SECTION-BY-SECTION COMPILATION OF DOCUMENTATION PERTAINING TO THE FINAL HIPAA PRIVACY REGULATIONS

Included here is a section-by-section compilation of the documentation within the final HIPAA privacy regulations, including the revisions of August 14, 2002 and the security regulations released in February 2003. Collected in one place are regulations, the HHS description, and the HHS response to comments received regarding that particular section of the regulations. This resource should be useful as part of the documentation for the privacy compliance program.

INTRODUCTORY MATERIAL


Relationship to Other Federal Laws

General Discussion
Implied Repeal Analysis
The Privacy Act
The Freedom of Information Act
Federal Substance Abuse Confidentiality Requirements

Employee Retirement Income Security Act of 1974
The Family Educational Rights and Privacy Act
Gramm-Leach-Bliley
Federally Funded Health Programs
Food, Drug, and Cosmetic Act
Clinical Laboratory Improvement Amendments
Other Mandatory Federal or State Laws
Federal Disability Nondiscrimination Laws
U.S. Safe Harbor Privacy Principles


PART 160 GENERAL ADMINISTRATIVE REQUIREMENTS


General Provisions
Subpart A

Statutory Basis and Purpose - Section 160.101
Applicability - Section 160.102
Definitions - Section 160.103
Act
ANSI
Business Associate
Compliance Date
Covered Entity
Disclosure
Electronic Media
Electronic Protected Health Information
Group Health Plan
HCFA
HHS
Health Care
Health Care Clearinghouse
Health Care Provider
Health Information
Health Insurance Issuer
Health Maintenance Organization
Health Plan
Implementation Specification
Individual
Individually Identifiable Health Information
Modification
Organized Health Care Arrangement
Protected Health Information
Secretary
Small Health Plan
Standard
Standard Setting Organization
State
Trading Partner Agreement
Transaction
Use
Workforce
Modifications - Section 160.104



Preemption of State Law
Subpart B

Applicability - Section 160.201
Definitions - Section 160.202
Contrary
More Stringent
Relates to the Privacy of Individually Identifiable Health Information
State Law
General Rule and Exceptions - Section 160.203
Process for Requesting Exception Determinations - Section 160.204
Duration of Effectiveness of Exception Determinations - Section 160.205



Compliance and Enforcement
Subpart C

Applicability - Section 160.300
Definitions - Section 160.302
Principles for Achieving Compliance - Section 160.304

Complaints to the Secretary - Section 160.306
Compliance Reviews - Section 160.308
Responsibilities of Covered Entities - Section 160.310
Secretarial Action Regarding Complaints and Compliance Reviews - Section 160.312


PART 164 SECURITY AND PRIVACY


General Provisions
Subpart A

Statutory Basis - Section 164.102
Definitions - Section 164.103
Applicability - Section 164.104
Organizational Requirements - Section 164.105
Relationship to Other Parts - Section 164.106



Security Standards for the Protection of Electronic Protected Health Information
Subpart C

Applicability - Section 164.302
Definitions - Section 164.304
General Rules - Section 164.306
Administrative Safeguards - Section 164.308
Physical Safeguards - Section 164.310
Technical Safeguards - Section 164.312
Organizational Requirements - Section 164.314
Policies and Procedures and Documentation Requirements - Section 164.316
Compliance Dates for the Initial Implementation of the Security Standards - Section 164.318
Appendix: Matrix



Applicability - Section 164.500



Definitions
Section 164.501

Correctional Institution
Data Aggregation
Designated Record Set
Direct Treatment Relationship
Health Care Operations
Health Oversight Agency
Indirect Treatment Relationship
Inmate
Law Enforcement Official
Marketing
Payment

Psychotherapy Notes
Public Health Authority
Research
Treatment



General Rules for Uses and Disclosures of Protected Health Information
Section 164.502

Use and Disclosure for Treatment, Payment and Health Care Operations - (a)
Minimum Necessary - (b)
Uses and Disclosures of Protected Health Information Subject to an Agreed Upon Restriction - (c)
Creation of De-Identified Information - (d)
Disclosures to Business Associates - (e)
Deceased Individuals - (f)
Personal Representatives - (g)
Confidential Communications - (h)
Uses and Disclosures Consistent With Notice - (i)
Disclosures by Whistleblowers and Workforce Member Crime Victims - (j)



Uses and Disclosures - Organizational Requirements - Component Entities, Affiliated Entities, Business Associates and Group Health Plans
Section 164.504

Definitions - (a)
[164.504(b) - (d) Removed and reserved]
Business Associate Contracts - (e)
Requirements for Group Health Plans - (f)
Requirements for a Covered Entity With Multiple Covered Functions - (g)



Uses and Disclosures to Carry Out Treatment, Payment or Health Care Operations
Section 164.506

Permitted Uses and Disclosures - (a)
Consent for Uses and Disclosures Permitted - (b)
Treatment, Payment, or Health Care Operations - (c)



Uses and Disclosures For Which an Authorization is Required
Section 164.508

Authorizations for Uses and Disclosures - (a)
General Requirements - (b)
Core Elements and Requirements - (c)



Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object
Section 164.510

General Rule
Use and Disclosure for Facility Directories - (a)
Uses and Disclosures for Involvement in the Individual's Care and Notification Purposes - (b)



Uses and Disclosures For Which Consent, an Authorization, or Opportunity to Agree or Object is Not Required
Section 164.512

General Rule
Uses and Disclosures Required By Law - (a)
Uses and Disclosures for Public Health Activities - (b)
Disclosures About Victims of Abuse, Neglect or Domestic Violence - (c)
Uses and Disclosures for Health Oversight Activities - (d)
Disclosures for Judicial and Administrative Proceedings - (e)
Disclosures for Law Enforcement Purposes - (f)
Uses and Disclosures about Decedents - (g)
Uses and Disclosures for Cadaveric Organ, Eye, Tissue Donation - (h)
Uses and Disclosures for Research Purposes - (i)
Uses and Disclosures to Avert a Serious Threat to Health or Safety - (j)
Uses and Disclosures For Specialized Government Functions - (k)
Disclosures for Workers' Compensation - (l)



Other Requirements Relating to Uses and Disclosures of Protected Health Information
Section 164.514

De-Identification of Protected Health Information - (a)
Requirements for De-Identification of Protected Health Information - (b)
Re-Identification - (c)
Minimum Necessary Requirements - (d)
Limited Data Set - (e)
Fundraising - (f)
Underwriting - (g)
Verification Requirements - (h)



Notice of Privacy Practices for Protected Health Information
Section 164.520

Right to Notice of Privacy Practices - (a)
Content of Notice of Privacy Practices - (b)
Provision of Notice of Privacy Practices - (c)
Joint Notice by Separate Covered Entities - (d)
Documentation of Notice - (e)



Rights to Request Privacy Protection for Protected Health Information
Section 164.522

Right of an Individual to Request Restriction of Uses and Disclosures - (a)
Confidential Communications Requirements - (b)



Access of Individuals to Protected Health Information
Section 164.524

Access to Protected Health Information - (a)
Requests for Access and Timely Action - (b)
Provision of Access - (c)
Denial of Access - (d)
Documentation - (e)



Amendment of Protected Health Information
Section 164.526

Right to Amend - (a)
Requests for Amendment and Timely Action - (b)
Accepting the Amendment - (c)
Denying the Amendment - (d)
Actions on Notices of Amendment - (e)
Documentation - (f)



Accounting of Disclosures of Protected Health Information
Section 164.528

Right to an Accounting - (a)
Content of the Accounting - (b)
Provision of the Accounting - (c)
Documentation - (d)



The Administrative Requirements
Section 164.530

Personnel Designations - (a)
Training - (b)
Safeguards - (c)
Complaints to the Covered Entity - (d)
Sanctions - (e)
Mitigation - (f)
Refraining from Intimidating or Retaliatory Acts - (g)
Waiver of Rights - (h)
Policies and Procedures - (i)
Documentation - (j)
Group Health Plans - (k)



Transition Provisions - Section 164.532



Compliance Dates - Section 164.534