) Authorize termination of the contract by theadministration of the business associate, as provided covered entity, if the covered entity determines thatin paragraph (e)(4) of this section; and the business associate has violated a material term of (B) The contract may permit the business the contract.associate to provide data aggregation services relating (3) Implementation specifications: Otherto the health care operations of the covered entity. arrangements. (i) If a covered entity and its business (ii) Provide that the business associate will: associate are both governmental entities: (A) Not use or further disclose the information (A) The covered entity may comply withother than as permitted or required by the contract or paragraph (e) of this section by entering into aas required by law; memorandum of understanding with the business (B) Use appropriate safeguards to prevent use or associate that contains terms that accomplish thedisclosure of the information other than as provided objectives of paragraph (e)(2) of this section.for by its contract; (B) The covered entity may comply with (C) Report to the covered entity any use or paragraph (e) of this section, if other law (includingdisclosure of the information not provided for by its regulations adopted by the covered entity or its -51­
  • 69. HIPAA Administrative Simplification Regulation Text March 2006business associate) contains requirements applicable confidentiality of the information has been breached.to the business associate that accomplish the (f)(1) Standard: Requirements for group healthobjectives of paragraph (e)(2) of this section. plans. (ii) If a business associate is required by law to (i) Except as provided under paragraph (f)(1)(ii)perform a function or activity on behalf of a covered or (iii) of this section or as otherwise authorizedentity or to provide a service described in the under §164.508, a group health plan, in order todefinition of business associate in §160.103 of this disclose protected health information to the plansubchapter to a covered entity, such covered entity sponsor or to provide for or permit the disclosure ofmay disclose protected health information to the protected health information to the plan sponsor by abusiness associate to the extent necessary to comply health insurance issuer or HMO with respect to thewith the legal mandate without meeting the group health plan, must ensure that the planrequirements of this paragraph (e), provided that the documents restrict uses and disclosures of suchcovered entity attempts in good faith to obtain information by the plan sponsor consistent with thesatisfactory assurances as required by paragraph requirements of this subpart.(e)(3)(i) of this section, and, if such attempt fails, (ii) The group health plan, or a health insurancedocuments the attempt and the reasons that such issuer or HMO with respect to the group health plan,assurances cannot be obtained. may disclose summary health information to the plan (iii) The covered entity may omit from its other sponsor, if the plan sponsor requests the summaryarrangements the termination authorization required health information for the purpose of :by paragraph (e)(2)(iii) of this section, if such (A) Obtaining premium bids from health plans forauthorization is inconsistent with the statutory providing health insurance coverage under the groupobligations of the covered entity or its business health plan; orassociate. (B) Modifying, amending, or terminating the (4) Implementation specifications: Other group health plan.requirements for contracts and other arrangements. (iii) The group health plan, or a health insurance (i) The contract or other arrangement between the issuer or HMO with respect to the group health plan,covered entity and the business associate may permit may disclose to the plan sponsor information onthe business associate to use the information received whether the individual is participating in the groupby the business associate in its capacity as a business health plan, or is enrolled in or has disenrolled from aassociate to the covered entity, if necessary: health insurance issuer or HMO offered by the plan. (A) For the proper management and (2) Implementation specifications: Requirementsadministration of the business associate; or for plan documents. The plan documents of the group (B) To carry out the legal responsibilities of the health plan must be amended to incorporatebusiness associate. provisions to: (ii) The contract or other arrangement between the (i) Establish the permitted and required uses andcovered entity and the business associate may permit disclosures of such information by the plan sponsor,the business associate to disclose the information provided that such permitted and required uses andreceived by the business associate in its capacity as a disclosures may not be inconsistent with this subpart.business associate for the purposes described in (ii) Provide that the group health plan willparagraph (e)(4)(i) of this section, if: disclose protected health information to the plan (A) The disclosure is required by law; or sponsor only upon receipt of a certification by the (B)(1) The business associate obtains reasonable plan sponsor that the plan documents have beenassurances from the person to whom the information amended to incorporate the following provisions andis disclosed that it will be held confidentially and that the plan sponsor agrees to:used or further disclosed only as required by law or (A) Not use or further disclose the informationfor the purpose for which it was disclosed to the other than as permitted or required by the planperson; and documents or as required by law; (2) The person notifies the business associate of (B) Ensure that any agents, including aany instances of which it is aware in which the subcontractor, to whom it provides protected health -52­
  • 70. HIPAA Administrative Simplification Regulation Text March 2006information received from the group health plan agree (B) Restrict the access to and use by suchto the same restrictions and conditions that apply to employees and other persons described in paragraphthe plan sponsor with respect to such information; (f)(2)(iii)(A) of this section to the plan administration (C) Not use or disclose the information for functions that the plan sponsor performs for the groupemployment-related actions and decisions or in health plan; andconnection with any other benefit or employee benefit (C) Provide an effective mechanism for resolvingplan of the plan sponsor; any issues of noncompliance by persons described in (D) Report to the group health plan any use or paragraph (f)(2)(iii)(A) of this section with the plandisclosure of the information that is inconsistent with document provisions required by this paragraph.the uses or disclosures provided for of which it (3) Implementation specifications: Uses andbecomes aware; disclosures. A group health plan may: (E) Make available protected health information (i) Disclose protected health information to a planin accordance with §164.524; sponsor to carry out plan administration functions that (F) Make available protected health information the plan sponsor performs only consistent with thefor amendment and incorporate any amendments to provisions of paragraph (f)(2) of this section;protected health information in accordance with (ii) Not permit a health insurance issuer or HMO§164.526; with respect to the group health plan to disclose (G) Make available the information required to protected health information to the plan sponsorprovide an accounting of disclosures in accordance except as permitted by this paragraph;with §164.528; (iii) Not disclose and may not permit a health (H) Make its internal practices, books, and insurance issuer or HMO to disclose protected healthrecords relating to the use and disclosure of protected information to a plan sponsor as otherwise permittedhealth information received from the group health by this paragraph unless a statement required byplan available to the Secretary for purposes of §164.520(b)(1)(iii)(C) is included in the appropriatedetermining compliance by the group health plan with notice; andthis subpart; (iv) Not disclose protected health information to (I) If feasible, return or destroy all protected the plan sponsor for the purpose ofhealth information received from the group health employment-related actions or decisions or inplan that the sponsor still maintains in any form and connection with any other benefit or employee benefitretain no copies of such information when no longer plan of the plan sponsor.needed for the purpose for which disclosure was (g) Standard: Requirements for a covered entitymade, except that, if such return or destruction is not with multiple covered functions.feasible, limit further uses and disclosures to those (1) A covered entity that performs multiplepurposes that make the return or destruction of the covered functions that would make the entity anyinformation infeasible; and combination of a health plan, a covered health care (J) Ensure that the adequate separation required in provider, and a health care clearinghouse, mustparagraph (f)(2)(iii) of this section is established. comply with the standards, requirements, and (iii) Provide for adequate separation between the implementation specifications of this subpart, asgroup health plan and the plan sponsor. The plan applicable to the health plan, health care provider, ordocuments must: health care clearinghouse covered functions (A) Describe those employees or classes of performed.employees or other persons under the control of the (2) A covered entity that performs multipleplan sponsor to be given access to the protected covered functions may use or disclose the protectedhealth information to be disclosed, provided that any health information of individuals who receive theemployee or person who receives protected health covered entitys health plan or health care providerinformation relating to payment under, health care services, but not both, only for purposes related to theoperations of, or other matters pertaining to the group appropriate function being performed.health plan in the ordinary course of business must beincluded in such description; [65 FR 82802, Dec. 28, 2000, as amended at 67 FR -53­
  • 71. HIPAA Administrative Simplification Regulation Text March 200653267, Aug. 14, 2002; 68 FR 8381, Feb. 20, 2003] organized health care arrangement may disclose protected health information about an individual to§ 164.506 Uses and disclosures to carry out another covered entity that participates in thetreatment, payment, or health care operations. organized health care arrangement for any health care (a) Standard: Permitted uses and disclosures. operations activities of the organized health careExcept with respect to uses or disclosures that require arrangement.an authorization under §164.508(a)(2) and (3), acovered entity may use or disclose protected health [67 FR 53268, Aug. 14, 2002]information for treatment, payment, or health careoperations as set forth in paragraph (c) of this section, § 164.508 Uses and disclosures for which anprovided that such use or disclosure is consistent with authorization is required.other applicable requirements of this subpart. (a) Standard: Authorizations for uses and (b) Standard: Consent for uses and disclosures disclosurespermitted. (1) Authorization required: General rule. Except (1) A covered entity may obtain consent of the as otherwise permitted or required by this subchapter,individual to use or disclose protected health a covered entity may not use or disclose protectedinformation to carry out treatment, payment, or health health information without an authorization that iscare operations. valid under this section. When a covered entity (2) Consent, under paragraph (b) of this section, obtains or receives a valid authorization for its use orshall not be effective to permit a use or disclosure of disclosure of protected health information, such useprotected health information when an authorization, or disclosure must be consistent with suchunder §164.508, is required or when another authorization.condition must be met for such use or disclosure to be (2) Authorization required: Psychotherapy notes.permissible under this subpart. Notwithstanding any provision of this subpart, other (c) Implementation specifications: Treatment, than the transition provisions in §164.532, a coveredpayment, or health care operations. entity must obtain an authorization for any use or (1) A covered entity may use or disclose protected disclosure of psychotherapy notes, except:health information for its own treatment, payment, or (i) To carry out the following treatment, payment,health care operations. or health care operations: (2) A covered entity may disclose protected health (A) Use by the originator of the psychotherapyinformation for treatment activities of a health care notes for treatment;provider. (B) Use or disclosure by the covered entity for its (3) A covered entity may disclose protected health own training programs in which students, trainees, orinformation to another covered entity or a health care practitioners in mental health learn under supervisionprovider for the payment activities of the entity that to practice or improve their skills in group, joint,receives the information. family, or individual counseling; or (4) A covered entity may disclose protected health (C) Use or disclosure by the covered entity toinformation to another covered entity for health care defend itself in a legal action or other proceedingoperations activities of the entity that receives the brought by the individual; andinformation, if each entity either has or had a (ii) A use or disclosure that is required byrelationship with the individual who is the subject of §164.502(a)(2)(ii) or permitted by §164.512(a);the protected health information being requested, the §164.512(d) with respect to the oversight of theprotected health information pertains to such originator of the psychotherapy notes;relationship, and the disclosure is: §164.512(g)(1); or §164.512(j)(1)(i). (i) For a purpose listed in paragraph (1) or (2) of (3) Authorization required: Marketing.the definition of health care operations; or (i) Notwithstanding any provision of this subpart, (ii) For the purpose of health care fraud and abuse other than the transition provisions in §164.532, adetection or compliance. covered entity must obtain an authorization for any (5) A covered entity that participates in an use or disclosure of protected health information for -54­
  • 72. HIPAA Administrative Simplification Regulation Text March 2006marketing, except if the communication is in the form another authorization for a use or disclosure ofof: psychotherapy notes; (A) A face-to-face communication made by a (iii) An authorization under this section, othercovered entity to an individual; or than an authorization for a use or disclosure of (B) A promotional gift of nominal value provided psychotherapy notes, may be combined with anyby the covered entity. other such authorization under this section, except (ii) If the marketing involves direct or indirect when a covered entity has conditioned the provisionremuneration to the covered entity from a third party, of treatment, payment, enrollment in the health plan,the authorization must state that such remuneration is or eligibility for benefits under paragraph (b)(4) ofinvolved. this section on the provision of one of the (b) Implementation specifications: General authorizations.requirements (4) Prohibition on conditioning of authorizations. (1) Valid authorizations. A covered entity may not condition the provision to (i) A valid authorization is a document that meets an individual of treatment, payment, enrollment in thethe requirements in paragraphs (a)(3)(ii), (c)(1), and health plan, or eligibility for benefits on the provision(c)(2) of this section, as applicable. of an authorization, except: (ii) A valid authorization may contain elements or (i) A covered health care provider may conditioninformation in addition to the elements required by the provision of research-related treatment onthis section, provided that such additional elements or provision of an authorization for the use or disclosureinformation are not inconsistent with the elements of protected health information for such researchrequired by this section. under this section; (2) Defective authorizations. An authorization is (ii) A health plan may condition enrollment in thenot valid, if the document submitted has any of the health plan or eligibility for benefits on provision offollowing defects: an authorization requested by the health plan prior to (i) The expiration date has passed or the an individuals enrollment in the health plan, if:expiration event is known by the covered entity to (A) The authorization sought is for the healthhave occurred; plans eligibility or enrollment determinations relating (ii) The authorization has not been filled out to the individual or for its underwriting or risk ratingcompletely, with respect to an element described by determinations; andparagraph (c) of this section, if applicable; (B) The authorization is not for a use or (iii) The authorization is known by the covered disclosure of psychotherapy notes under paragraphentity to have been revoked; (a)(2) of this section; and (iv) The authorization violates paragraph (b)(3) or (iii) A covered entity may condition the provision(4) of this section, if applicable; of health care that is solely for the purpose of creating (v) Any material information in the authorization protected health information for disclosure to a thirdis known by the covered entity to be false. party on provision of an authorization for the (3) Compound authorizations. An authorization disclosure of the protected health information to suchfor use or disclosure of protected health information third party.may not be combined with any other document to (5) Revocation of authorizations. An individualcreate a compound authorization, except as follows: may revoke an authorization provided under this (i) An authorization for the use or disclosure of section at any time, provided that the revocation is inprotected health information for a research study may writing, except to the extent that:be combined with any other type of written (i) The covered entity has taken action in reliancepermission for the same research study, including thereon; oranother authorization for the use or disclosure of (ii) If the authorization was obtained as aprotected health information for such research or a condition of obtaining insurance coverage, other lawconsent to participate in such research; provides the insurer with the right to contest a claim (ii) An authorization for a use or disclosure of under the policy or the policy itself.psychotherapy notes may only be combined with (6) Documentation. A covered entity must -55­
  • 73. HIPAA Administrative Simplification Regulation Text March 2006document and retain any signed authorization under (ii) The ability or inability to condition treatment,this section as required by §164.530(j). payment, enrollment or eligibility for benefits on the (c) Implementation specifications: Core elements authorization, by stating either:and requirements. (A) The covered entity may not condition (1) Core elements. A valid authorization under treatment, payment, enrollment or eligibility forthis section must contain at least the following benefits on whether the individual signs theelements: authorization when the prohibition on conditioning of (i) A description of the information to be used or authorizations in paragraph (b)(4) of this sectiondisclosed that identifies the information in a specific applies; orand meaningful fashion. (B) The consequences to the individual of a (ii) The name or other specific identification of refusal to sign the authorization when, in accordancethe person(s), or class of persons, authorized to make with paragraph (b)(4) of this section, the coveredthe requested use or disclosure. entity can condition treatment, enrollment in the (iii) The name or other specific identification of health plan, or eligibility for benefits on failure tothe person(s), or class of persons, to whom the obtain such authorization.covered entity may make the requested use or (iii) The potential for information discloseddisclosure. pursuant to the authorization to be subject to (iv) A description of each purpose of the redisclosure by the recipient and no longer berequested use or disclosure. The statement “at the protected by this subpart.request of the individual” is a sufficient description of (3) Plain language requirement. Thethe purpose when an individual initiates the authorization must be written in plain language.authorization and does not, or elects not to, provide a (4) Copy to the individual. If a covered entitystatement of the purpose. seeks an authorization from an individual for a use or (v) An expiration date or an expiration event that disclosure of protected health information, therelates to the individual or the purpose of the use or covered entity must provide the individual with adisclosure. The statement “end of the research study,” copy of the signed authorization.“none,” or similar language is sufficient if theauthorization is for a use or disclosure of protected [67 FR 53268, Aug. 14, 2002]health information for research, including for thecreation and maintenance of a research database or § 164.510 Uses and disclosures requiring anresearch repository. opportunity for the individual to agree or to (vi) Signature of the individual and date. If the object.authorization is signed by a personal representative of A covered entity may use or disclose protected healththe individual, a description of such representatives information, provided that the individual is informedauthority to act for the individual must also be in advance of the use or disclosure and has theprovided. opportunity to agree to or prohibit or restrict the use (2) Required statements. In addition to the core or disclosure, in accordance with the applicableelements, the authorization must contain statements requirements of this section. The covered entity mayadequate to place the individual on notice of all of the orally inform the individual of and obtain thefollowing: individuals oral agreement or objection to a use or (i) The individuals right to revoke the disclosure permitted by this section.authorization in writing, and either: (a) Standard: Use and disclosure for facility (A) The exceptions to the right to revoke and a directories.description of how the individual may revoke the (1) Permitted uses and disclosure. Except whenauthorization; or an objection is expressed in accordance with (B) To the extent that the information in paragraphs (a)(2) or (3) of this section, a coveredparagraph (c)(2)(i)(A) of this section is included in health care provider may:the notice required by §164.520, a reference to the (i) Use the following protected health informationcovered entitys notice. to maintain a directory of individuals in its facility: -56­
  • 74. HIPAA Administrative Simplification Regulation Text March 2006 (A) The individuals name; by the individual, the protected health information (B) The individuals location in the covered health directly relevant to such persons involvement withcare providers facility; the individuals care or payment related to the (C) The individuals condition described in individuals health care.general terms that does not communicate specific (ii) A covered entity may use or disclose protectedmedical information about the individual; and health information to notify, or assist in the (D) The individuals religious affiliation; and notification of (including identifying or locating), a (ii) Disclose for directory purposes such family member, a personal representative of theinformation: individual, or another person responsible for the care (A) To members of the clergy; or of the individual of the individuals location, general (B) Except for religious affiliation, to other condition, or death. Any such use or disclosure ofpersons who ask for the individual by name. protected health information for such notification (2) Opportunity to object. A covered health care purposes must be in accordance with paragraphsprovider must inform an individual of the protected (b)(2), (3), or (4) of this section, as applicable.health information that it may include in a directory (2) Uses and disclosures with the individualand the persons to whom it may disclose such present. If the individual is present for, or otherwiseinformation (including disclosures to clergy of available prior to, a use or disclosure permitted byinformation regarding religious affiliation) and paragraph (b)(1) of this section and has the capacityprovide the individual with the opportunity to restrict to make health care decisions, the covered entity mayor prohibit some or all of the uses or disclosures use or disclose the protected health information if it:permitted by paragraph (a)(1) of this section. (i) Obtains the individuals agreement; (3) Emergency circumstances. (i) If the (ii) Provides the individual with the opportunity toopportunity to object to uses or disclosures required object to the disclosure, and the individual does notby paragraph (a)(2) of this section cannot practicably express an objection; orbe provided because of the individuals incapacity or (iii) Reasonably infers from the circumstances,an emergency treatment circumstance, a covered based the exercise of professional judgment, that thehealth care provider may use or disclose some or all individual does not object to the disclosure.of the protected health information permitted by (3) Limited uses and disclosures when theparagraph (a)(1) of this section for the facilitys individual is not present. If the individual is notdirectory, if such disclosure is: present, or the opportunity to agree or object to the (A) Consistent with a prior expressed preference use or disclosure cannot practicably be providedof the individual, if any, that is known to the covered because of the individuals incapacity or anhealth care provider; and emergency circumstance, the covered entity may, in (B) In the individuals best interest as determined the exercise of professional judgment, determineby the covered health care provider, in the exercise of whether the disclosure is in the best interests of theprofessional judgment. individual and, if so, disclose only the protected (ii) The covered health care provider must inform health information that is directly relevant to thethe individual and provide an opportunity to object to persons involvement with the individuals health care.uses or disclosures for directory purposes as required A covered entity may use professional judgment andby paragraph (a)(2) of this section when it becomes its experience with common practice to makepracticable to do so. reasonable inferences of the individuals best interest (b) Standard: Uses and disclosures for in allowing a person to act on behalf of the individualinvolvement in the individuals care and notification to pick up filled prescriptions, medical supplies,purposes. X-rays, or other similar forms of protected health (1) Permitted uses and disclosures. information. (i) A covered entity may, in accordance with (4) Use and disclosures for disaster reliefparagraphs (b)(2) or (3) of this section, disclose to a purposes. A covered entity may use or disclosefamily member, other relative, or a close personal protected health information to a public or privatefriend of the individual, or any other person identified entity authorized by law or by its charter to assist in -57­
  • 75. HIPAA Administrative Simplification Regulation Text March 2006disaster relief efforts, for the purpose of coordinating surveillance, public health investigations, and publicwith such entities the uses or disclosures permitted by health interventions; or, at the direction of a publicparagraph (b)(1)(ii) of this section. The requirements health authority, to an official of a foreignin paragraphs (b)(2) and (3) of this section apply to government agency that is acting in collaborationsuch uses and disclosure to the extent that the covered with a public health authority;entity, in the exercise of professional judgment, (ii) A public health authority or other appropriatedetermines that the requirements do not interfere with government authority authorized by law to receivethe ability to respond to the emergency reports of child abuse or neglect;circumstances. (iii) A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to[65 FR 82802, Dec. 28, 2000, as amended at 67 FR an FDA-regulated product or activity for which that53270, Aug. 14, 2002] person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such§ 164.512 Uses and disclosures for which an FDA-regulated product or activity. Such purposesauthorization or opportunity to agree or object is include:not required. (A) To collect or report adverse events (or similarA covered entity may use or disclose protected health activities with respect to food or dietaryinformation without the written authorization of the supplements), product defects or problems (includingindividual, as described in §164.508, or the problems with the use or labeling of a product), oropportunity for the individual to agree or object as biological product deviations;described in §164.510, in the situations covered by (B) To track FDA-regulated products;this section, subject to the applicable requirements of (C) To enable product recalls, repairs, orthis section. When the covered entity is required by replacement, or lookback (including locating andthis section to inform the individual of, or when the notifying individuals who have received products thatindividual may agree to, a use or disclosure permitted have been recalled, withdrawn, or are the subject ofby this section, the covered entitys information and lookback); orthe individuals agreement may be given orally. (D) To conduct post marketing surveillance; (a) Standard: Uses and disclosures required by (iv) A person who may have been exposed to alaw. communicable disease or may otherwise be at risk of (1) A covered entity may use or disclose protected contracting or spreading a disease or condition, if thehealth information to the extent that such use or covered entity or public health authority is authorizeddisclosure is required by law and the use or disclosure by law to notify such person as necessary in thecomplies with and is limited to the relevant conduct of a public health intervention orrequirements of such law. investigation; or (2) A covered entity must meet the requirements (v) An employer, about an individual who is adescribed in paragraph (c), (e), or (f) of this section member of the workforce of the employer, if:for uses or disclosures required by law. (A) The covered entity is a covered health care (b) Standard: uses and disclosures for public provider who is a member of the workforce of suchhealth activities employer or who provides health care to the (1) Permitted disclosures. A covered entity may individual at the request of the employer:disclose protected health information for the public (1) To conduct an evaluation relating to medicalhealth activities and purposes described in this surveillance of the workplace; orparagraph to: (2) To evaluate whether the individual has a (i) A public health authority that is authorized by work-related illness or injury;law to collect or receive such information for the (B) The protected health information that ispurpose of preventing or controlling disease, injury, disclosed consists of findings concerning aor disability, including, but not limited to, the work-related illness or injury or a workplace-relatedreporting of disease, injury, vital events such as birth medical surveillance;or death, and the conduct of public health (C) The employer needs such findings in order to -58­
  • 76. HIPAA Administrative Simplification Regulation Text March 2006comply with its obligations, under 29 CFR parts 1904 individual and that an immediate enforcement activitythrough 1928, 30 CFR parts 50 through 90, or under that depends upon the disclosure would be materiallystate law having a similar purpose, to record such and adversely affected by waiting until the individualillness or injury or to carry out responsibilities for is able to agree to the disclosure.workplace medical surveillance; and (2) Informing the individual. A covered entity that (D) The covered health care provider provides makes a disclosure permitted by paragraph (c)(1) ofwritten notice to the individual that protected health this section must promptly inform the individual thatinformation relating to the medical surveillance of the such a report has been or will be made, except if:workplace and work-related illnesses and injuries is (i) The covered entity, in the exercise ofdisclosed to the employer: professional judgment, believes informing the (1) By giving a copy of the notice to the individual would place the individual at risk ofindividual at the time the health care is provided; or serious harm; or (2) If the health care is provided on the work site (ii) The covered entity would be informing aof the employer, by posting the notice in a prominent personal representative, and the covered entityplace at the location where the health care is reasonably believes the personal representative isprovided. responsible for the abuse, neglect, or other injury, and (2) Permitted uses. If the covered entity also is a that informing such person would not be in the bestpublic health authority, the covered entity is interests of the individual as determined by thepermitted to use protected health information in all covered entity, in the exercise of professionalcases in which it is permitted to disclose such judgment.information for public health activities under (d) Standard: Uses and disclosures for healthparagraph (b)(1) of this section. oversight activities (c) Standard: Disclosures about victims of abuse, (1) Permitted disclosures. A covered entity mayneglect or domestic violence disclose protected health information to a health (1) Permitted disclosures. Except for reports of oversight agency for oversight activities authorizedchild abuse or neglect permitted by paragraph by law, including audits; civil, administrative, or(b)(1)(ii) of this section, a covered entity may criminal investigations; inspections; licensure ordisclose protected health information about an disciplinary actions; civil, administrative, or criminalindividual whom the covered entity reasonably proceedings or actions; or other activities necessarybelieves to be a victim of abuse, neglect, or domestic for appropriate oversight of:violence to a government authority, including a social (i) The health care system;service or protective services agency, authorized by (ii) Government benefit programs for whichlaw to receive reports of such abuse, neglect, or health information is relevant to beneficiarydomestic violence: eligibility; (i) To the extent the disclosure is required by law (iii) Entities subject to government regulatoryand the disclosure complies with and is limited to the programs for which health information is necessaryrelevant requirements of such law; for determining compliance with program standards; (ii) If the individual agrees to the disclosure; or or (iii) To the extent the disclosure is expressly (iv) Entities subject to civil rights laws for whichauthorized by statute or regulation and: health information is necessary for determining (A) The covered entity, in the exercise of compliance.professional judgment, believes the disclosure is (2) Exception to health oversight activities. Fornecessary to prevent serious harm to the individual or the purpose of the disclosures permitted by paragraphother potential victims; or (d)(1) of this section, a health oversight activity does (B) If the individual is unable to agree because of not include an investigation or other activity in whichincapacity, a law enforcement or other public official the individual is the subject of the investigation orauthorized to receive the report represents that the activity and such investigation or other activity doesprotected health information for which disclosure is not arise out of and is not directly related to:sought is not intended to be used against the (i) The receipt of health care; -59­
  • 77. HIPAA Administrative Simplification Regulation Text March 2006 (ii) A claim for public benefits related to health; (A) The party requesting such information hasor made a good faith attempt to provide written notice to (iii) Qualification for, or receipt of, public the individual (or, if the individuals location isbenefits or services when a patients health is integral unknown, to mail a notice to the individuals lastto the claim for public benefits or services. known address); (3) Joint activities or investigations. (B) The notice included sufficient informationNotwithstanding paragraph (d)(2) of this section, if a about the litigation or proceeding in which thehealth oversight activity or investigation is conducted protected health information is requested to permitin conjunction with an oversight activity or the individual to raise an objection to the court orinvestigation relating to a claim for public benefits administrative tribunal; andnot related to health, the joint activity or investigation (C) The time for the individual to raise objectionsis considered a health oversight activity for purposes to the court or administrative tribunal has elapsed,of paragraph (d) of this section. and: (4) Permitted uses. If a covered entity also is a (1) No objections were filed; orhealth oversight agency, the covered entity may use (2) All objections filed by the individual haveprotected health information for health oversight been resolved by the court or the administrativeactivities as permitted by paragraph (d) of this tribunal and the disclosures being sought aresection. consistent with such resolution. (e) Standard: Disclosures for judicial and (iv) For the purposes of paragraph (e)(1)(ii)(B) ofadministrative proceedings. this section, a covered entity receives satisfactory (1) Permitted disclosures. A covered entity may assurances from a party seeking protected healthdisclose protected health information in the course of information, if the covered entity receives from suchany judicial or administrative proceeding: party a written statement and accompanying (i) In response to an order of a court or documentation demonstrating that:administrative tribunal, provided that the covered (A) The parties to the dispute giving rise to theentity discloses only the protected health information request for information have agreed to a qualifiedexpressly authorized by such order; or protective order and have presented it to the court or (ii) In response to a subpoena, discovery request, administrative tribunal with jurisdiction over theor other lawful process, that is not accompanied by an dispute; ororder of a court or administrative tribunal, if: (B) The party seeking the protected health (A) The covered entity receives satisfactory information has requested a qualified protective orderassurance, as described in paragraph (e)(1)(iii) of this from such court or administrative tribunal.section, from the party seeking the information that (v) For purposes of paragraph (e)(1) of thisreasonable efforts have been made by such party to section, a qualified protective order means, withensure that the individual who is the subject of the respect to protected health information requestedprotected health information that has been requested under paragraph (e)(1)(ii) of this section, an order ofhas been given notice of the request; or a court or of an administrative tribunal or a (B) The covered entity receives satisfactory stipulation by the parties to the litigation orassurance, as described in paragraph (e)(1)(iv) of this administrative proceeding that:section, from the party seeking the information that (A) Prohibits the parties from using or disclosingreasonable efforts have been made by such party to the protected health information for any purposesecure a qualified protective order that meets the other than the litigation or proceeding for which suchrequirements of paragraph (e)(1)(v) of this section. information was requested; and (iii) For the purposes of paragraph (e)(1)(ii)(A) of (B) Requires the return to the covered entity orthis section, a covered entity receives satisfactory destruction of the protected health informationassurances from a party seeking protecting health (including all copies made) at the end of the litigationinformation if the covered entity receives from such or proceeding.party a written statement and accompanying (vi) Notwithstanding paragraph (e)(1)(ii) of thisdocumentation demonstrating that: section, a covered entity may disclose protected -60­
  • 78. HIPAA Administrative Simplification Regulation Text March 2006health information in response to lawful process enforcement officials request for such information fordescribed in paragraph (e)(1)(ii) of this section the purpose of identifying or locating a suspect,without receiving satisfactory assurance under fugitive, material witness, or missing person,paragraph (e)(1)(ii)(A) or (B) of this section, if the provided that:covered entity makes reasonable efforts to provide (i) The covered entity may disclose only thenotice to the individual sufficient to meet the following information:requirements of paragraph (e)(1)(iii) of this section or (A) Name and address;to seek a qualified protective order sufficient to meet (B) Date and place of birth;the requirements of paragraph (e)(1)(iv) of this (C) Social security number;section. (D) ABO blood type and rh factor; (2) Other uses and disclosures under this section. (E) Type of injury;The provisions of this paragraph do not supersede (F) Date and time of treatment;other provisions of this section that otherwise permit (G) Date and time of death, if applicable; andor restrict uses or disclosures of protected health (H) A description of distinguishing physicalinformation. characteristics, including height, weight, gender, race, (f) Standard: Disclosures for law enforcement hair and eye color, presence or absence of facial hairpurposes. A covered entity may disclose protected (beard or moustache), scars, and tattoos.health information for a law enforcement purpose to a (ii) Except as permitted by paragraph (f)(2)(i) oflaw enforcement official if the conditions in this section, the covered entity may not disclose forparagraphs (f)(1) through (f)(6) of this section are the purposes of identification or location undermet, as applicable. paragraph (f)(2) of this section any protected health (1) Permitted disclosures: Pursuant to process information related to the individuals DNA or DNAand as otherwise required by law. A covered entity analysis, dental records, or typing, samples ormay disclose protected health information: analysis of body fluids or tissue. (i) As required by law including laws that require (3) Permitted disclosure: Victims of a crime.the reporting of certain types of wounds or other Except for disclosures required by law as permittedphysical injuries, except for laws subject to paragraph by paragraph (f)(1) of this section, a covered entity(b)(1)(ii) or (c)(1)(i) of this section; or may disclose protected health information in response (ii) In compliance with and as limited by the to a law enforcement officials request for suchrelevant requirements of: information about an individual who is or is (A) A court order or court-ordered warrant, or a suspected to be a victim of a crime, other thansubpoena or summons issued by a judicial officer; disclosures that are subject to paragraph (b) or (c) of (B) A grand jury subpoena; or this section, if: (C) An administrative request, including an (i) The individual agrees to the disclosure; oradministrative subpoena or summons, a civil or an (ii) The covered entity is unable to obtain theauthorized investigative demand, or similar process individuals agreement because of incapacity or otherauthorized under law, provided that: emergency circumstance, provided that: (1) The information sought is relevant and (A) The law enforcement official represents thatmaterial to a legitimate law enforcement inquiry; such information is needed to determine whether a (2) The request is specific and limited in scope to violation of law by a person other than the victim hasthe extent reasonably practicable in light of the occurred, and such information is not intended to bepurpose for which the information is sought; and used against the victim; (3) De-identified information could not (B) The law enforcement official represents thatreasonably be used. immediate law enforcement activity that depends (2) Permitted disclosures: Limited information for upon the disclosure would be materially andidentification and location purposes. Except for adversely affected by waiting until the individual isdisclosures required by law as permitted by paragraph able to agree to the disclosure; and(f)(1) of this section, a covered entity may disclose (C) The disclosure is in the best interests of theprotected health information in response to a law individual as determined by the covered entity, in the -61­
  • 79. HIPAA Administrative Simplification Regulation Text March 2006exercise of professional judgment. directors, consistent with applicable law, as necessary (4) Permitted disclosure: Decedents. A covered to carry out their duties with respect to the decedent.entity may disclose protected health information If necessary for funeral directors to carry out theirabout an individual who has died to a law duties, the covered entity may disclose the protectedenforcement official for the purpose of alerting law health information prior to, and in reasonableenforcement of the death of the individual if the anticipation of, the individuals death.covered entity has a suspicion that such death may (h) Standard: Uses and disclosures for cadaverichave resulted from criminal conduct. organ, eye or tissue donation purposes. A covered (5) Permitted disclosure: Crime on premises. A entity may use or disclose protected healthcovered entity may disclose to a law enforcement information to organ procurement organizations orofficial protected health information that the covered other entities engaged in the procurement, banking, orentity believes in good faith constitutes evidence of transplantation of cadaveric organs, eyes, or tissue forcriminal conduct that occurred on the premises of the the purpose of facilitating organ, eye or tissuecovered entity. donation and transplantation. (6) Permitted disclosure: Reporting crime in (i) Standard: Uses and disclosures for researchemergencies. purposes. (i) A covered health care provider providing (1) Permitted uses and disclosures. A coveredemergency health care in response to a medical entity may use or disclose protected healthemergency, other than such emergency on the information for research, regardless of the source ofpremises of the covered health care provider, may funding of the research, provided that:disclose protected health information to a law (i) Board approval of a waiver of authorization.enforcement official if such disclosure appears The covered entity obtains documentation that annecessary to alert law enforcement to: alteration to or waiver, in whole or in part, of the (A) The commission and nature of a crime; individual authorization required by §164.508 for use (B) The location of such crime or of the victim(s) or disclosure of protected health information has beenof such crime; and approved by either: (C) The identity, description, and location of the (A) An Institutional Review Board (IRB),perpetrator of such crime. established in accordance with 7 CFR lc.107, 10 CFR (ii) If a covered health care provider believes that 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFRthe medical emergency described in paragraph 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR(f)(6)(i) of this section is the result of abuse, neglect, 60.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFRor domestic violence of the individual in need of 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFRemergency health care, paragraph (f)(6)(i) of this 46.107, 45 CFR 690.107, or 49 CFR 11.107; orsection does not apply and any disclosure to a law (B) A privacy board that:enforcement official for law enforcement purposes is (1) Has members with varying backgrounds andsubject to paragraph (c) of this section. appropriate professional competency as necessary to (g) Standard: Uses and disclosures about review the effect of the research protocol on thedecedents. individuals privacy rights and related interests; (1) Coroners and medical examiners. A covered (2) Includes at least one member who is notentity may disclose protected health information to a affiliated with the covered entity, not affiliated withcoroner or medical examiner for the purpose of any entity conducting or sponsoring the research, andidentifying a deceased person, determining a cause of not related to any person who is affiliated with any ofdeath, or other duties as authorized by law. A covered such entities; andentity that also performs the duties of a coroner or (3) Does not have any member participating in amedical examiner may use protected health review of any project in which the member has ainformation for the purposes described in this conflict of interest.paragraph. (ii) Reviews preparatory to research. The covered (2) Funeral directors. A covered entity may entity obtains from the researcher representationsdisclose protected health information to funeral that: -62­
  • 80. HIPAA Administrative Simplification Regulation Text March 2006 (A) Use or disclosure is sought solely to review protected health information would be permitted byprotected health information as necessary to prepare a this subpart;research protocol or for similar purposes preparatory (B) The research could not practicably beto research; conducted without the waiver or alteration; and (B) No protected health information is to be (C) The research could not practicably beremoved from the covered entity by the researcher in conducted without access to and use of the protectedthe course of the review; and health information. (C) The protected health information for which (iii) Protected health information needed. A briefuse or access is sought is necessary for the research description of the protected health information forpurposes. which use or access has been determined to be (iii) Research on decedents information. The necessary by the IRB or privacy board hascovered entity obtains from the researcher: determined, pursuant to paragraph (i)(2)(ii)(C) of this (A) Representation that the use or disclosure section;sought is solely for research on the protected health (iv) Review and approval procedures. Ainformation of decedents; statement that the alteration or waiver of (B) Documentation, at the request of the covered authorization has been reviewed and approved underentity, of the death of such individuals; and either normal or expedited review procedures, as (C) Representation that the protected health follows:information for which use or disclosure is sought is (A) An IRB must follow the requirements of thenecessary for the research purposes. Common Rule, including the normal review (2) Documentation of waiver approval. For a use procedures (7 CFR 1c.108(b), 10 CFR 745.108(b), 14or disclosure to be permitted based on documentation CFR 1230.108(b), 15 CFR 27.108(b), 16 CFRof approval of an alteration or waiver, under 1028.108(b), 21 CFR 56.108(b), 22 CFR 225.108(b),paragraph (i)(1)(i) of this section, the documentation 24 CFR 60.108(b), 28 CFR 46.108(b), 32 CFRmust include all of the following: 219.108(b), 34 CFR 97.108(b), 38 CFR 16.108(b), (i) Identification and date of action. A statement 40 CFR 26.108(b), 45 CFR 46.108(b), 45 CFRidentifying the IRB or privacy board and the date on 690.108(b), or 49 CFR 11.108(b)) or the expeditedwhich the alteration or waiver of authorization was review procedures (7 CFR 1c.110, 10 CFR 745.110,approved; 14 CFR 1230.110, 15 CFR 27.110, 16 CFR (ii) Waiver criteria. A statement that the IRB or 1028.110, 21 CFR 56.110, 22 CFR 225.110, 24 CFRprivacy board has determined that the alteration or 60.110, 28 CFR 46.110, 32 CFR 219.110, 34 CFRwaiver, in whole or in part, of authorization satisfies 97.110, 38 CFR 16.110, 40 CFR 26.110, 45 CFRthe following criteria: 46.110, 45 CFR 690.110, or 49 CFR 11.110); (A) The use or disclosure of protected health (B) A privacy board must review the proposedinformation involves no more than a minimal risk to research at convened meetings at which a majority ofthe privacy of individuals, based on, at least, the the privacy board members are present, including atpresence of the following elements; least one member who satisfies the criterion stated in (1) An adequate plan to protect the identifiers paragraph (i)(1)(i)(B)(2) of this section, and thefrom improper use and disclosure; alteration or waiver of authorization must be (2) An adequate plan to destroy the identifiers at approved by the majority of the privacy boardthe earliest opportunity consistent with conduct of the members present at the meeting, unless the privacyresearch, unless there is a health or research board elects to use an expedited review procedure injustification for retaining the identifiers or such accordance with paragraph (i)(2)(iv)(C) of thisretention is otherwise required by law; and section; (3) Adequate written assurances that the protected (C) A privacy board may use an expedited reviewhealth information will not be reused or disclosed to procedure if the research involves no more thanany other person or entity, except as required by law, minimal risk to the privacy of the individuals who arefor authorized oversight of the research study, or for the subject of the protected health information forother research for which the use or disclosure of which use or disclosure is being sought. If the privacy -63­
  • 81. HIPAA Administrative Simplification Regulation Text March 2006board elects to use an expedited review procedure, protected health information described in paragraphthe review and approval of the alteration or waiver of (f)(2)(i) of this section.authorization may be carried out by the chair of the (4) Presumption of good faith belief. A coveredprivacy board, or by one or more members of the entity that uses or discloses protected healthprivacy board as designated by the chair; and information pursuant to paragraph (j)(1) of this (v) Required signature. The documentation of the section is presumed to have acted in good faith withalteration or waiver of authorization must be signed regard to a belief described in paragraph (j)(1)(i) orby the chair or other member, as designated by the (ii) of this section, if the belief is based upon thechair, of the IRB or the privacy board, as applicable. covered entitys actual knowledge or in reliance on a (j) Standard: Uses and disclosures to avert a credible representation by a person with apparentserious threat to health or safety. knowledge or authority. (1) Permitted disclosures. A covered entity may, (k) Standard: Uses and disclosures forconsistent with applicable law and standards of specialized government functionsethical conduct, use or disclose protected health (1) Military and veterans activities.information, if the covered entity, in good faith, (i) Armed Forces personnel. A covered entity maybelieves the use or disclosure: use and disclose the protected health information of (i)(A) Is necessary to prevent or lessen a serious individuals who are Armed Forces personnel forand imminent threat to the health or safety of a person activities deemed necessary by appropriate militaryor the public; and command authorities to assure the proper execution (B) Is to a person or persons reasonably able to of the military mission, if the appropriate militaryprevent or lessen the threat, including the target of the authority has published by notice in the Federalthreat; or Register the following information: (ii) Is necessary for law enforcement authorities to (A) Appropriate military command authorities;identify or apprehend an individual: and (A) Because of a statement by an individual (B) The purposes for which the protected healthadmitting participation in a violent crime that the information may be used or disclosed.covered entity reasonably believes may have caused (ii) Separation or discharge from military service.serious physical harm to the victim; or A covered entity that is a component of the (B) Where it appears from all the circumstances Departments of Defense or Transportation maythat the individual has escaped from a correctional disclose to the Department of Veterans Affairsinstitution or from lawful custody, as those terms are (DVA) the protected health information of andefined in §164.501. individual who is a member of the Armed Forces (2) Use or disclosure not permitted. A use or upon the separation or discharge of the individualdisclosure pursuant to paragraph (j)(1)(ii)(A) of this from military service for the purpose of asection may not be made if the information described determination by DVA of the individuals eligibilityin paragraph (j)(1)(ii)(A) of this section is learned by for or entitlement to benefits under laws administeredthe covered entity: by the Secretary of Veterans Affairs. (i) In the course of treatment to affect the (iii) Veterans. A covered entity that is apropensity to commit the criminal conduct that is the component of the Department of Veterans Affairsbasis for the disclosure under paragraph (j)(1)(ii)(A) may use and disclose protected health information toof this section, or counseling or therapy; or components of the Department that determine (ii) Through a request by the individual to initiate eligibility for or entitlement to, or that provide,or to be referred for the treatment, counseling, or benefits under the laws administered by the Secretarytherapy described in paragraph (j)(2)(i) of this of Veterans Affairs.section. (iv) Foreign military personnel. A covered entity (3) Limit on information that may be disclosed. A may use and disclose the protected health informationdisclosure made pursuant to paragraph (j)(1)(ii)(A) of of individuals who are foreign military personnel tothis section shall contain only the statement described their appropriate foreign military authority for thein paragraph (j)(1)(ii)(A) of this section and the same purposes for which uses and disclosures are -64­
  • 82. HIPAA Administrative Simplification Regulation Text March 2006permitted for Armed Forces personnel under the (B) The health and safety of such individual ornotice published in the Federal Register pursuant to other inmates;paragraph (k)(1)(i) of this section. (C) The health and safety of the officers or (2) National security and intelligence activities. A employees of or others at the correctional institution;covered entity may disclose protected health (D) The health and safety of such individuals andinformation to authorized federal officials for the officers or other persons responsible for theconduct of lawful intelligence, counter-intelligence, transporting of inmates or their transfer from oneand other national security activities authorized by the institution, facility, or setting to another;National Security Act (50 U.S.C. 401, et seq.) and (E) Law enforcement on the premises of theimplementing authority (e.g., Executive Order correctional institution; and12333). (F) The administration and maintenance of the (3) Protective services for the President and safety, security, and good order of the correctionalothers. A covered entity may disclose protected institution.health information to authorized federal officials for (ii) Permitted uses. A covered entity that is athe provision of protective services to the President or correctional institution may use protected healthother persons authorized by 18 U.S.C. 3056, or to information of individuals who are inmates for anyforeign heads of state or other persons authorized by purpose for which such protected health information22 U.S.C. 2709(a)(3), or to for the conduct of may be disclosed.investigations authorized by 18 U.S.C. 871 and 879. (iii) No application after release. For the (4) Medical suitability determinations. A covered purposes of this provision, an individual is no longerentity that is a component of the Department of State an inmate when released on parole, probation,may use protected health information to make supervised release, or otherwise is no longer in lawfulmedical suitability determinations and may disclose custody.whether or not the individual was determined to be (6) Covered entities that are governmentmedically suitable to the officials in the Department programs providing public benefits.of State who need access to such information for the (i) A health plan that is a government programfollowing purposes: providing public benefits may disclose protected (i) For the purpose of a required security health information relating to eligibility for orclearance conducted pursuant to Executive Orders enrollment in the health plan to another agency10450 and 12698; administering a government program providing (ii) As necessary to determine worldwide public benefits if the sharing of eligibility oravailability or availability for mandatory service enrollment information among such governmentabroad under sections 101(a)(4) and 504 of the agencies or the maintenance of such information in aForeign Service Act; or single or combined data system accessible to all such (iii) For a family to accompany a Foreign Service government agencies is required or expresslymember abroad, consistent with section 101(b)(5) and authorized by statute or regulation.904 of the Foreign Service Act. (ii) A covered entity that is a government agency (5) Correctional institutions and other law administering a government program providingenforcement custodial situations. public benefits may disclose protected health (i) Permitted disclosures. A covered entity may information relating to the program to anotherdisclose to a correctional institution or a law covered entity that is a government agencyenforcement official having lawful custody of an administering a government program providinginmate or other individual protected health public benefits if the programs serve the same orinformation about such inmate or individual, if the similar populations and the disclosure of protectedcorrectional institution or such law enforcement health information is necessary to coordinate theofficial represents that such protected health covered functions of such programs or to improveinformation is necessary for: administration and management relating to the (A) The provision of health care to such covered functions of such programs.individuals; -65­
  • 83. HIPAA Administrative Simplification Regulation Text March 2006 (l) Standard: Disclosures for workers more than 20,000 people; andcompensation. A covered entity may disclose (2) The initial three digits of a zip code for allprotected health information as authorized by and to such geographic units containing 20,000 or fewerthe extent necessary to comply with laws relating to people is changed to 000.workers compensation or other similar programs, (C) All elements of dates (except year) for datesestablished by law, that provide benefits for directly related to an individual, including birth date,work-related injuries or illness without regard to admission date, discharge date, date of death; and allfault. ages over 89 and all elements of dates (including year) indicative of such age, except that such ages[65 FR 82802, Dec. 28, 2000, as amended at 67 FR and elements may be aggregated into a single53270, Aug. 14, 2002] category of age 90 or older; (D) Telephone numbers;§ 164.514 Other requirements relating to uses (E) Fax numbers;and disclosures of protected health information. (F) Electronic mail addresses; (a) Standard: De-identification of protected (G) Social security numbers;health information. Health information that does not (H) Medical record numbers;identify an individual and with respect to which there (I) Health plan beneficiary numbers;is no reasonable basis to believe that the information (J) Account numbers;can be used to identify an individual is not (K) Certificate/license numbers;individually identifiable health information. (L) Vehicle identifiers and serial numbers, (b) Implementation specifications: Requirements including license plate numbers;for de-identification of protected health information. (M) Device identifiers and serial numbers;A covered entity may determine that health (N) Web Universal Resource Locators (URLs);information is not individually identifiable health (O) Internet Protocol (IP) address numbers;information only if: (P) Biometric identifiers, including finger and (1) A person with appropriate knowledge of and voice prints;experience with generally accepted statistical and (Q) Full face photographic images and anyscientific principles and methods for rendering comparable images; andinformation not individually identifiable: (R) Any other unique identifying number, (i) Applying such principles and methods, characteristic, or code, except as permitted bydetermines that the risk is very small that the paragraph (c) of this section; andinformation could be used, alone or in combination (ii) The covered entity does not have actualwith other reasonably available information, by an knowledge that the information could be used aloneanticipated recipient to identify an individual who is a or in combination with other information to identifysubject of the information; and an individual who is a subject of the information. (ii) Documents the methods and results of the (c) Implementation specifications:analysis that justify such determination; or Re-identification. A covered entity may assign a code (2)(i) The following identifiers of the individual or other means of record identification to allowor of relatives, employers, or household members of information de-identified under this section to bethe individual, are removed: re-identified by the covered entity, provided that: (A) Names; (1) Derivation. The code or other means of record (B) All geographic subdivisions smaller than a identification is not derived from or related toState, including street address, city, county, precinct, information about the individual and is not otherwisezip code, and their equivalent geocodes, except for capable of being translated so as to identify thethe initial three digits of a zip code if, according to individual; andthe current publicly available data from the Bureau of (2) Security. The covered entity does not use orthe Census: disclose the code or other means of record (1) The geographic unit formed by combining all identification for any other purpose, and does notzip codes with the same three initial digits contains disclose the mechanism for re-identification. -66­
  • 84. HIPAA Administrative Simplification Regulation Text March 2006 (d)(1) Standard: Minimum necessary (C) The information is requested by a professionalrequirements. In order to comply with §164.502(b) who is a member of its workforce or is a businessand this section, a covered entity must meet the associate of the covered entity for the purpose ofrequirements of paragraphs (d)(2) through (d)(5) of providing professional services to the covered entity,this section with respect to a request for, or the use if the professional represents that the informationand disclosure of, protected health information. requested is the minimum necessary for the stated (2) Implementation specifications: Minimum purpose(s); ornecessary uses of protected health information. (D) Documentation or representations that comply (i) A covered entity must identify: with the applicable requirements of §164.512(i) have (A) Those persons or classes of persons, as been provided by a person requesting the informationappropriate, in its workforce who need access to for research purposes.protected health information to carry out their duties; (4) Implementation specifications: Minimumand necessary requests for protected health information. (B) For each such person or class of persons, the (i) A covered entity must limit any request forcategory or categories of protected health information protected health information to that which isto which access is needed and any conditions reasonably necessary to accomplish the purpose forappropriate to such access. which the request is made, when requesting such (ii) A covered entity must make reasonable efforts information from other covered entities.to limit the access of such persons or classes (ii) For a request that is made on a routine andidentified in paragraph (d)(2)(i)(A) of this section to recurring basis, a covered entity must implementprotected health information consistent with policies and procedures (which may be standardparagraph (d)(2)(i)(B) of this section. protocols) that limit the protected health information (3) Implementation specification: Minimum requested to the amount reasonably necessary tonecessary disclosures of protected health accomplish the purpose for which the request isinformation. made. (i) For any type of disclosure that it makes on a (iii) For all other requests, a covered entity must:routine and recurring basis, a covered entity must (A) Develop criteria designed to limit the requestimplement policies and procedures (which may be for protected health information to the informationstandard protocols) that limit the protected health reasonably necessary to accomplish the purpose forinformation disclosed to the amount reasonably which the request is made; andnecessary to achieve the purpose of the disclosure. (B) Review requests for disclosure on an (ii) For all other disclosures, a covered entity individual basis in accordance with such criteria.must: (5) Implementation specification: Other content (A) Develop criteria designed to limit the requirement. For all uses, disclosures, or requests toprotected health information disclosed to the which the requirements in paragraph (d) of thisinformation reasonably necessary to accomplish the section apply, a covered entity may not use, disclosepurpose for which disclosure is sought; and or request an entire medical record, except when the (B) Review requests for disclosure on an entire medical record is specifically justified as theindividual basis in accordance with such criteria. amount that is reasonably necessary to accomplish the (iii) A covered entity may rely, if such reliance is purpose of the use, disclosure, or request.reasonable under the circumstances, on a requested (e)(1) Standard: Limited data set. A covereddisclosure as the minimum necessary for the stated entity may use or disclose a limited data set thatpurpose when: meets the requirements of paragraphs (e)(2) and (A) Making disclosures to public officials that are (e)(3) of this section, if the covered entity enters intopermitted under §164.512, if the public official a data use agreement with the limited data setrepresents that the information requested is the recipient, in accordance with paragraph (e)(4) of thisminimum necessary for the stated purpose(s); section. (B) The information is requested by another (2) Implementation specification: Limited datacovered entity; set. A limited data set is protected health information -67­
  • 85. HIPAA Administrative Simplification Regulation Text March 2006that excludes the following direct identifiers of the of such information by the limited data set recipient,individual or of relatives, employers, or household consistent with paragraph (e)(3) of this section. Themembers of the individual: data use agreement may not authorize the limited data (i) Names; set recipient to use or further disclose the information (ii) Postal address information, other than town or in a manner that would violate the requirements ofcity, State, and zip code; this subpart, if done by the covered entity; (iii) Telephone numbers; (B) Establish who is permitted to use or receive (iv) Fax numbers; the limited data set; and (v) Electronic mail addresses; (C) Provide that the limited data set recipient will: (vi) Social security numbers; (1) Not use or further disclose the information (vii) Medical record numbers; other than as permitted by the data use agreement or (viii) Health plan beneficiary numbers; as otherwise required by law; (ix) Account numbers; (2) Use appropriate safeguards to prevent use or (x) Certificate/license numbers; disclosure of the information other than as provided (xi) Vehicle identifiers and serial numbers, for by the data use agreement;including license plate numbers; (3) Report to the covered entity any use or (xii) Device identifiers and serial numbers; disclosure of the information not provided for by its (xiii) Web Universal Resource Locators (URLs); data use agreement of which it becomes aware; (xiv) Internet Protocol (IP) address numbers; (4) Ensure that any agents, including a (xv) Biometric identifiers, including finger and subcontractor, to whom it provides the limited datavoice prints; and set agrees to the same restrictions and conditions that (xvi) Full face photographic images and any apply to the limited data set recipient with respect tocomparable images. such information; and (3) Implementation specification: Permitted (5) Not identify the information or contact thepurposes for uses and disclosures. individuals. (i) A covered entity may use or disclose a limited (iii) Compliance.data set under paragraph (e)(1) of this section only for (A) A covered entity is not in compliance with thethe purposes of research, public health, or health care standards in paragraph (e) of this section if theoperations. covered entity knew of a pattern of activity or (ii) A covered entity may use protected health practice of the limited data set recipient thatinformation to create a limited data set that meets the constituted a material breach or violation of the datarequirements of paragraph (e)(2) of this section, or use agreement, unless the covered entity tookdisclose protected health information only to a reasonable steps to cure the breach or end thebusiness associate for such purpose, whether or not violation, as applicable, and, if such steps werethe limited data set is to be used by the covered unsuccessful:entity. (1) Discontinued disclosure of protected health (4) Implementation specifications: Data use information to the recipient; andagreement. (2) Reported the problem to the Secretary. (i) Agreement required. A covered entity may use (B) A covered entity that is a limited data setor disclose a limited data set under paragraph (e)(1) recipient and violates a data use agreement will be inof this section only if the covered entity obtains noncompliance with the standards, implementationsatisfactory assurance, in the form of a data use specifications, and requirements of paragraph (e) ofagreement that meets the requirements of this section, this section.that the limited data set recipient will only use or (f)(1) Standard: Uses and disclosures fordisclose the protected health information for limited fundraising. A covered entity may use, or disclose topurposes. a business associate or to an institutionally related (ii) Contents. A data use agreement between the foundation, the following protected healthcovered entity and the limited data set recipient must: information for the purpose of raising funds for its (A) Establish the permitted uses and disclosures own benefit, without an authorization meeting the -68­
  • 86. HIPAA Administrative Simplification Regulation Text March 2006requirements of §164.508: conditioned by this subpart on particular (i) Demographic information relating to an documentation, statements, or representations fromindividual; and the person requesting the protected health (ii) Dates of health care provided to an individual. information, a covered entity may rely, if such (2) Implementation specifications: Fundraising reliance is reasonable under the circumstances, onrequirements. documentation, statements, or representations that, on (i) The covered entity may not use or disclose their face, meet the applicable requirements.protected health information for fundraising purposes (A) The conditions in §164.512(f)(1)(ii)(C) mayas otherwise permitted by paragraph (f)(1) of this be satisfied by the administrative subpoena or similarsection unless a statement required by process or by a separate written statement that, on its§164.520(b)(1)(iii)(B) is included in the covered face, demonstrates that the applicable requirementsentitys notice; have been met. (ii) The covered entity must include in any (B) The documentation required byfundraising materials it sends to an individual under §164.512(i)(2) may be satisfied by one or morethis paragraph a description of how the individual written statements, provided that each is appropriatelymay opt out of receiving any further fundraising dated and signed in accordance with §164.512(i)(2)(i)communications. and (v). (iii) The covered entity must make reasonable (ii) Identity of public officials. A covered entityefforts to ensure that individuals who decide to opt may rely, if such reliance is reasonable under theout of receiving future fundraising communications circumstances, on any of the following to verifyare not sent such communications. identity when the disclosure of protected health (g) Standard: Uses and disclosures for information is to a public official or a person actingunderwriting and related purposes. If a health plan on behalf of the public official:receives protected heath information for the purpose (A) If the request is made in person, presentationof underwriting, premium rating, or other activities of an agency identification badge, other officialrelating to the creation, renewal, or replacement of a credentials, or other proof of government status;contract of health insurance or health benefits, and if (B) If the request is in writing, the request is onsuch health insurance or health benefits are not placed the appropriate government letterhead; orwith the health plan, such health plan may not use or (C) If the disclosure is to a person acting ondisclose such protected health information for any behalf of a public official, a written statement onother purpose, except as may be required by law. appropriate government letterhead that the person is (h)(1) Standard: Verification requirements. Prior acting under the governments authority or otherto any disclosure permitted by this subpart, a covered evidence or documentation of agency, such as aentity must: contract for services, memorandum of understanding, (i) Except with respect to disclosures under or purchase order, that establishes that the person is§164.510, verify the identity of a person requesting acting on behalf of the public official.protected health information and the authority of any (iii) Authority of public officials. A covered entitysuch person to have access to protected health may rely, if such reliance is reasonable under theinformation under this subpart, if the identity or any circumstances, on any of the following to verifysuch authority of such person is not known to the authority when the disclosure of protected healthcovered entity; and information is to a public official or a person acting (ii) Obtain any documentation, statements, or on behalf of the public official:representations, whether oral or written, from the (A) A written statement of the legal authorityperson requesting the protected health information under which the information is requested, or, if awhen such documentation, statement, or written statement would be impracticable, an oralrepresentation is a condition of the disclosure under statement of such legal authority;this subpart. (B) If a request is made pursuant to legal process, (2) Implementation specifications: Verification. warrant, subpoena, order, or other legal process (i) Conditions on disclosures. If a disclosure is issued by a grand jury or a judicial or administrative -69­
  • 87. HIPAA Administrative Simplification Regulation Text March 2006tribunal is presumed to constitute legal authority. health insurance issuer or HMO, and does not create (iv) Exercise of professional judgment. The or receive protected health information other thanverification requirements of this paragraph are met if summary health information as defined inthe covered entity relies on the exercise of §164.504(a) or information on whether an individualprofessional judgment in making a use or disclosure is participating in the group health plan, or is enrolledin accordance with §164.510 or acts on a good faith in or has disenrolled from a health insurance issuer orbelief in making a disclosure in accordance with HMO offered by the plan, is not required to maintain§164.512(j). or provide a notice under this section. (3) Exception for inmates. An inmate does not[65 FR 82802, Dec. 28, 2000, as amended at 67 FR have a right to notice under this section, and the53270, Aug. 14, 2002] requirements of this section do not apply to a correctional institution that is a covered entity.§ 164.520 Notice of privacy practices for (b) Implementation specifications: Content ofprotected health information. notice. (a) Standard: notice of privacy practices. (1) Required elements. The covered entity must (1) Right to notice. Except as provided by provide a notice that is written in plain language andparagraph (a)(2) or (3) of this section, an individual that contains the elements required by this paragraph.has a right to adequate notice of the uses and (i) Header. The notice must contain the followingdisclosures of protected health information that may statement as a header or otherwise prominentlybe made by the covered entity, and of the individuals displayed: “THIS NOTICE DESCRIBES HOWrights and the covered entitys legal duties with MEDICAL INFORMATION ABOUT YOU MAYrespect to protected health information. BE USED AND DISCLOSED AND HOW YOU (2) Exception for group health plans. CAN GET ACCESS TO THIS INFORMATION. (i) An individual enrolled in a group health plan PLEASE REVIEW IT CAREFULLY.”has a right to notice: (ii) Uses and disclosures. The notice must (A) From the group health plan, if, and to the contain:extent that, such an individual does not receive health (A) A description, including at least one example,benefits under the group health plan through an of the types of uses and disclosures that the coveredinsurance contract with a health insurance issuer or entity is permitted by this subpart to make for each ofHMO; or the following purposes: treatment, payment, and (B) From the health insurance issuer or HMO health care operations.with respect to the group health plan through which (B) A description of each of the other purposessuch individuals receive their health benefits under for which the covered entity is permitted or requiredthe group health plan. by this subpart to use or disclose protected health (ii) A group health plan that provides health information without the individuals writtenbenefits solely through an insurance contract with a authorization.health insurance issuer or HMO, and that creates or (C) If a use or disclosure for any purposereceives protected health information in addition to described in paragraphs (b)(1)(ii)(A) or (B) of thissummary health information as defined in section is prohibited or materially limited by other§164.504(a) or information on whether the individual applicable law, the description of such use oris participating in the group health plan, or is enrolled disclosure must reflect the more stringent law asin or has disenrolled from a health insurance issuer or defined in §160.202 of this subchapter.HMO offered by the plan, must: (D) For each purpose described in paragraph (A) Maintain a notice under this section; and (b)(1)(ii)(A) or (B) of this section, the description (B) Provide such notice upon request to any must include sufficient detail to place the individualperson. The provisions of paragraph (c)(1) of this on notice of the uses and disclosures that aresection do not apply to such group health plan. permitted or required by this subpart and other (iii) A group health plan that provides health applicable law.benefits solely through an insurance contract with a (E) A statement that other uses and disclosures -70­
  • 88. HIPAA Administrative Simplification Regulation Text March 2006will be made only with the individuals written its legal duties and privacy practices with respect toauthorization and that the individual may revoke such protected health information;authorization as provided by §164.508(b)(5). (B) A statement that the covered entity is required (iii) Separate statements for certain uses or to abide by the terms of the notice currently in effect;disclosures. If the covered entity intends to engage in andany of the following activities, the description (C) For the covered entity to apply a change in arequired by paragraph (b)(1)(ii)(A) of this section privacy practice that is described in the notice tomust include a separate statement, as applicable, that: protected health information that the covered entity (A) The covered entity may contact the individual created or received prior to issuing a revised notice,to provide appointment reminders or information in accordance with §164.530(i)(2)(ii), a statementabout treatment alternatives or other health-related that it reserves the right to change the terms of itsbenefits and services that may be of interest to the notice and to make the new notice provisionsindividual; effective for all protected health information that it (B) The covered entity may contact the individual maintains. The statement must also describe how itto raise funds for the covered entity; or will provide individuals with a revised notice. (C) A group health plan, or a health insurance (vi) Complaints. The notice must contain aissuer or HMO with respect to a group health plan, statement that individuals may complain to themay disclose protected health information to the covered entity and to the Secretary if they believesponsor of the plan. their privacy rights have been violated, a brief (iv) Individual rights. The notice must contain a description of how the individual may file astatement of the individuals rights with respect to complaint with the covered entity, and a statementprotected health information and a brief description that the individual will not be retaliated against forof how the individual may exercise these rights, as filing a complaint.follows: (vii) Contact. The notice must contain the name, (A) The right to request restrictions on certain or title, and telephone number of a person or office touses and disclosures of protected health information contact for further information as required byas provided by §164.522(a), including a statement §164.530(a)(1)(ii).that the covered entity is not required to agree to a (viii) Effective date. The notice must contain therequested restriction; date on which the notice is first in effect, which may (B) The right to receive confidential not be earlier than the date on which the notice iscommunications of protected health information as printed or otherwise published.provided by §164.522(b), as applicable; (2) Optional elements. (C) The right to inspect and copy protected health (i) In addition to the information required byinformation as provided by §164.524; paragraph (b)(1) of this section, if a covered entity (D) The right to amend protected health elects to limit the uses or disclosures that it isinformation as provided by §164.526; permitted to make under this subpart, the covered (E) The right to receive an accounting of entity may describe its more limited uses ordisclosures of protected health information as disclosures in its notice, provided that the coveredprovided by §164.528; and entity may not include in its notice a limitation (F) The right of an individual, including an affecting its right to make a use or disclosure that isindividual who has agreed to receive the notice required by law or permitted by §164.512(j)(1)(i).electronically in accordance with paragraph (c)(3) of (ii) For the covered entity to apply a change in itsthis section, to obtain a paper copy of the notice from more limited uses and disclosures to protected healththe covered entity upon request. information created or received prior to issuing a (v) Covered entitys duties. The notice must revised notice, in accordance with §164.530(i)(2)(ii),contain: the notice must include the statements required by (A) A statement that the covered entity is required paragraph (b)(1)(v)(C) of this section.by law to maintain the privacy of protected health (3) Revisions to the notice. The covered entityinformation and to provide individuals with notice of must promptly revise and distribute its notice -71­
  • 89. HIPAA Administrative Simplification Regulation Text March 2006whenever there is a material change to the uses or and if not obtained, document its good faith efforts todisclosures, the individuals rights, the covered obtain such acknowledgment and the reason why theentitys legal duties, or other privacy practices stated acknowledgment was not obtained;in the notice. Except when required by law, a material (iii) If the covered health care provider maintainschange to any term of the notice may not be a physical service delivery site:implemented prior to the effective date of the notice (A) Have the notice available at the servicein which such material change is reflected. delivery site for individuals to request to take with (c) Implementation specifications: Provision of them; andnotice. A covered entity must make the notice (B) Post the notice in a clear and prominentrequired by this section available on request to any location where it is reasonable to expect individualsperson and to individuals as specified in paragraphs seeking service from the covered health care provider(c)(1) through (c)(3) of this section, as applicable. to be able to read the notice; and (1) Specific requirements for health plans. (iv) Whenever the notice is revised, make the (i) A health plan must provide notice: notice available upon request on or after the effective (A) No later than the compliance date for the date of the revision and promptly comply with thehealth plan, to individuals then covered by the plan; requirements of paragraph (c)(2)(iii) of this section, if (B) Thereafter, at the time of enrollment, to applicable.individuals who are new enrollees; and (3) Specific requirements for electronic notice. (C) Within 60 days of a material revision to the (i) A covered entity that maintains a web site thatnotice, to individuals then covered by the plan. provides information about the covered entitys (ii) No less frequently than once every three years, customer services or benefits must prominently postthe health plan must notify individuals then covered its notice on the web site and make the noticeby the plan of the availability of the notice and how to available electronically through the web site.obtain the notice. (ii) A covered entity may provide the notice (iii) The health plan satisfies the requirements of required by this section to an individual by e-mail, ifparagraph (c)(1) of this section if notice is provided the individual agrees to electronic notice and suchto the named insured of a policy under which agreement has not been withdrawn. If the coveredcoverage is provided to the named insured and one or entity knows that the e-mail transmission has failed, amore dependents. paper copy of the notice must be provided to the (iv) If a health plan has more than one notice, it individual. Provision of electronic notice by thesatisfies the requirements of paragraph (c)(1) of this covered entity will satisfy the provision requirementssection by providing the notice that is relevant to the of paragraph (c) of this section when timely made inindividual or other person requesting the notice. accordance with paragraph (c)(1) or (2) of this (2) Specific requirements for certain covered section.health care providers. A covered health care provider (iii) For purposes of paragraph (c)(2)(i) of thisthat has a direct treatment relationship with an section, if the first service delivery to an individual isindividual must: delivered electronically, the covered health care (i) Provide the notice: provider must provide electronic notice automatically (A) No later than the date of the first service and contemporaneously in response to the individualsdelivery, including service delivered electronically, to first request for service. The requirements insuch individual after the compliance date for the paragraph (c)(2)(ii) of this section apply to electroniccovered health care provider; or notice. (B) In an emergency treatment situation, as soon (iv) The individual who is the recipient ofas reasonably practicable after the emergency electronic notice retains the right to obtain a papertreatment situation. copy of the notice from a covered entity upon request. (ii) Except in an emergency treatment situation, (d) Implementation specifications: Joint notice bymake a good faith effort to obtain a written separate covered entities. Covered entities thatacknowledgment of receipt of the notice provided in participate in organized health care arrangements mayaccordance with paragraph (c)(2)(i) of this section, comply with this section by a joint notice, provided -72­
  • 90. HIPAA Administrative Simplification Regulation Text March 2006that: restriction of uses and disclosures. (1) The covered entities participating in the (i) A covered entity must permit an individual toorganized health care arrangement agree to abide by request that the covered entity restrict:the terms of the notice with respect to protected (A) Uses or disclosures of protected healthhealth information created or received by the covered information about the individual to carry outentity as part of its participation in the organized treatment, payment, or health care operations; andhealth care arrangement; (B) Disclosures permitted under §164.510(b). (2) The joint notice meets the implementation (ii) A covered entity is not required to agree to aspecifications in paragraph (b) of this section, except restriction.that the statements required by this section may be (iii) A covered entity that agrees to a restrictionaltered to reflect the fact that the notice covers more under paragraph (a)(1)(i) of this section may not usethan one covered entity; and or disclose protected health information in violation (i) Describes with reasonable specificity the of such restriction, except that, if the individual whocovered entities, or class of entities, to which the joint requested the restriction is in need of emergencynotice applies; treatment and the restricted protected health (ii) Describes with reasonable specificity the information is needed to provide the emergencyservice delivery sites, or classes of service delivery treatment, the covered entity may use the restrictedsites, to which the joint notice applies; and protected health information, or may disclose such (iii) If applicable, states that the covered entities information to a health care provider, to provide suchparticipating in the organized health care arrangement treatment to the individual.will share protected health information with each (iv) If restricted protected health information isother, as necessary to carry out treatment, payment, or disclosed to a health care provider for emergencyhealth care operations relating to the organized health treatment under paragraph (a)(1)(iii) of this section,care arrangement. the covered entity must request that such health care (3) The covered entities included in the joint provider not further use or disclose the information.notice must provide the notice to individuals in (v) A restriction agreed to by a covered entityaccordance with the applicable implementation under paragraph (a) of this section, is not effectivespecifications of paragraph (c) of this section. under this subpart to prevent uses or disclosuresProvision of the joint notice to an individual by any permitted or required under §§164.502(a)(2)(ii),one of the covered entities included in the joint notice 164.510(a) or 164.512.will satisfy the provision requirement of paragraph (c) (2) Implementation specifications: Terminating aof this section with respect to all others covered by restriction. A covered entity may terminate itsthe joint notice. agreement to a restriction, if : (e) Implementation specifications: (i) The individual agrees to or requests theDocumentation. A covered entity must document termination in writing;compliance with the notice requirements, as required (ii) The individual orally agrees to the terminationby §164.530(j), by retaining copies of the notices and the oral agreement is documented; orissued by the covered entity and, if applicable, any (iii) The covered entity informs the individual thatwritten acknowledgments of receipt of the notice or it is terminating its agreement to a restriction, exceptdocumentation of good faith efforts to obtain such that such termination is only effective with respect towritten acknowledgment, in accordance with protected health information created or received afterparagraph (c)(2)(ii) of this section. it has so informed the individual. (3) Implementation specification: Documentation.[65 FR 82802, Dec. 28, 2000, as amended at 67 FR A covered entity that agrees to a restriction must53271, Aug. 14, 2002] document the restriction in accordance with §164.530(j).§ 164.522 Rights to request privacy protection (b)(1) Standard: Confidential communicationsfor protected health information. requirements. (a)(1) Standard: Right of an individual to request (i) A covered health care provider must permit -73­
  • 91. HIPAA Administrative Simplification Regulation Text March 2006individuals to request and must accommodate (ii) Information compiled in reasonablereasonable requests by individuals to receive anticipation of, or for use in, a civil, criminal, orcommunications of protected health information from administrative action or proceeding; andthe covered health care provider by alternative means (iii) Protected health information maintained by aor at alternative locations. covered entity that is: (ii) A health plan must permit individuals to (A) Subject to the Clinical Laboratoryrequest and must accommodate reasonable requests Improvements Amendments of 1988, 42 U.S.C. 263a,by individuals to receive communications of to the extent the provision of access to the individualprotected health information from the health plan by would be prohibited by law; oralternative means or at alternative locations, if the (B) Exempt from the Clinical Laboratoryindividual clearly states that the disclosure of all or Improvements Amendments of 1988, pursuant to 42part of that information could endanger the CFR 493.3(a)(2).individual. (2) Unreviewable grounds for denial. A covered (2) Implementation specifications: Conditions on entity may deny an individual access withoutproviding confidential communications. providing the individual an opportunity for review, in (i) A covered entity may require the individual to the following circumstances.make a request for a confidential communication (i) The protected health information is excepteddescribed in paragraph (b)(1) of this section in from the right of access by paragraph (a)(1) of thiswriting. section. (ii) A covered entity may condition the provision (ii) A covered entity that is a correctionalof a reasonable accommodation on: institution or a covered health care provider acting (A) When appropriate, information as to how under the direction of the correctional institution maypayment, if any, will be handled; and deny, in whole or in part, an inmates request to (B) Specification of an alternative address or obtain a copy of protected health information, ifother method of contact. obtaining such copy would jeopardize the health, (iii) A covered health care provider may not safety, security, custody, or rehabilitation of therequire an explanation from the individual as to the individual or of other inmates, or the safety of anybasis for the request as a condition of providing officer, employee, or other person at the correctionalcommunications on a confidential basis. institution or responsible for the transporting of the (iv) A health plan may require that a request inmate.contain a statement that disclosure of all or part of the (iii) An individuals access to protected healthinformation to which the request pertains could information created or obtained by a covered healthendanger the individual. care provider in the course of research that includes treatment may be temporarily suspended for as long[65 FR 82802, Dec. 28, 2000, as amended at 67 FR as the research is in progress, provided that the53271, Aug. 14, 2002] individual has agreed to the denial of access when consenting to participate in the research that includes§ 164.524 Access of individuals to protected treatment, and the covered health care provider hashealth information. informed the individual that the right of access will be (a) Standard: Access to protected health reinstated upon completion of the research.information. (iv) An individuals access to protected health (1) Right of access. Except as otherwise provided information that is contained in records that arein paragraph (a)(2) or (a)(3) of this section, an subject to the Privacy Act, 5 U.S.C. 552a, may beindividual has a right of access to inspect and obtain a denied, if the denial of access under the Privacy Actcopy of protected health information about the would meet the requirements of that law.individual in a designated record set, for as long as (v) An individuals access may be denied if thethe protected health information is maintained in the protected health information was obtained fromdesignated record set, except for: someone other than a health care provider under a (i) Psychotherapy notes; promise of confidentiality and the access requested -74­
  • 92. HIPAA Administrative Simplification Regulation Text March 2006would be reasonably likely to reveal the source of the for access no later than 30 days after receipt of theinformation. request as follows. (3) Reviewable grounds for denial. A covered (A) If the covered entity grants the request, inentity may deny an individual access, provided that whole or in part, it must inform the individual of thethe individual is given a right to have such denials acceptance of the request and provide the accessreviewed, as required by paragraph (a)(4) of this requested, in accordance with paragraph (c) of thissection, in the following circumstances: section. (i) A licensed health care professional has (B) If the covered entity denies the request, indetermined, in the exercise of professional judgment, whole or in part, it must provide the individual with athat the access requested is reasonably likely to written denial, in accordance with paragraph (d) ofendanger the life or physical safety of the individual this section.or another person; (ii) If the request for access is for protected health (ii) The protected health information makes information that is not maintained or accessible to thereference to another person (unless such other person covered entity on-site, the covered entity must take anis a health care provider) and a licensed health care action required by paragraph (b)(2)(i) of this sectionprofessional has determined, in the exercise of by no later than 60 days from the receipt of such aprofessional judgment, that the access requested is request.reasonably likely to cause substantial harm to such (iii) If the covered entity is unable to take another person; or action required by paragraph (b)(2)(i)(A) or (B) of (iii) The request for access is made by the this section within the time required by paragraphindividuals personal representative and a licensed (b)(2)(i) or (ii) of this section, as applicable, thehealth care professional has determined, in the covered entity may extend the time for such actionsexercise of professional judgment, that the provision by no more than 30 days, provided that:of access to such personal representative is (A) The covered entity, within the time limit setreasonably likely to cause substantial harm to the by paragraph (b)(2)(i) or (ii) of this section, asindividual or another person. applicable, provides the individual with a written (4) Review of a denial of access. If access is statement of the reasons for the delay and the date bydenied on a ground permitted under paragraph (a)(3) which the covered entity will complete its action onof this section, the individual has the right to have the the request; anddenial reviewed by a licensed health care professional (B) The covered entity may have only one suchwho is designated by the covered entity to act as a extension of time for action on a request for access.reviewing official and who did not participate in the (c) Implementation specifications: Provision oforiginal decision to deny. The covered entity must access. If the covered entity provides an individualprovide or deny access in accordance with the with access, in whole or in part, to protected healthdetermination of the reviewing official under information, the covered entity must comply with theparagraph (d)(4) of this section. following requirements. (b) Implementation specifications: Requests for (1) Providing the access requested. The coveredaccess and timely action. entity must provide the access requested by (1) Individuals request for access. The covered individuals, including inspection or obtaining a copy,entity must permit an individual to request access to or both, of the protected health information aboutinspect or to obtain a copy of the protected health them in designated record sets. If the same protectedinformation about the individual that is maintained in health information that is the subject of a request fora designated record set. The covered entity may access is maintained in more than one designatedrequire individuals to make requests for access in record set or at more than one location, the coveredwriting, provided that it informs individuals of such a entity need only produce the protected healthrequirement. information once in response to a request for access. (2) Timely action by the covered entity. (2) Form of access requested. (i) Except as provided in paragraph (b)(2)(ii) of (i) The covered entity must provide the individualthis section, the covered entity must act on a request with access to the protected health information in the -75­
  • 93. HIPAA Administrative Simplification Regulation Text March 2006form or format requested by the individual, if it is individual access to any other protected healthreadily producible in such form or format; or, if not, information requested, after excluding the protectedin a readable hard copy form or such other form or health information as to which the covered entity hasformat as agreed to by the covered entity and the a ground to deny access.individual. (2) Denial. The covered entity must provide a (ii) The covered entity may provide the individual timely, written denial to the individual, in accordancewith a summary of the protected health information with paragraph (b)(2) of this section. The denial mustrequested, in lieu of providing access to the protected be in plain language and contain:health information or may provide an explanation of (i) The basis for the denial;the protected health information to which access has (ii) If applicable, a statement of the individualsbeen provided, if: review rights under paragraph (a)(4) of this section, (A) The individual agrees in advance to such a including a description of how the individual maysummary or explanation; and exercise such review rights; and (B) The individual agrees in advance to the fees (iii) A description of how the individual mayimposed, if any, by the covered entity for such complain to the covered entity pursuant to thesummary or explanation. complaint procedures in §164.530(d) or to the (3) Time and manner of access. The covered Secretary pursuant to the procedures in §160.306.entity must provide the access as requested by the The description must include the name, or title, andindividual in a timely manner as required by telephone number of the contact person or officeparagraph (b)(2) of this section, including arranging designated in §164.530(a)(1)(ii).with the individual for a convenient time and place to (3) Other responsibility. If the covered entity doesinspect or obtain a copy of the protected health not maintain the protected health information that isinformation, or mailing the copy of the protected the subject of the individuals request for access, andhealth information at the individuals request. The the covered entity knows where the requestedcovered entity may discuss the scope, format, and information is maintained, the covered entity mustother aspects of the request for access with the inform the individual where to direct the request forindividual as necessary to facilitate the timely access.provision of access. (4) Review of denial requested. If the individual (4) Fees. If the individual requests a copy of the has requested a review of a denial under paragraphprotected health information or agrees to a summary (a)(4) of this section, the covered entity mustor explanation of such information, the covered entity designate a licensed health care professional, whomay impose a reasonable, cost-based fee, provided was not directly involved in the denial to review thethat the fee includes only the cost of: decision to deny access. The covered entity must (i) Copying, including the cost of supplies for and promptly refer a request for review to such designatedlabor of copying, the protected health information reviewing official. The designated reviewing officialrequested by the individual; must determine, within a reasonable period of time, (ii) Postage, when the individual has requested the whether or not to deny the access requested based oncopy, or the summary or explanation, be mailed; and the standards in paragraph (a)(3) of this section. The (iii) Preparing an explanation or summary of the covered entity must promptly provide written noticeprotected health information, if agreed to by the to the individual of the determination of theindividual as required by paragraph (c)(2)(ii) of this designated reviewing official and take other action assection. required by this section to carry out the designated (d) Implementation specifications: Denial of reviewing officials determination.access. If the covered entity denies access, in whole (e) Implementation specification: Documentation.or in part, to protected health information, the A covered entity must document the following andcovered entity must comply with the following retain the documentation as required by §164.530(j):requirements. (1) The designated record sets that are subject to (1) Making other information accessible. The access by individuals; andcovered entity must, to the extent possible, give the (2) The titles of the persons or offices responsible -76­
  • 94. HIPAA Administrative Simplification Regulation Text March 2006for receiving and processing requests for access by amendment within the time required by paragraphindividuals. (b)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days,§ 164.526 Amendment of protected health provided that:information. (A) The covered entity, within the time limit set (a) Standard: Right to amend. by paragraph (b)(2)(i) of this section, provides the (1) Right to amend. An individual has the right to individual with a written statement of the reasons forhave a covered entity amend protected health the delay and the date by which the covered entityinformation or a record about the individual in a will complete its action on the request; anddesignated record set for as long as the protected (B) The covered entity may have only one suchhealth information is maintained in the designated extension of time for action on a request for anrecord set. amendment. (2) Denial of amendment. A covered entity may (c) Implementation specifications: Accepting thedeny an individuals request for amendment, if it amendment. If the covered entity accepts thedetermines that the protected health information or requested amendment, in whole or in part, therecord that is the subject of the request: covered entity must comply with the following (i) Was not created by the covered entity, unless requirements.the individual provides a reasonable basis to believe (1) Making the amendment. The covered entitythat the originator of protected health information is must make the appropriate amendment to theno longer available to act on the requested protected health information or record that is theamendment; subject of the request for amendment by, at a (ii) Is not part of the designated record set; minimum, identifying the records in the designated (iii) Would not be available for inspection under record set that are affected by the amendment and§164.524; or appending or otherwise providing a link to the (iv) Is accurate and complete. location of the amendment. (b) Implementation specifications: Requests for (2) Informing the individual. In accordance withamendment and timely action. paragraph (b) of this section, the covered entity must (1) Individuals request for amendment. The timely inform the individual that the amendment iscovered entity must permit an individual to request accepted and obtain the individuals identification ofthat the covered entity amend the protected health and agreement to have the covered entity notify theinformation maintained in the designated record set. relevant persons with which the amendment needs toThe covered entity may require individuals to make be shared in accordance with paragraph (c)(3) of thisrequests for amendment in writing and to provide a section.reason to support a requested amendment, provided (3) Informing others. The covered entity mustthat it informs individuals in advance of such make reasonable efforts to inform and provide therequirements. amendment within a reasonable time to: (2) Timely action by the covered entity. (i) Persons identified by the individual as having (i) The covered entity must act on the individuals received protected health information about therequest for an amendment no later than 60 days after individual and needing the amendment; andreceipt of such a request, as follows. (ii) Persons, including business associates, that the (A) If the covered entity grants the requested covered entity knows have the protected healthamendment, in whole or in part, it must take the information that is the subject of the amendment andactions required by paragraphs (c)(1) and (2) of this that may have relied, or could foreseeably rely, onsection. such information to the detriment of the individual. (B) If the covered entity denies the requested (d) Implementation specifications: Denying theamendment, in whole or in part, it must provide the amendment. If the covered entity denies the requestedindividual with a written denial, in accordance with amendment, in whole or in part, the covered entityparagraph (d)(1) of this section. must comply with the following requirements. (ii) If the covered entity is unable to act on the (1) Denial. The covered entity must provide the -77­
  • 95. HIPAA Administrative Simplification Regulation Text March 2006individual with a timely, written denial, in accordance the covered entity, an accurate summary of any suchwith paragraph (b)(2) of this section. The denial must information, with any subsequent disclosure of theuse plain language and contain: protected health information to which the (i) The basis for the denial, in accordance with disagreement relates.paragraph (a)(2) of this section; (ii) If the individual has not submitted a written (ii) The individuals right to submit a written statement of disagreement, the covered entity muststatement disagreeing with the denial and how the include the individuals request for amendment and itsindividual may file such a statement; denial, or an accurate summary of such information, (iii) A statement that, if the individual does not with any subsequent disclosure of the protected healthsubmit a statement of disagreement, the individual information only if the individual has requested suchmay request that the covered entity provide the action in accordance with paragraph (d)(1)(iii) of thisindividuals request for amendment and the denial section.with any future disclosures of the protected health (iii) When a subsequent disclosure described ininformation that is the subject of the amendment; and paragraph (d)(5)(i) or (ii) of this section is made (iv) A description of how the individual may using a standard transaction under part 162 of thiscomplain to the covered entity pursuant to the subchapter that does not permit the additionalcomplaint procedures established in §164.530(d) or material to be included with the disclosure, theto the Secretary pursuant to the procedures covered entity may separately transmit the materialestablished in §160.306. The description must include required by paragraph (d)(5)(i) or (ii) of this section,the name, or title, and telephone number of the as applicable, to the recipient of the standardcontact person or office designated in transaction.§164.530(a)(1)(ii). (e) Implementation specification: Actions on (2) Statement of disagreement. The covered entity notices of amendment. A covered entity that ismust permit the individual to submit to the covered informed by another covered entity of an amendmententity a written statement disagreeing with the denial to an individuals protected health information, inof all or part of a requested amendment and the basis accordance with paragraph (c)(3) of this section, mustof such disagreement. The covered entity may amend the protected health information in designatedreasonably limit the length of a statement of record sets as provided by paragraph (c)(1) of thisdisagreement. section. (3) Rebuttal statement. The covered entity may (f) Implementation specification: Documentation.prepare a written rebuttal to the individuals statement A covered entity must document the titles of theof disagreement. Whenever such a rebuttal is persons or offices responsible for receiving andprepared, the covered entity must provide a copy to processing requests for amendments by individualsthe individual who submitted the statement of and retain the documentation as required bydisagreement. §164.530(j). (4) Recordkeeping. The covered entity must, asappropriate, identify the record or protected health § 164.528 Accounting of disclosures of protectedinformation in the designated record set that is the health information.subject of the disputed amendment and append or (a) Standard: Right to an accounting ofotherwise link the individuals request for an disclosures of protected health information.amendment, the covered entitys denial of the request, (1) An individual has a right to receive anthe individuals statement of disagreement, if any, and accounting of disclosures of protected healththe covered entitys rebuttal, if any, to the designated information made by a covered entity in the six yearsrecord set. prior to the date on which the accounting is requested, (5) Future disclosures. except for disclosures: (i) If a statement of disagreement has been (i) To carry out treatment, payment and healthsubmitted by the individual, the covered entity must care operations as provided in §164.506;include the material appended in accordance with (ii) To individuals of protected health informationparagraph (d)(4) of this section, or, at the election of about them as provided in §164.502; -78­
  • 96. HIPAA Administrative Simplification Regulation Text March 2006 (iii) Incident to a use or disclosure otherwise occurred during the six years (or such shorter timepermitted or required by this subpart, as provided in period at the request of the individual as provided in§164.502; paragraph (a)(3) of this section) prior to the date of (iv) Pursuant to an authorization as provided in the request for an accounting, including disclosures to§164.508; or by business associates of the covered entity. (v) For the facilitys directory or to persons (2) Except as otherwise provided by paragraphsinvolved in the individuals care or other notification (b)(3) or (b)(4) of this section, the accounting mustpurposes as provided in §164.510; include for each disclosure: (vi) For national security or intelligence purposes (i) The date of the disclosure;as provided in §164.512(k)(2); (ii) The name of the entity or person who received (vii) To correctional institutions or law the protected health information and, if known, theenforcement officials as provided in §164.512(k)(5); address of such entity or person; (viii) As part of a limited data set in accordance (iii) A brief description of the protected healthwith §164.514(e); or information disclosed; and (ix) That occurred prior to the compliance date for (iv) A brief statement of the purpose of thethe covered entity. disclosure that reasonably informs the individual of (2)(i) The covered entity must temporarily the basis for the disclosure or, in lieu of suchsuspend an individuals right to receive an accounting statement, a copy of a written request for a disclosureof disclosures to a health oversight agency or law under §§164.502(a)(2)(ii) or 164.512, if any.enforcement official, as provided in §164.512(d) or (3) If, during the period covered by the(f), respectively, for the time specified by such accounting, the covered entity has made multipleagency or official, if such agency or official provides disclosures of protected health information to thethe covered entity with a written statement that such same person or entity for a single purpose underan accounting to the individual would be reasonably §§164.502(a)(2)(ii) or 164.512, the accounting may,likely to impede the agencys activities and specifying with respect to such multiple disclosures, provide:the time for which such a suspension is required. (i) The information required by paragraph (b)(2) (ii) If the agency or official statement in of this section for the first disclosure during theparagraph (a)(2)(i) of this section is made orally, the accounting period;covered entity must: (ii) The frequency, periodicity, or number of the (A) Document the statement, including the disclosures made during the accounting period; andidentity of the agency or official making the (iii) The date of the last such disclosure during thestatement; accounting period. (B) Temporarily suspend the individuals right to (4)(i) If, during the period covered by thean accounting of disclosures subject to the statement; accounting, the covered entity has made disclosuresand of protected health information for a particular (C) Limit the temporary suspension to no longer research purpose in accordance with §164.512(i) forthan 30 days from the date of the oral statement, 50 or more individuals, the accounting may, withunless a written statement pursuant to paragraph respect to such disclosures for which the protected(a)(2)(i) of this section is submitted during that time. health information about the individual may have (3) An individual may request an accounting of been included, provide:disclosures for a period of time less than six years (A) The name of the protocol or other researchfrom the date of the request. activity; (b) Implementation specifications: Content of the (B) A description, in plain language, of theaccounting. The covered entity must provide the research protocol or other research activity, includingindividual with a written accounting that meets the the purpose of the research and the criteria forfollowing requirements. selecting particular records; (1) Except as otherwise provided by paragraph (a) (C) A brief description of the type of protectedof this section, the accounting must include health information that was disclosed;disclosures of protected health information that (D) The date or period of time during which such -79­
  • 97. HIPAA Administrative Simplification Regulation Text March 2006disclosures occurred, or may have occurred, including (d) Implementation specification: Documentation.the date of the last such disclosure during the A covered entity must document the following andaccounting period; retain the documentation as required by §164.530(j): (E) The name, address, and telephone number of (1) The information required to be included in anthe entity that sponsored the research and of the accounting under paragraph (b) of this section forresearcher to whom the information was disclosed; disclosures of protected health information that areand subject to an accounting under paragraph (a) of this (F) A statement that the protected health section;information of the individual may or may not have (2) The written accounting that is provided to thebeen disclosed for a particular protocol or other individual under this section; andresearch activity. (3) The titles of the persons or offices responsible (ii) If the covered entity provides an accounting for receiving and processing requests for anfor research disclosures, in accordance with accounting by individuals.paragraph (b)(4) of this section, and if it is reasonablylikely that the protected health information of the [65 FR 82802, Dec. 28, 2000, as amended at 67 FRindividual was disclosed for such research protocol or 53271, Aug. 14, 2002]activity, the covered entity shall, at the request of theindividual, assist in contacting the entity that § 164.530 Administrative requirements.sponsored the research and the researcher. (a)(1) Standard: Personnel designations. (c) Implementation specifications: Provision of (i) A covered entity must designate a privacythe accounting. official who is responsible for the development and (1) The covered entity must act on the individuals implementation of the policies and procedures of therequest for an accounting, no later than 60 days after entity.receipt of such a request, as follows. (ii) A covered entity must designate a contact (i) The covered entity must provide the individual person or office who is responsible for receivingwith the accounting requested; or complaints under this section and who is able to (ii) If the covered entity is unable to provide the provide further information about matters covered byaccounting within the time required by paragraph the notice required by §164.520.(c)(1) of this section, the covered entity may extend (2) Implementation specification: Personnelthe time to provide the accounting by no more than designations. A covered entity must document the30 days, provided that: personnel designations in paragraph (a)(1) of this (A) The covered entity, within the time limit set section as required by paragraph (j) of this section.by paragraph (c)(1) of this section, provides the (b)(1) Standard: Training. A covered entity mustindividual with a written statement of the reasons for train all members of its workforce on the policies andthe delay and the date by which the covered entity procedures with respect to protected healthwill provide the accounting; and information required by this subpart, as necessary and (B) The covered entity may have only one such appropriate for the members of the workforce to carryextension of time for action on a request for an out their function within the covered entity.accounting. (2) Implementation specifications: Training. (2) The covered entity must provide the first (i) A covered entity must provide training thataccounting to an individual in any 12 month period meets the requirements of paragraph (b)(1) of thiswithout charge. The covered entity may impose a section, as follows:reasonable, cost-based fee for each subsequent (A) To each member of the covered entitysrequest for an accounting by the same individual workforce by no later than the compliance date forwithin the 12 month period, provided that the covered the covered entity;entity informs the individual in advance of the fee and (B) Thereafter, to each new member of theprovides the individual with an opportunity to workforce within a reasonable period of time after thewithdraw or modify the request for a subsequent person joins the covered entitys workforce; andaccounting in order to avoid or reduce the fee. (C) To each member of the covered entitys -80­
  • 98. HIPAA Administrative Simplification Regulation Text March 2006workforce whose functions are affected by a material disclosure of protected health information in violationchange in the policies or procedures required by this of its policies and procedures or the requirements ofsubpart, within a reasonable period of time after the this subpart by the covered entity or its businessmaterial change becomes effective in accordance with associate.paragraph (i) of this section. (g) Standard: Refraining from intimidating or (ii) A covered entity must document that the retaliatory acts. A covered entity—training as described in paragraph (b)(2)(i) of this (1) May not intimidate, threaten, coerce,section has been provided, as required by paragraph discriminate against, or take other retaliatory action(j) of this section. against any individual for the exercise by the (c)(1) Standard: Safeguards. A covered entity individual of any right established, or formust have in place appropriate administrative, participation in any process provided for by thistechnical, and physical safeguards to protect the subpart, including the filing of a complaint under thisprivacy of protected health information. section; and (2)(i) Implementation specification: Safeguards. (2) Must refrain from intimidation and retaliationA covered entity must reasonably safeguard protected as provided in §160.316 of this subchapter.health information from any intentional or (h) Standard: Waiver of rights. A covered entityunintentional use or disclosure that is in violation of may not require individuals to waive their rightsthe standards, implementation specifications or other under §160.306 of this subchapter or this subpart as arequirements of this subpart. condition of the provision of treatment, payment, (ii) A covered entity must reasonably safeguard enrollment in a health plan, or eligibility for benefits.protected health information to limit incidental uses (i)(1) Standard: Policies and procedures. Aor disclosures made pursuant to an otherwise covered entity must implement policies andpermitted or required use or disclosure. procedures with respect to protected health (d)(1) Standard: Complaints to the covered entity. information that are designed to comply with theA covered entity must provide a process for standards, implementation specifications, or otherindividuals to make complaints concerning the requirements of this subpart. The policies andcovered entitys policies and procedures required by procedures must be reasonably designed, taking intothis subpart or its compliance with such policies and account the size of and the type of activities thatprocedures or the requirements of this subpart. relate to protected health information undertaken by (2) Implementation specification: Documentation the covered entity, to ensure such compliance. Thisof complaints. As required by paragraph (j) of this standard is not to be construed to permit or excuse ansection, a covered entity must document all action that violates any other standard,complaints received, and their disposition, if any. implementation specification, or other requirement of (e)(1) Standard: Sanctions. A covered entity must this subpart.have and apply appropriate sanctions against (2) Standard: Changes to policies or procedures.members of its workforce who fail to comply with the (i) A covered entity must change its policies andprivacy policies and procedures of the covered entity procedures as necessary and appropriate to complyor the requirements of this subpart. This standard with changes in the law, including the standards,does not apply to a member of the covered entitys requirements, and implementation specifications ofworkforce with respect to actions that are covered by this subpart;and that meet the conditions of §164.502(j) or (ii) When a covered entity changes a privacyparagraph (g)(2) of this section. practice that is stated in the notice described in (2) Implementation specification: Documentation. §164.520, and makes corresponding changes to itsAs required by paragraph (j) of this section, a covered policies and procedures, it may make the changesentity must document the sanctions that are applied, if effective for protected health information that itany. created or received prior to the effective date of the (f) Standard: Mitigation. A covered entity must notice revision, if the covered entity has, inmitigate, to the extent practicable, any harmful effect accordance with §164.520(b)(1)(v)(C), included inthat is known to the covered entity of a use or the notice a statement reserving its right to make such -81­
  • 99. HIPAA Administrative Simplification Regulation Text March 2006a change in its privacy practices; or the effective date of the notice. (iii) A covered entity may make any other changes (5) Implementation specification: Changes toto policies and procedures at any time, provided that other policies or procedures. A covered entity maythe changes are documented and implemented in change, at any time, a policy or procedure that doesaccordance with paragraph (i)(5) of this section. not materially affect the content of the notice required (3) Implementation specification: Changes in law. by §164.520, provided that:Whenever there is a change in law that necessitates a (i) The policy or procedure, as revised, complieschange to the covered entitys policies or procedures, with the standards, requirements, and implementationthe covered entity must promptly document and specifications of this subpart; andimplement the revised policy or procedure. If the (ii) Prior to the effective date of the change, thechange in law materially affects the content of the policy or procedure, as revised, is documented asnotice required by §164.520, the covered entity must required by paragraph (j) of this section.promptly make the appropriate revisions to the notice (j)(1) Standard: Documentation. A covered entityin accordance with §164.520(b)(3). Nothing in this must:paragraph may be used by a covered entity to excuse (i) Maintain the policies and procedures provideda failure to comply with the law. for in paragraph (i) of this section in written or (4) Implementation specifications: Changes to electronic form;privacy practices stated in the notice. (ii) If a communication is required by this subpart (i) To implement a change as provided by to be in writing, maintain such writing, or anparagraph (i)(2)(ii) of this section, a covered entity electronic copy, as documentation; andmust: (iii) If an action, activity, or designation is (A) Ensure that the policy or procedure, as revised required by this subpart to be documented, maintain ato reflect a change in the covered entitys privacy written or electronic record of such action, activity, orpractice as stated in its notice, complies with the designation.standards, requirements, and implementation (2) Implementation specification: Retentionspecifications of this subpart; period. A covered entity must retain the (B) Document the policy or procedure, as revised, documentation required by paragraph (j)(1) of thisas required by paragraph (j) of this section; and section for six years from the date of its creation or (C) Revise the notice as required by the date when it last was in effect, whichever is later.§164.520(b)(3) to state the changed practice and (k) Standard: Group health plans.make the revised notice available as required by (1) A group health plan is not subject to the§164.520(c). The covered entity may not implement a standards or implementation specifications inchange to a policy or procedure prior to the effective paragraphs (a) through (f) and (i) of this section, todate of the revised notice. the extent that: (ii) If a covered entity has not reserved its right (i) The group health plan provides health benefitsunder §164.520(b)(1)(v)(C) to change a privacy solely through an insurance contract with a healthpractice that is stated in the notice, the covered entity insurance issuer or an HMO; andis bound by the privacy practices as stated in the (ii) The group health plan does not create ornotice with respect to protected health information receive protected health information, except for:created or received while such notice is in effect. A (A) Summary health information as defined incovered entity may change a privacy practice that is §164.504(a); orstated in the notice, and the related policies and (B) Information on whether the individual isprocedures, without having reserved the right to do participating in the group health plan, or is enrolled inso, provided that: or has disenrolled from a health insurance issuer or (A) Such change meets the implementation HMO offered by the plan.specifications in paragraphs (i)(4)(i)(A)–(C) of this (2) A group health plan described in paragraphsection; and (k)(1) of this section is subject to the standard and (B) Such change is effective only with respect to implementation specification in paragraph (j) of thisprotected health information created or received after section only with respect to plan documents amended -82­
  • 100. HIPAA Administrative Simplification Regulation Text March 2006in accordance with §164.504(f). CFR 225.116(d), 24 CFR 60.116(d), 28 CFR 46.116(d), 32 CFR 219.116(d), 34 CFR 97.116(d),[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 38 CFR 16.116(d), 40 CFR 26.116(d), 45 CFR53272, Aug. 14, 2002; 71 FR 8433, Feb. 16, 2006] 46.116(d), 45 CFR 690.116(d), or 49 CFR 11.116(d), provided that a covered entity must obtain§ 164.532 Transition provisions. authorization in accordance with §164.508 if, after (a) Standard: Effect of prior authorizations. the compliance date, informed consent is sought fromNotwithstanding §§164.508 and 164.512(i), a an individual participating in the research.covered entity may use or disclose protected health (d) Standard: Effect of prior contracts or otherinformation, consistent with paragraphs (b) and (c) of arrangements with business associates.this section, pursuant to an authorization or other Notwithstanding any other provisions of this subpart,express legal permission obtained from an individual a covered entity, other than a small health plan, maypermitting the use or disclosure of protected health disclose protected health information to a businessinformation, informed consent of the individual to associate and may allow a business associate toparticipate in research, or a waiver of informed create, receive, or use protected health information onconsent by an IRB. its behalf pursuant to a written contract or other (b) Implementation specification: Effect of prior written arrangement with such business associate thatauthorization for purposes other than research. does not comply with §§164.502(e) and 164.504(e)Notwithstanding any provisions in §164.508, a consistent with the requirements, and only for suchcovered entity may use or disclose protected health time, set forth in paragraph (e) of this section.information that it created or received prior to the (e) Implementation specification: Deemedapplicable compliance date of this subpart pursuant to compliance.an authorization or other express legal permission (1) Qualification. Notwithstanding other sectionsobtained from an individual prior to the applicable of this subpart, a covered entity, other than a smallcompliance date of this subpart, provided that the health plan, is deemed to be in compliance with theauthorization or other express legal permission documentation and contract requirements ofspecifically permits such use or disclosure and there §§164.502(e) and 164.504(e), with respect to ais no agreed-to restriction in accordance with particular business associate relationship, for the time§164.522(a). period set forth in paragraph (e)(2) of this section, if: (c) Implementation specification: Effect of prior (i) Prior to October 15, 2002, such covered entitypermission for research. Notwithstanding any has entered into and is operating pursuant to a writtenprovisions in §§164.508 and 164.512(i), a covered contract or other written arrangement with a businessentity may, to the extent allowed by one of the associate for such business associate to performfollowing permissions, use or disclose, for research, functions or activities or provide services that makeprotected health information that it created or the entity a business associate; andreceived either before or after the applicable (ii) The contract or other arrangement is notcompliance date of this subpart, provided that there is renewed or modified from October 15, 2002, until theno agreed-to restriction in accordance with compliance date set forth in §164.534.§164.522(a), and the covered entity has obtained, (2) Limited deemed compliance period. A priorprior to the applicable compliance date, either: contract or other arrangement that meets the (1) An authorization or other express legal qualification requirements in paragraph (e) of thispermission from an individual to use or disclose section, shall be deemed compliant until the earlierprotected health information for the research; of: (2) The informed consent of the individual to (i) The date such contract or other arrangement isparticipate in the research; or renewed or modified on or after the compliance date (3) A waiver, by an IRB, of informed consent for set forth in §164.534; orthe research, in accordance with 7 CFR 1c.116(d), 10 (ii) April 14, 2004.CFR 745.116(d), 14 CFR 1230.116(d), 15 CFR (3) Covered entity responsibilities. Nothing in this27.116(d), 16 CFR 1028.116(d), 21 CFR 50.24, 22 section shall alter the requirements of a covered entity -83­
  • 101. HIPAA Administrative Simplification Regulation Text March 2006to comply with part 160, subpart C of this subchapterand §§164.524, 164.526, 164.528, and 164.530(f)with respect to protected health information held by abusiness associate.[65 FR 82802, Dec. 28, 2000, as amended at 67 FR53272, Aug. 14, 2002]§ 164.534 Compliance dates for initialimplementation of the privacy standards. (a) Health care providers. A covered health careprovider must comply with the applicablerequirements of this subpart no later than April 14,2003. (b) Health plans. A health plan must comply withthe applicable requirements of this subpart no laterthan the following as applicable: (1) Health plans other than small health plans.April 14, 2003. (2) Small health plans. April 14, 2004. (c) Health care clearinghouses. A health careclearinghouse must comply with the applicablerequirements of this subpart no later than April 14,2003.[66 FR 12434, Feb. 26, 2001] -84­