U.S. Department of Health and Human Services

Office for Civil Rights

HIPAA Administrative Simplification

Regulation Text

45 CFR Parts 160, 162, and 164


(Unofficial Version, as amended through March 26, 2013)
HIPAA Administrative Simplification Regulation Text
March 2013

HIPAA Administrative Simplification

Table of Contents

Section .... Page

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS .... 10

SUBPART A—GENERAL PROVISIONS .... 10
§ 160.101 Statutory basis and purpose. .... 10
§ 160.102 Applicability. .... 11
§ 160.103 Definitions. .... 11
§ 160.104 Modifications. .... 17
§ 160.105 Compliance dates for implementation of new or modified standards and implementation specifications. .... 17

SUBPART B—PREEMPTION OF STATE LAW .... 17
§ 160.201 Statutory basis. .... 17
§ 160.202 Definitions. .... 18
§ 160.203 General rule and exceptions. .... 18
§ 160.204 Process for requesting exception determinations. .... 19
§ 160.205 Duration of effectiveness of exception determinations. .... 19

SUBPART C—COMPLIANCE AND INVESTIGATIONS .... 19
§ 160.300 Applicability. .... 19
§ 160.302 [Reserved] .... 20
§ 160.304 Principles for achieving compliance. .... 20
§ 160.306 Complaints to the Secretary. .... 20
§ 160.308 Compliance reviews. .... 20
§ 160.310 Responsibilities of covered entities and business associates. .... 20
§ 160.312 Secretarial action regarding complaints and compliance reviews. .... 21
§ 160.314 Investigational subpoenas and inquiries. .... 21
§ 160.316 Refraining from intimidation or retaliation. .... 23

SUBPART D—IMPOSITION OF CIVIL MONEY PENALTIES .... 23
§ 160.400 Applicability. .... 23
§ 160.401 Definitions. .... 23
§ 160.402 Basis for a civil money penalty. .... 23
§ 160.404 Amount of a civil money penalty. .... 24
§ 160.406 Violations of an identical requirement or prohibition. .... 24
§ 160.408 Factors considered in determining the amount of a civil money penalty. .... 25
§ 160.410 Affirmative defenses. .... 25
§ 160.412 Waiver. .... 26
§ 160.414 Limitations. .... 26
§ 160.416 Authority to settle. .... 26
§ 160.418 Penalty not exclusive. .... 26
§ 160.420 Notice of proposed determination. .... 26
§ 160.422 Failure to request a hearing. .... 26
§ 160.424 Collection of penalty. .... 27
§ 160.426 Notification of the public and other agencies. .... 27

SUBPART E—PROCEDURES FOR HEARINGS .... 27
§ 160.500 Applicability. .... 27
§ 160.502 Definitions. .... 27
§ 160.504 Hearing before an ALJ. .... 27
§ 160.506 Rights of the parties. .... 28
§ 160.508 Authority of the ALJ. .... 28
§ 160.510 Ex parte contacts. .... 29
§ 160.512 Prehearing conferences. .... 29
§ 160.514 Authority to settle. .... 29
§ 160.516 Discovery. .... 29
§ 160.518 Exchange of witness lists, witness statements, and exhibits. .... 30
§ 160.520 Subpoenas for attendance at hearing. .... 30
§ 160.522 Fees. .... 31
§ 160.524 Form, filing, and service of papers. .... 31
§ 160.526 Computation of time. .... 31
§ 160.528 Motions. .... 31
§ 160.530 Sanctions. .... 32
§ 160.532 Collateral estoppel. .... 32
§ 160.534 The hearing. .... 32
§ 160.536 Statistical sampling. .... 33
§ 160.538 Witnesses. .... 33
§ 160.540 Evidence. .... 33
§ 160.542 The record. .... 34
§ 160.544 Post hearing briefs. .... 34
§ 160.546 ALJ's decision. .... 34
§ 160.548 Appeal of the ALJ's decision. .... 34
§ 160.550 Stay of the Secretary's decision. .... 35

PART 162—ADMINISTRATIVE REQUIREMENTS .... 37

SUBPART A—GENERAL PROVISIONS .... 38
§ 162.100 Applicability. .... 38
§ 162.103 Definitions. .... 38

SUBPARTS B-C [RESERVED] .... 39

SUBPART D—STANDARD UNIQUE HEALTH IDENTIFIER FOR HEALTH CARE PROVIDERS .... 39
§ 162.402 [Reserved] .... 39
§ 162.404 Compliance dates of the implementation of the standard unique health identifier for health care providers. .... 39
§ 162.406 Standard unique health identifier for health care providers. .... 39
§ 162.408 National Provider System. .... 39
§ 162.410 Implementation specifications: Health care providers. .... 40
§ 162.412 Implementation specifications: Health plans. .... 40
§ 162.414 Implementation specifications: Health care clearinghouses. .... 40

SUBPART E—STANDARD UNIQUE HEALTH IDENTIFIER FOR HEALTH PLANS .... 40
§ 162.502 [Reserved] .... 40
§ 162.504 Compliance requirements for the implementation of the standard unique health plan identifier. .... 40
§ 162.506 Standard unique health plan identifier. .... 41
§ 162.508 Enumeration System. .... 41
§ 162.510 Full implementation requirements: Covered entities. .... 41
§ 162.512 Implementation specifications: Health plans. .... 41
§ 162.514 Other entity identifier. .... 42

SUBPART F—STANDARD UNIQUE EMPLOYER IDENTIFIER .... 42
§ 162.600 Compliance dates of the implementation of the standard unique employer identifier. .... 42
§ 162.605 Standard unique employer identifier. .... 42
§ 162.610 Implementation specifications for covered entities. .... 42

SUBPARTS G-H [RESERVED] .... 42

SUBPART I—GENERAL PROVISIONS FOR TRANSACTIONS .... 42
§ 162.900 [Reserved] .... 42
§ 162.910 Maintenance of standards and adoption of modifications and new standards. .... 42
§ 162.915 Trading partner agreements. .... 43
§ 162.920 Availability of implementation specifications and operating rules. .... 43
§ 162.923 Requirements for covered entities. .... 46
§ 162.925 Additional requirements for health plans. .... 47
§ 162.930 Additional rules for health care clearinghouses. .... 47
§ 162.940 Exceptions from standards to permit testing of proposed modifications. .... 48

SUBPART J—CODE SETS .... 49
§ 162.1000 General requirements. .... 49
§ 162.1002 Medical data code sets. .... 49
§ 162.1011 Valid code sets. .... 50

SUBPART K—HEALTH CARE CLAIMS OR EQUIVALENT ENCOUNTER INFORMATION .... 50
§ 162.1101 Health care claims or equivalent encounter information transaction. .... 50
§ 162.1102 Standards for health care claims or equivalent encounter information transaction. .... 50

SUBPART L—ELIGIBILITY FOR A HEALTH PLAN .... 52
§ 162.1201 Eligibility for a health plan transaction. .... 52
§ 162.1202 Standards for eligibility for a health plan transaction. .... 52
§ 162.1203 Operating rules for eligibility for a health plan transaction. .... 52

SUBPART M—REFERRAL CERTIFICATION AND AUTHORIZATION .... 53
§ 162.1301 Referral certification and authorization transaction. .... 53
§ 162.1302 Standards for referral certification and authorization transaction. .... 53

SUBPART N—HEALTH CARE CLAIM STATUS .... 54
§ 162.1401 Health care claim status transaction. .... 54
§ 162.1402 Standards for health care claim status transaction. .... 54
§ 162.1403 Operating rules for health care claim status transaction. .... 54

SUBPART O—ENROLLMENT AND DISENROLLMENT IN A HEALTH PLAN .... 54
§ 162.1501 Enrollment and disenrollment in a health plan transaction. .... 54
§ 162.1502 Standards for enrollment and disenrollment in a health plan transaction. .... 54

SUBPART P—HEALTH CARE ELECTRONIC FUNDS TRANSFERS (EFT) AND REMITTANCE ADVICE .... 55
§ 162.1601 Health care electronic funds transfers (EFT) and remittance advice transaction. .... 55
§ 162.1602 Standards for health care electronic funds transfers (EFT) and remittance advice transaction. .... 55
§ 162.1603 Operating rules for health care electronic funds transfers (EFT) and remittance advice transaction. .... 56

SUBPART Q—HEALTH PLAN PREMIUM PAYMENTS .... 56
§ 162.1701 Health plan premium payments transaction. .... 56
§ 162.1702 Standards for health plan premium payments transaction. .... 56

SUBPART R—COORDINATION OF BENEFITS .... 57
§ 162.1801 Coordination of benefits transaction. .... 57
§ 162.1802 Standards for coordination of benefits information transaction. .... 57

SUBPART S—MEDICAID PHARMACY SUBROGATION .... 58
§ 162.1901 Medicaid pharmacy subrogation transaction. .... 58
§ 162.1902 Standard for Medicaid pharmacy subrogation transaction. .... 58

PART 164—SECURITY AND PRIVACY .... 59

SUBPART A—GENERAL PROVISIONS .... 59
§ 164.102 Statutory basis. .... 59
§ 164.103 Definitions. .... 59
§ 164.104 Applicability. .... 60
§ 164.105 Organizational requirements. .... 60
§ 164.106 Relationship to other parts. .... 62

SUBPART B [RESERVED] .... 62

SUBPART C—SECURITY STANDARDS FOR THE PROTECTION OF ELECTRONIC PROTECTED HEALTH INFORMATION .... 62
§ 164.302 Applicability. .... 62
§ 164.304 Definitions. .... 62
§ 164.306 Security standards: General rules. .... 63
§ 164.308 Administrative safeguards. .... 64
§ 164.310 Physical safeguards. .... 66
§ 164.312 Technical safeguards. .... 66
§ 164.314 Organizational requirements. .... 67
§ 164.316 Policies and procedures and documentation requirements. .... 68
§ 164.318 Compliance dates for the initial implementation of the security standards. .... 68

SUBPART D—NOTIFICATION IN THE CASE OF BREACH OF UNSECURED PROTECTED HEALTH INFORMATION .... 71
§ 164.400 Applicability. .... 71
§ 164.402 Definitions. .... 71
§ 164.404 Notification to individuals. .... 71
§ 164.406 Notification to the media. .... 72
§ 164.408 Notification to the Secretary. .... 72
§ 164.410 Notification by a business associate. .... 73
§ 164.412 Law enforcement delay. .... 73
§ 164.414 Administrative requirements and burden of proof. .... 73

SUBPART E—PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION .... 73
§ 164.500 Applicability. .... 73
§ 164.501 Definitions. .... 74
§ 164.502 Uses and disclosures of protected health information: General rules. .... 77
§ 164.504 Uses and disclosures: Organizational requirements. .... 81
§ 164.506 Uses and disclosures to carry out treatment, payment, or health care operations. .... 84
§ 164.508 Uses and disclosures for which an authorization is required. .... 85
§ 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object. .... 87
§ 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required. .... 88
§ 164.514 Other requirements relating to uses and disclosures of protected health information. .... 96
§ 164.520 Notice of privacy practices for protected health information. .... 101
§ 164.522 Rights to request privacy protection for protected health information. .... 104
§ 164.524 Access of individuals to protected health information. .... 105
§ 164.526 Amendment of protected health information. .... 108
§ 164.528 Accounting of disclosures of protected health information. .... 110
§ 164.530 Administrative requirements. .... 111
§ 164.532 Transition provisions. .... 114
§ 164.534 Compliance dates for initial implementation of the privacy standards. .... 115

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

Contents

Subpart A—General Provisions
§ 160.101 Statutory basis and purpose.
§ 160.102 Applicability.
§ 160.103 Definitions.
§ 160.104 Modifications.
§ 160.105 Compliance dates for implementation of new or modified standards and implementation specifications.

Subpart B—Preemption of State Law
§ 160.201 Statutory basis.
§ 160.202 Definitions.
§ 160.203 General rule and exceptions.
§ 160.204 Process for requesting exception determinations.
§ 160.205 Duration of effectiveness of exception determinations.

Subpart C—Compliance and Investigations
§ 160.300 Applicability.
§ 160.302 [Reserved]
§ 160.304 Principles for achieving compliance.
§ 160.306 Complaints to the Secretary.
§ 160.308 Compliance reviews.
§ 160.310 Responsibilities of covered entities and business associates.
§ 160.312 Secretarial action regarding complaints and compliance reviews.
§ 160.314 Investigational subpoenas and inquiries.
§ 160.316 Refraining from intimidation or retaliation.

Subpart D—Imposition of Civil Money Penalties
§ 160.400 Applicability.
§ 160.401 Definitions.
§ 160.402 Basis for a civil money penalty.
§ 160.404 Amount of a civil money penalty.
§ 160.406 Violations of an identical requirement or prohibition.
§ 160.408 Factors considered in determining the amount of a civil money penalty.
§ 160.410 Affirmative defenses.
§ 160.412 Waiver.
§ 160.414 Limitations.
§ 160.416 Authority to settle.
§ 160.418 Penalty not exclusive.
§ 160.420 Notice of proposed determination.
§ 160.422 Failure to request a hearing.
§ 160.424 Collection of penalty.
§ 160.426 Notification of the public and other agencies.

Subpart E—Procedures for Hearings
§ 160.500 Applicability.
§ 160.502 Definitions.
§ 160.504 Hearing before an ALJ.
§ 160.506 Rights of the parties.
§ 160.508 Authority of the ALJ.
§ 160.510 Ex parte contacts.
§ 160.512 Prehearing conferences.
§ 160.514 Authority to settle.
§ 160.516 Discovery.
§ 160.518 Exchange of witness lists, witness statements, and exhibits.
§ 160.520 Subpoenas for attendance at hearing.
§ 160.522 Fees.
§ 160.524 Form, filing, and service of papers.
§ 160.526 Computation of time.
§ 160.528 Motions.
§ 160.530 Sanctions.
§ 160.532 Collateral estoppel.
§ 160.534 The hearing.
§ 160.536 Statistical sampling.
§ 160.538 Witnesses.
§ 160.540 Evidence.
§ 160.542 The record.
§ 160.544 Post hearing briefs.
§ 160.546 ALJ's decision.
§ 160.548 Appeal of the ALJ's decision.
§ 160.550 Stay of the Secretary's decision.
§ 160.552 Harmless error.

AUTHORITY: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); 5 U.S.C. 552; secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279; and sec. 1104 of Pub. L. 111-148, 124 Stat. 146-154.

SOURCE: 65 FR 82798, Dec. 28, 2000, unless otherwise noted.

Subpart A—General Provisions

§ 160.101 Statutory basis and purpose.

The requirements of this subchapter implement sections 1171-1180 of the Social Security Act (the Act), sections 262 and 264 of Public Law 104-191, section 105 of Public Law 110-233, sections 13400-13424 of Public Law 111-5, and section 1104 of Public Law 111-148.

[78 FR 5687, Jan. 25, 2013]


§ 160.102 Applicability.

(a) Except as otherwise provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to the following entities:

(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

(b) Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate.

(c) To the extent required under the Social Security Act, 42 U.S.C. 1320a-7c(a)(5), nothing in this subchapter shall be construed to diminish the authority of any Inspector General, including such authority as provided in the Inspector General Act of 1978, as amended (5 U.S.C. App.).

[65 FR 82798, Dec. 28, 2000, as amended at 67 FR 53266, Aug. 14, 2002; 78 FR 5687, Jan. 25, 2013]

§ 160.103 Definitions.

Except as otherwise provided, the following definitions apply to this subchapter:

Act means the Social Security Act.

Administrative simplification provision means any requirement or prohibition established by:

(1) 42 U.S.C. 1320d-1320d-4, 1320d-7, 1320d-8, and 1320d-9;

(2) Section 264 of Pub. L. 104-191;

(3) Sections 13400-13424 of Public Law 111-5; or

(4) This subchapter.

ALJ means Administrative Law Judge.

ANSI stands for the American National Standards Institute.

Business associate: (1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:

(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity may be a business associate of another covered entity.

(3) Business associate includes:

(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.

(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.

(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

(4) Business associate does not include:

(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.

(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance
issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.

(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.

(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.

Civil money penalty or penalty means the amount determined under § 160.404 of this part and includes the plural of these terms.

CMS stands for Centers for Medicare & Medicaid Services within the Department of Health and Human Services.

Compliance date means the date by which a covered entity or business associate must comply with a standard, implementation specification, requirement, or modification adopted under this subchapter.

Covered entity means:

(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.

EIN stands for the employer identification number assigned by the Internal Revenue Service, U.S. Department of the Treasury. The EIN is the taxpayer identifying number of an individual or other entity (whether or not an employer) assigned under one of the following:

(1) 26 U.S.C. 6011(b), which is the portion of the Internal Revenue Code dealing with identifying the taxpayer in tax returns and statements, or corresponding provisions of prior law.

(2) 26 U.S.C. 6109, which is the portion of the Internal Revenue Code dealing with identifying numbers in tax returns, statements, and other required documents.

Electronic media means:

(1) Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card;

(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.

Electronic protected health information means information that comes within paragraphs (1)(i) or (1)(ii) of the definition of protected health information as specified in this section.

Employer is defined as it is in 26 U.S.C. 3401(d).

Family member means, with respect to an individual:

(1) A dependent (as such term is defined in 45 CFR 144.103), of the individual; or

(2) Any other person who is a first-degree, second-degree, third-degree, or fourth-degree relative of the individual or of a dependent of the individual. Relatives by affinity (such as by marriage or adoption) are treated the same as relatives by consanguinity (that is, relatives who share a common biological ancestor). In determining the degree of the relationship, relatives by less than full consanguinity (such as half-siblings, who share only one
parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents).

(i) First-degree relatives include parents, spouses, siblings, and children.

(ii) Second-degree relatives include grandparents, grandchildren, aunts, uncles, nephews, and nieces.

(iii) Third-degree relatives include great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins.

(iv) Fourth-degree relatives include great-great grandparents, great-great grandchildren, and children of first cousins.

Genetic information means:

(1) Subject to paragraphs (2) and (3) of this definition, with respect to an individual, information about:

(i) The individual's genetic tests;

(ii) The genetic tests of family members of the individual;

(iii) The manifestation of a disease or disorder in family members of such individual; or

(iv) Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.

(2) Any reference in this subchapter to genetic information concerning an individual or family member of an individual shall include the genetic information of:

(i) A fetus carried by the individual or family member who is a pregnant woman; and

(ii) Any embryo legally held by an individual or family member utilizing an assisted reproductive technology.

(3) Genetic information excludes information about the sex or age of any individual.

Genetic services means:

(1) A genetic test;

(2) Genetic counseling (including obtaining, interpreting, or assessing genetic information); or

(3) Genetic education.

Genetic test means an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes. Genetic test does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition.

Group health plan (also see definition of health plan in this section) means an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income and Security Act of 1974 (ERISA), 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care (as defined in section 2791(a)(2) of the Public Health Service Act (PHS Act), 42 U.S.C. 300gg-91(a)(2)), including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that:

(1) Has 50 or more participants (as defined in section 3(7) of ERISA, 29 U.S.C. 1002(7)); or

(2) Is administered by an entity other than the employer that established and maintains the plan.

HHS stands for the Department of Health and Human Services.

Health care means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:

(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and

(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Health care clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches, that does either of the following functions:

(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data
elements or a standard transaction.

(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Health care provider means a provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:

(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Health insurance issuer (as defined in section 2791(b)(2) of the PHS Act, 42 U.S.C. 300gg-91(b)(2) and used in the definition of health plan in this section) means an insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance. Such term does not include a group health plan.

Health maintenance organization (HMO) (as defined in section 2791(b)(3) of the PHS Act, 42 U.S.C. 300gg-91(b)(3) and used in the definition of health plan in this section) means a federally qualified HMO, an organization recognized as an HMO under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such an HMO.

Health plan means an individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).

(1) Health plan includes the following, singly or in combination:

(i) A group health plan, as defined in this section.

(ii) A health insurance issuer, as defined in this section.

(iii) An HMO, as defined in this section.

(iv) Part A or Part B of the Medicare program under title XVIII of the Act.

(v) The Medicaid program under title XIX of the Act, 42 U.S.C. 1396, et seq.

(vi) The Voluntary Prescription Drug Benefit Program under Part D of title XVIII of the Act, 42 U.S.C. 1395w-101 through 1395w-152.

(vii) An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).

(viii) An issuer of a long-term care policy, excluding a nursing home fixed indemnity policy.

(ix) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.

(x) The health care program for uniformed services under title 10 of the United States Code.

(xi) The veterans health care program under 38 U.S.C. chapter 17.

(xii) The Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.

(xiii) The Federal Employees Health Benefits Program under 5 U.S.C. 8902, et seq.

(xiv) An approved State child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397, et seq.

(xv) The Medicare Advantage program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28.

(xvi) A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals.
(xvii) Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).

(2) Health plan excludes:

(i) Any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and

(ii) A government-funded program (other than one listed in paragraph (1)(i)-(xvi) of this definition):

(A) Whose principal purpose is other than providing, or paying the cost of, health care; or

(B) Whose principal activity is:

(1) The direct provision of health care to persons; or

(2) The making of grants to fund the direct provision of health care to persons.

Implementation specification means specific requirements or instructions for implementing a standard.

Individual means the person who is the subject of protected health information.

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Manifestation or manifested means, with respect to a disease, disorder, or pathological condition, that an individual has been or could reasonably be diagnosed with the disease, disorder, or pathological condition by a health care professional with appropriate training and expertise in the field of medicine involved. For purposes of this subchapter, a disease, disorder, or pathological condition is not manifested if the diagnosis is based principally on genetic information.

Modify or modification refers to a change adopted by the Secretary, through regulation, to a standard or an implementation specification.

Organized health care arrangement means:

(1) A clinically integrated care setting in which individuals typically receive health care from more than one health care provider;

(2) An organized system of health care in which more than one covered entity participates and in which the participating covered entities:

(i) Hold themselves out to the public as participating in a joint arrangement; and

(ii) Participate in joint activities that include at least one of the following:

(A) Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;

(B) Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or

(C) Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.

(3) A group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to protected health information created or received by such health insurance issuer or HMO that relates to individuals who are or who have been participants or beneficiaries in such group health plan;
(4) A group health plan and one or more other group health plans each of which are maintained by the same plan sponsor; or

(5) The group health plans described in paragraph (4) of this definition and health insurance issuers or HMOs with respect to such group health plans, but only with respect to protected health information created or received by such health insurance issuers or HMOs that relates to individuals who are or have been participants or beneficiaries in any of such group health plans.

Person means a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.

Protected health information means individually identifiable health information:

(1) Except as provided in paragraph (2) of this definition, that is:

(i) Transmitted by electronic media;

(ii) Maintained in electronic media; or

(iii) Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable health information:

(i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);

(iii) In employment records held by a covered entity in its role as employer; and

(iv) Regarding a person who has been deceased for more than 50 years.

Respondent means a covered entity or business associate upon which the Secretary has imposed, or proposes to impose, a civil money penalty.

Secretary means the Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated.

Small health plan means a health plan with annual receipts of $5 million or less.

Standard means a rule, condition, or requirement:

(1) Describing the following information for products, systems, services, or practices:

(i) Classification of components;

(ii) Specification of materials, performance, or operations; or

(iii) Delineation of procedures; or

(2) With respect to the privacy of protected health information.

Standard setting organization (SSO) means an organization accredited by the American National Standards Institute that develops and maintains standards for information transactions or data elements, or any other standard that is necessary for, or will facilitate the implementation of, this part.

State refers to one of the following:

(1) For a health plan established or regulated by Federal law, State has the meaning set forth in the applicable section of the United States Code for such health plan.

(2) For all other purposes, State means any of the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands.

Subcontractor means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.

Trading partner agreement means an agreement related to the exchange of information in electronic transactions, whether the agreement is distinct or part of a larger agreement, between each party to the agreement. (For example, a trading partner agreement may specify, among other things, the duties and responsibilities of each party to the agreement in conducting a standard transaction.)

Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:

(1) Health care claims or equivalent encounter information.
(2) Health care payment and remittance advice.

(3) Coordination of benefits.

(4) Health care claim status.

(5) Enrollment and disenrollment in a health plan.

(6) Eligibility for a health plan.

(7) Health plan premium payments.

(8) Referral certification and authorization.

(9) First report of injury.

(10) Health claims attachments.

(11) Health care electronic funds transfers (EFT) and remittance advice.

(12) Other transactions that the Secretary may prescribe by regulation.

Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

Violation or violate means, as the context may require, failure to comply with an administrative simplification provision.

Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.

[65 FR 82798, Dec. 28, 2000, as amended at 67 FR 38019, May 31, 2002; 67 FR 53266, Aug. 14, 2002; 68 FR 8374, Feb. 20, 2003; 71 FR 8424, Feb. 16, 2006; 76 FR 40495, July 8, 2011; 77 FR 1589, Jan. 10, 2012; 78 FR 5687, Jan. 25, 2013]

§ 160.104 Modifications.

(a) Except as provided in paragraph (b) of this section, the Secretary may adopt a modification to a standard or implementation specification adopted under this subchapter no more frequently than once every 12 months.

(b) The Secretary may adopt a modification at any time during the first year after the standard or implementation specification is initially adopted, if the Secretary determines that the modification is necessary to permit compliance with the standard or implementation specification.

(c) The Secretary will establish the compliance date for any standard or implementation specification modified under this section.

(1) The compliance date for a modification is no earlier than 180 days after the effective date of the final rule in which the Secretary adopts the modification.

(2) The Secretary may consider the extent of the modification and the time needed to comply with the modification in determining the compliance date for the modification.

(3) The Secretary may extend the compliance date for small health plans, as the Secretary determines is appropriate.

[65 FR 82798, Dec. 28, 2000, as amended at 67 FR 38019, May 31, 2002]

§ 160.105 Compliance dates for implementation of new or modified standards and implementation specifications.

Except as otherwise provided, with respect to rules that adopt new standards and implementation specifications or modifications to standards and implementation specifications in this subchapter in accordance with § 160.104 that become effective after January 25, 2013, covered entities and business associates must comply with the applicable new standards and implementation specifications, or modifications to standards and implementation specifications, no later than 180 days from the effective date of any such standards or implementation specifications.

[78 FR 5689, Jan. 25, 2013]

Subpart B—Preemption of State Law

§ 160.201 Statutory basis.

The provisions of this subpart implement section 1178 of the Act, section 262 of Public Law 104-191, section 264(c) of Public Law 104-191, and section 13421(a) of Public Law 111-5.

[78 FR 5689, Jan. 25, 2013]
§ 160.202 Definitions.

For purposes of this subpart, the following terms have the following meanings:

Contrary, when used to compare a provision of State law to a standard, requirement, or implementation specification adopted under this subchapter, means:

(1) A covered entity or business associate would find it impossible to comply with both the State and Federal requirements; or

(2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act, section 264 of Public Law 104-191, or sections 13400-13424 of Public Law 111-5, as applicable.

More stringent means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a State law that meets one or more of the following criteria:

(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:

(i) Required by the Secretary in connection with determining whether a covered entity or business associate is in compliance with this subchapter; or

(ii) To the individual who is the subject of the individually identifiable health information.

(2) With respect to the rights of an individual, who is the subject of the individually identifiable health information, regarding access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable.

(3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.

(4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable.

(5) With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.

(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.

Relates to the privacy of individually identifiable health information means, with respect to a State law, that the State law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way.

State law means a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.

[65 FR 82798, Dec. 28, 2000, as amended at 67 FR 53266, Aug. 14, 2002; 74 FR 42767, Aug. 24, 2009; 78 FR 5689, Jan. 25, 2013]

§ 160.203 General rule and exceptions.

A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met:

(a) A determination is made by the Secretary under § 160.204 that the provision of State law:

(1) Is necessary:

(i) To prevent fraud and abuse related to the provision of or payment for health care;

(ii) To ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation;

(iii) For State reporting on health care delivery or costs; or
(iv) For purposes of serving a compelling need related to public health, safety, or welfare, and, if a standard, requirement, or implementation specification under part 164 of this subchapter is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or

(2) Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.

(b) The provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.

(c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.

(d) The provision of State law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals.

[65 FR 82798, Dec. 28, 2000, as amended at 67 FR 53266, Aug. 14, 2002]

§ 160.204 Process for requesting exception determinations.

(a) A request to except a provision of State law from preemption under § 160.203(a) may be submitted to the Secretary. A request by a State must be submitted through its chief elected official, or his or her designee. The request must be in writing and include the following information:

(1) The State law for which the exception is requested;

(2) The particular standard, requirement, or implementation specification for which the exception is requested;

(3) The part of the standard or other provision that will not be implemented based on the exception or the additional data to be collected based on the exception, as appropriate;

(4) How health care providers, health plans, and other entities would be affected by the exception;

(5) The reasons why the State law should not be preempted by the federal standard, requirement, or implementation specification, including how the State law meets one or more of the criteria at § 160.203(a); and

(6) Any other information the Secretary may request in order to make the determination.

(b) Requests for exception under this section must be submitted to the Secretary at an address that will be published in the FEDERAL REGISTER. Until the Secretary's determination is made, the standard, requirement, or implementation specification under this subchapter remains in effect.

(c) The Secretary's determination under this section will be made on the basis of the extent to which the information provided and other factors demonstrate that one or more of the criteria at § 160.203(a) has been met.

§ 160.205 Duration of effectiveness of exception determinations.

An exception granted under this subpart remains in effect until:

(a) Either the State law or the federal standard, requirement, or implementation specification that provided the basis for the exception is materially changed such that the ground for the exception no longer exists; or

(b) The Secretary revokes the exception, based on a determination that the ground supporting the need for the exception no longer exists.

Subpart C—Compliance and Investigations

SOURCE: 71 FR 8424, Feb. 16, 2006, unless otherwise noted.

§ 160.300 Applicability.

This subpart applies to actions by the Secretary, covered entities, business associates, and others with respect to ascertaining the compliance by covered entities and business associates with, and the enforcement of, the applicable provisions of this part 160 and parts 162 and 164 of this subchapter.


[78 FR 5690, Jan. 25, 2013]

§ 160.302 [Reserved]

§ 160.304 Principles for achieving compliance.

(a) Cooperation. The Secretary will, to the extent practicable and consistent with the provisions of this subpart, seek the cooperation of covered entities and business associates in obtaining compliance with the applicable administrative simplification provisions.

(b) Assistance. The Secretary may provide technical assistance to covered entities and business associates to help them comply voluntarily with the applicable administrative simplification provisions.

[78 FR 5690, Jan. 25, 2013]

§ 160.306 Complaints to the Secretary.

(a) Right to file a complaint. A person who believes a covered entity or business associate is not complying with the administrative simplification provisions may file a complaint with the Secretary.

(b) Requirements for filing complaints. Complaints under this section must meet the following requirements:

(1) A complaint must be filed in writing, either on paper or electronically.

(2) A complaint must name the person that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable administrative simplification provision(s).

(3) A complaint must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown.

(4) The Secretary may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing, by notice in the FEDERAL REGISTER.

(c) Investigation. (1) The Secretary will investigate any complaint filed under this section when a preliminary review of the facts indicates a possible violation due to willful neglect.

(2) The Secretary may investigate any other complaint filed under this section.

(3) An investigation under this section may include a review of the pertinent policies, procedures, or practices of the covered entity or business associate and of the circumstances regarding any alleged violation.

(4) At the time of the initial written communication with the covered entity or business associate about the complaint, the Secretary will describe the acts and/or omissions that are the basis of the complaint.

[71 FR 8424, Feb. 16, 2006, as amended at 78 FR 5690, Jan. 25, 2013]

§ 160.308 Compliance reviews.

(a) The Secretary will conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provisions when a preliminary review of the facts indicates a possible violation due to willful neglect.

(b) The Secretary may conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provisions in any other circumstance.

[78 FR 5690, Jan. 25, 2013]

§ 160.310 Responsibilities of covered entities and business associates.

(a) Provide records and compliance reports. A covered entity or business associate must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered entity or business associate has complied or is complying with the applicable administrative simplification provisions.

(b) Cooperate with complaint investigations and compliance reviews. A covered entity or business associate must cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of the covered entity or business associate to determine whether it is complying with the applicable administrative simplification provisions.


(c) Permit access to information. (1) A covered entity or business associate must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance with the applicable administrative simplification provisions. If the Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, a covered entity or business associate must permit access by the Secretary at any time and without notice.

(2) If any information required of a covered entity or business associate under this section is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, the covered entity or business associate must so certify and set forth what efforts it has made to obtain the information.

(3) Protected health information obtained by the Secretary in connection with an investigation or compliance review under this subpart will not be disclosed by the Secretary, except if necessary for ascertaining or enforcing compliance with the applicable administrative simplification provisions, if otherwise required by law, or if permitted under 5 U.S.C. 552a(b)(7).

[78 FR 5690, Jan. 25, 2013]

§ 160.312 Secretarial action regarding complaints and compliance reviews.

(a) Resolution when noncompliance is indicated. (1) If an investigation of a complaint pursuant to § 160.306 or a compliance review pursuant to § 160.308 indicates noncompliance, the Secretary may attempt to reach a resolution of the matter satisfactory to the Secretary by informal means. Informal means may include demonstrated compliance or a completed corrective action plan or other agreement.

(2) If the matter is resolved by informal means, the Secretary will so inform the covered entity or business associate and, if the matter arose from a complaint, the complainant, in writing.

(3) If the matter is not resolved by informal means, the Secretary will—

(i) So inform the covered entity or business associate and provide the covered entity or business associate an opportunity to submit written evidence of any mitigating factors or affirmative defenses for consideration under §§ 160.408 and 160.410 of this part. The covered entity or business associate must submit any such evidence to the Secretary within 30 days (computed in the same manner as prescribed under § 160.526 of this part) of receipt of such notification; and

(ii) If, following action pursuant to paragraph (a)(3)(i) of this section, the Secretary finds that a civil money penalty should be imposed, inform the covered entity or business associate of such finding in a notice of proposed determination in accordance with § 160.420 of this part.

(b) Resolution when no violation is found. If, after an investigation pursuant to § 160.306 or a compliance review pursuant to § 160.308, the Secretary determines that further action is not warranted, the Secretary will so inform the covered entity or business associate and, if the matter arose from a complaint, the complainant, in writing.

[78 FR 5690, Jan. 25, 2013]

§ 160.314 Investigational subpoenas and inquiries.

(a) The Secretary may issue subpoenas in accordance with 42 U.S.C. 405(d) and (e), 1320a-7a(j), and 1320d-5 to require the attendance and testimony of witnesses and the production of any other evidence during an investigation or compliance review pursuant to this part. For purposes of this paragraph, a person other than a natural person is termed an “entity.”

(1) A subpoena issued under this paragraph must—

(i) State the name of the person (including the entity, if applicable) to whom the subpoena is addressed;

(ii) State the statutory authority for the subpoena;

(iii) Indicate the date, time, and place that the testimony will take place;

(iv) Include a reasonably specific description of any


documents or items required to be produced; and

(v) If the subpoena is addressed to an entity, describe with reasonable particularity the subject matter on which testimony is required. In that event, the entity must designate one or more natural persons who will testify on its behalf, and must state as to each such person that person's name and address and the matters on which he or she will testify. The designated person must testify as to matters known or reasonably available to the entity.

(2) A subpoena under this section must be served by—

(i) Delivering a copy to the natural person named in the subpoena or to the entity named in the subpoena at its last principal place of business; or

(ii) Registered or certified mail addressed to the natural person at his or her last known dwelling place or to the entity at its last known principal place of business.

(3) A verified return by the natural person serving the subpoena setting forth the manner of service or, in the case of service by registered or certified mail, the signed return post office receipt, constitutes proof of service.

(4) Witnesses are entitled to the same fees and mileage as witnesses in the district courts of the United States (28 U.S.C. 1821 and 1825). Fees need not be paid at the time the subpoena is served.

(5) A subpoena under this section is enforceable through the district court of the United States for the district where the subpoenaed natural person resides or is found or where the entity transacts business.

(b) Investigational inquiries are non-public investigational proceedings conducted by the Secretary.

(1) Testimony at investigational inquiries will be taken under oath or affirmation.

(2) Attendance of non-witnesses is discretionary with the Secretary, except that a witness is entitled to be accompanied, represented, and advised by an attorney.

(3) Representatives of the Secretary are entitled to attend and ask questions.

(4) A witness will have the opportunity to clarify his or her answers on the record following questioning by the Secretary.

(5) Any claim of privilege must be asserted by the witness on the record.

(6) Objections must be asserted on the record. Errors of any kind that might be corrected if promptly presented will be deemed to be waived unless reasonable objection is made at the investigational inquiry. Except where the objection is on the grounds of privilege, the question will be answered on the record, subject to objection.

(7) If a witness refuses to answer any question not privileged or to produce requested documents or items, or engages in conduct likely to delay or obstruct the investigational inquiry, the Secretary may seek enforcement of the subpoena under paragraph (a)(5) of this section.

(8) The proceedings will be recorded and transcribed. The witness is entitled to a copy of the transcript, upon payment of prescribed costs, except that, for good cause, the witness may be limited to inspection of the official transcript of his or her testimony.

(9)(i) The transcript will be submitted to the witness for signature.

(A) Where the witness will be provided a copy of the transcript, the transcript will be submitted to the witness for signature. The witness may submit to the Secretary written proposed corrections to the transcript, with such corrections attached to the transcript. If the witness does not return a signed copy of the transcript or proposed corrections within 30 days (computed in the same manner as prescribed under § 160.526 of this part) of its being submitted to him or her for signature, the witness will be deemed to have agreed that the transcript is true and accurate.

(B) Where, as provided in paragraph (b)(8) of this section, the witness is limited to inspecting the transcript, the witness will have the opportunity at the time of inspection to propose corrections to the transcript, with corrections attached to the transcript. The witness will also have the opportunity to sign the transcript. If the witness does not sign the transcript or offer corrections within 30 days (computed in the same manner


as prescribed under § 160.526 of this part) of receipt of notice of the opportunity to inspect the transcript, the witness will be deemed to have agreed that the transcript is true and accurate.

(ii) The Secretary's proposed corrections to the record of transcript will be attached to the transcript.

(c) Consistent with § 160.310(c)(3), testimony and other evidence obtained in an investigational inquiry may be used by HHS in any of its activities and may be used or offered into evidence in any administrative or judicial proceeding.

§ 160.316 Refraining from intimidation or retaliation.

A covered entity or business associate may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person for—

(a) Filing of a complaint under § 160.306;

(b) Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under this part; or

(c) Opposing any act or practice made unlawful by this subchapter, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of protected health information in violation of subpart E of part 164 of this subchapter.

[71 FR 8426, Feb. 16, 2006, as amended at 78 FR 5691, Jan. 25, 2013]

Subpart D—Imposition of Civil Money Penalties

SOURCE: 71 FR 8426, Feb. 16, 2006, unless otherwise noted.

§ 160.400 Applicability.

This subpart applies to the imposition of a civil money penalty by the Secretary under 42 U.S.C. 1320d-5.

§ 160.401 Definitions.

As used in this subpart, the following terms have the following meanings:

Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.

Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.

Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

[74 FR 56130, Oct. 30, 2009, as amended at 78 FR 5691, Jan. 25, 2013]

§ 160.402 Basis for a civil money penalty.

(a) General rule. Subject to § 160.410, the Secretary will impose a civil money penalty upon a covered entity or business associate if the Secretary determines that the covered entity or business associate has violated an administrative simplification provision.

(b) Violation by more than one covered entity or business associate. (1) Except as provided in paragraph (b)(2) of this section, if the Secretary determines that more than one covered entity or business associate was responsible for a violation, the Secretary will impose a civil money penalty against each such covered entity or business associate.

(2) A covered entity that is a member of an affiliated covered entity, in accordance with § 164.105(b) of this subchapter, is jointly and severally liable for a civil money penalty for a violation of part 164 of this subchapter based on an act or omission of the affiliated covered entity, unless it is established that another member of the affiliated covered entity was responsible for the violation.

(c) Violation attributed to a covered entity or business associate. (1) A covered entity is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of the agency.


(2) A business associate is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency.

[78 FR 5691, Jan. 25, 2013]

§ 160.404 Amount of a civil money penalty.

(a) The amount of a civil money penalty will be determined in accordance with paragraph (b) of this section and §§ 160.406, 160.408, and 160.412.

(b) The amount of a civil money penalty that may be imposed is subject to the following limitations:

(1) For violations occurring prior to February 18, 2009, the Secretary may not impose a civil money penalty—

(i) In the amount of more than $100 for each violation; or

(ii) In excess of $25,000 for identical violations during a calendar year (January 1 through the following December 31);

(2) For violations occurring on or after February 18, 2009, the Secretary may not impose a civil money penalty—

(i) For a violation in which it is established that the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision,

(A) In the amount of less than $100 or more than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);

(ii) For a violation in which it is established that the violation was due to reasonable cause and not to willful neglect,

(A) In the amount of less than $1,000 or more than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);

(iii) For a violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred,

(A) In the amount of less than $10,000 or more than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);

(iv) For a violation in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred,

(A) In the amount of less than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31).

(3) If a requirement or prohibition in one administrative simplification provision is repeated in a more general form in another administrative simplification provision in the same subpart, a civil money penalty may be imposed for a violation of only one of these administrative simplification provisions.

[71 FR 8426, Feb. 16, 2006, as amended at 74 FR 56130, Oct. 30, 2009; 78 FR 5691, Jan. 25, 2013]

§ 160.406 Violations of an identical requirement or prohibition.

The Secretary will determine the number of violations of an administrative simplification provision based on the nature of the covered entity's or business associate's obligation to act or not act under the provision that is violated, such as its obligation to act in a certain manner, or within a certain time, or to act or not act with respect to certain persons. In the case of continuing violation of a provision, a separate violation occurs each day the covered entity or business associate is in violation of the provision.

[78 FR 5691, Jan. 25, 2013]


§ 160.408 Factors considered in determining the amount of a civil money penalty.

In determining the amount of any civil money penalty, the Secretary will consider the following factors, which may be mitigating or aggravating as appropriate:

(a) The nature and extent of the violation, consideration of which may include but is not limited to:

(1) The number of individuals affected; and

(2) The time period during which the violation occurred;

(b) The nature and extent of the harm resulting from the violation, consideration of which may include but is not limited to:

(1) Whether the violation caused physical harm;

(2) Whether the violation resulted in financial harm;

(3) Whether the violation resulted in harm to an individual's reputation; and

(4) Whether the violation hindered an individual's ability to obtain health care;

(c) The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity or business associate, consideration of which may include but is not limited to:

(1) Whether the current violation is the same or similar to previous indications of noncompliance;

(2) Whether and to what extent the covered entity or business associate has attempted to correct previous indications of noncompliance;

(3) How the covered entity or business associate has responded to technical assistance from the Secretary provided in the context of a compliance effort; and

(4) How the covered entity or business associate has responded to prior complaints;

(d) The financial condition of the covered entity or business associate, consideration of which may include but is not limited to:

(1) Whether the covered entity or business associate had financial difficulties that affected its ability to comply;

(2) Whether the imposition of a civil money penalty would jeopardize the ability of the covered entity or business associate to continue to provide, or to pay for, health care; and

(3) The size of the covered entity or business associate; and

(e) Such other matters as justice may require.

[78 FR 5691, Jan. 25, 2013]

§ 160.410 Affirmative defenses.

(a) The Secretary may not:

(1) Prior to February 18, 2011, impose a civil money penalty on a covered entity or business associate for an act that violates an administrative simplification provision if the covered entity or business associate establishes that the violation is punishable under 42 U.S.C. 1320d-6.

(2) On or after February 18, 2011, impose a civil money penalty on a covered entity or business associate for an act that violates an administrative simplification provision if the covered entity or business associate establishes that a penalty has been imposed under 42 U.S.C. 1320d-6 with respect to such act.

(b) For violations occurring prior to February 18, 2009, the Secretary may not impose a civil money penalty on a covered entity for a violation if the covered entity establishes that an affirmative defense exists with respect to the violation, including the following:

(1) The covered entity establishes, to the satisfaction of the Secretary, that it did not have knowledge of the violation, determined in accordance with the Federal common law of agency, and by exercising reasonable diligence, would not have known that the violation occurred; or

(2) The violation is—

(i) Due to circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated and is not due to willful neglect; and

(ii) Corrected during either:


(A) The 30-day period beginning on the first date the covered entity liable for the penalty knew, or by exercising reasonable diligence would have known, that the violation occurred; or

(B) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.

(c) For violations occurring on or after February 18, 2009, the Secretary may not impose a civil money penalty on a covered entity or business associate for a violation if the covered entity or business associate establishes to the satisfaction of the Secretary that the violation is—

(1) Not due to willful neglect; and

(2) Corrected during either:

(i) The 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred; or

(ii) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.

[78 FR 5692, Jan. 25, 2013]

§ 160.412 Waiver.

For violations described in § 160.410(b)(2) or (c) that are not corrected within the period specified under such paragraphs, the Secretary may waive the civil money penalty, in whole or in part, to the extent that the payment of the penalty would be excessive relative to the violation.

[78 FR 5692, Jan. 25, 2013]

§ 160.414 Limitations.

No action under this subpart may be entertained unless commenced by the Secretary, in accordance with § 160.420, within 6 years from the date of the occurrence of the violation.

§ 160.416 Authority to settle.

Nothing in this subpart limits the authority of the Secretary to settle any issue or case or to compromise any penalty.

§ 160.418 Penalty not exclusive.

Except as otherwise provided by 42 U.S.C. 1320d-5(b)(1) and 42 U.S.C. 299b-22(f)(3), a penalty imposed under this part is in addition to any other penalty prescribed by law.

[78 FR 5692, Jan. 25, 2013]

§ 160.420 Notice of proposed determination.

(a) If a penalty is proposed in accordance with this part, the Secretary must deliver, or send by certified mail with return receipt requested, to the respondent, written notice of the Secretary's intent to impose a penalty. This notice of proposed determination must include—

(1) Reference to the statutory basis for the penalty;

(2) A description of the findings of fact regarding the violations with respect to which the penalty is proposed (except that, in any case where the Secretary is relying upon a statistical sampling study in accordance with § 160.536 of this part, the notice must provide a copy of the study relied upon by the Secretary);

(3) The reason(s) why the violation(s) subject(s) the respondent to a penalty;

(4) The amount of the proposed penalty and a reference to the subparagraph of § 160.404 upon which it is based.

(5) Any circumstances described in § 160.408 that were considered in determining the amount of the proposed penalty; and

(6) Instructions for responding to the notice, including a statement of the respondent's right to a hearing, a statement that failure to request a hearing within 90 days permits the imposition of the proposed penalty without the right to a hearing under § 160.504 or a right of appeal under § 160.548 of this part, and the address to which the hearing request must be sent.

(b) The respondent may request a hearing before an ALJ on the proposed penalty by filing a request in accordance with § 160.504 of this part.

[71 FR 8426, Feb. 16, 2006, as amended at 74 FR 56131, Oct. 30, 2009]

§ 160.422 Failure to request a hearing.

If the respondent does not request a hearing within the time prescribed by § 160.504 of this


part and the matter is not settled pursuant to § 160.416, the Secretary will impose the proposed penalty or any lesser penalty permitted by 42 U.S.C. 1320d-5. The Secretary will notify the respondent by certified mail, return receipt requested, of any penalty that has been imposed and of the means by which the respondent may satisfy the penalty, and the penalty is final on receipt of the notice. The respondent has no right to appeal a penalty under § 160.548 of this part with respect to which the respondent has not timely requested a hearing.

§ 160.424 Collection of penalty.

(a) Once a determination of the Secretary to impose a penalty has become final, the penalty will be collected by the Secretary, subject to the first sentence of 42 U.S.C. 1320a-7a(f).

(b) The penalty may be recovered in a civil action brought in the United States district court for the district where the respondent resides, is found, or is located.

(c) The amount of a penalty, when finally determined, or the amount agreed upon in compromise, may be deducted from any sum then or later owing by the United States, or by a State agency, to the respondent.

(d) Matters that were raised or that could have been raised in a hearing before an ALJ, or in an appeal under 42 U.S.C. 1320a-7a(e), may not be raised as a defense in a civil action by the United States to collect a penalty under this part.

§ 160.426 Notification of the public and other agencies.

Whenever a proposed penalty becomes final, the Secretary will notify, in such manner as the Secretary deems appropriate, the public and the following organizations and entities thereof and the reason it was imposed: the appropriate State or local medical or professional organization, the appropriate State agency or agencies administering or supervising the administration of State health care programs (as defined in 42 U.S.C. 1320a-7(h)), the appropriate utilization and quality control peer review organization, and the appropriate State or local licensing agency or organization (including the agency specified in 42 U.S.C. 1395aa(a), 1396a(a)(33)).

Subpart E—Procedures for Hearings

SOURCE: 71 FR 8428, Feb. 16, 2006, unless otherwise noted.

§ 160.500 Applicability.

This subpart applies to hearings conducted relating to the imposition of a civil money penalty by the Secretary under 42 U.S.C. 1320d-5.

§ 160.502 Definitions.

As used in this subpart, the following term has the following meaning:

Board means the members of the HHS Departmental Appeals Board, in the Office of the Secretary, who issue decisions in panels of three.

§ 160.504 Hearing before an ALJ.

(a) A respondent may request a hearing before an ALJ. The parties to the hearing proceeding consist of—

(1) The respondent; and

(2) The officer(s) or employee(s) of HHS to whom the enforcement authority involved has been delegated.

(b) The request for a hearing must be made in writing signed by the respondent or by the respondent's attorney and sent by certified mail, return receipt requested, to the address specified in the notice of proposed determination. The request for a hearing must be mailed within 90 days after notice of the proposed determination is received by the respondent. For purposes of this section, the respondent's date of receipt of the notice of proposed determination is presumed to be 5 days after the date of the notice unless the respondent makes a reasonable showing to the contrary to the ALJ.

(c) The request for a hearing must clearly and directly admit, deny, or explain each of the findings of fact contained in the notice of proposed determination with regard to which the respondent has any knowledge. If the respondent has no knowledge of a particular finding of fact and so states, the finding shall be deemed denied. The request for a hearing must also state the circumstances or arguments that the respondent alleges constitute the grounds for any defense and the factual and legal basis for opposing the penalty, except that a respondent may raise an affirmative defense

under § 160.410(b)(1) at any time.

(d) The ALJ must dismiss a hearing request where—

(1) On motion of the Secretary, the ALJ determines that the respondent's hearing request is not timely filed as required by paragraphs (b) or does not meet the requirements of paragraph (c) of this section;

(2) The respondent withdraws the request for a hearing;

(3) The respondent abandons the request for a hearing; or

(4) The respondent's hearing request fails to raise any issue that may properly be addressed in a hearing.

§ 160.506 Rights of the parties.

(a) Except as otherwise limited by this subpart, each party may—

(1) Be accompanied, represented, and advised by an attorney;

(2) Participate in any conference held by the ALJ;

(3) Conduct discovery of documents as permitted by this subpart;

(4) Agree to stipulations of fact or law that will be made part of the record;

(5) Present evidence relevant to the issues at the hearing;

(6) Present and cross-examine witnesses;

(7) Present oral arguments at the hearing as permitted by the ALJ; and

(8) Submit written briefs and proposed findings of fact and conclusions of law after the hearing.

(b) A party may appear in person or by a representative. Natural persons who appear as an attorney or other representative must conform to the standards of conduct and ethics required of practitioners before the courts of the United States.

(c) Fees for any services performed on behalf of a party by an attorney are not subject to the provisions of 42 U.S.C. 406, which authorizes the Secretary to specify or limit their fees.

§ 160.508 Authority of the ALJ.

(a) The ALJ must conduct a fair and impartial hearing, avoid delay, maintain order, and ensure that a record of the proceeding is made.

(b) The ALJ may—

(1) Set and change the date, time and place of the hearing upon reasonable notice to the parties;

(2) Continue or recess the hearing in whole or in part for a reasonable period of time;

(3) Hold conferences to identify or simplify the issues, or to consider other matters that may aid in the expeditious disposition of the proceeding;

(4) Administer oaths and affirmations;

(5) Issue subpoenas requiring the attendance of witnesses at hearings and the production of documents at or in relation to hearings;

(6) Rule on motions and other procedural matters;

(7) Regulate the scope and timing of documentary discovery as permitted by this subpart;

(8) Regulate the course of the hearing and the conduct of representatives, parties, and witnesses;

(9) Examine witnesses;

(10) Receive, rule on, exclude, or limit evidence;

(11) Upon motion of a party, take official notice of facts;

(12) Conduct any conference, argument or hearing in person or, upon agreement of the parties, by telephone; and

(13) Upon motion of a party, decide cases, in whole or in part, by summary judgment where there is no disputed issue of material fact. A summary judgment decision constitutes a hearing on the record for the purposes of this subpart.

(c) The ALJ—

(1) May not find invalid or refuse to follow Federal statutes, regulations, or Secretarial delegations of authority and must give deference to published guidance to the extent not inconsistent with statute or regulation;

(2) May not enter an order in the nature of a directed verdict;

(3) May not compel settlement negotiations;

(4) May not enjoin any act of the Secretary; or

(5) May not review the exercise of discretion by the Secretary with respect to whether to grant an extension under § 160.410(b)(2)(ii)(B) or (c)(2)(ii) of this part or to provide technical assistance under 42 U.S.C. 1320d-5(b)(2)(B).

§ 160.510 Ex parte contacts.

No party or person (except employees of the ALJ's office) may communicate in any way with the ALJ on any matter at issue in a case, unless on notice and opportunity for both parties to participate. This provision does not prohibit a party or person from inquiring about the status of a case or asking routine questions concerning administrative functions or procedures.

§ 160.512 Prehearing conferences.

(a) The ALJ must schedule at least one prehearing conference, and may schedule additional prehearing conferences as appropriate, upon reasonable notice, which may not be less than 14 business days, to the parties.

(b) The ALJ may use prehearing conferences to discuss the following—

(1) Simplification of the issues;

(2) The necessity or desirability of amendments to the pleadings, including the need for a more definite statement;

(3) Stipulations and admissions of fact or as to the contents and authenticity of documents;

(4) Whether the parties can agree to submission of the case on a stipulated record;

(5) Whether a party chooses to waive appearance at an oral hearing and to submit only documentary evidence (subject to the objection of the other party) and written argument;

(6) Limitation of the number of witnesses;

(7) Scheduling dates for the exchange of witness lists and of proposed exhibits;

(8) Discovery of documents as permitted by this subpart;

(9) The time and place for the hearing;

(10) The potential for the settlement of the case by the parties; and

(11) Other matters as may tend to encourage the fair, just and expeditious disposition of the proceedings, including the protection of privacy of individually identifiable health information that may be submitted into evidence or otherwise used in the proceeding, if appropriate.

(c) The ALJ must issue an order containing the matters agreed upon by the parties or ordered by the ALJ at a prehearing conference.

§ 160.514 Authority to settle.

The Secretary has exclusive authority to settle any issue or case without the consent of the ALJ.

§ 160.516 Discovery.

(a) A party may make a request to another party for production of documents for inspection and copying that are relevant and material to the issues before the ALJ.

(b) For the purpose of this section, the term “documents” includes information, reports, answers, records, accounts, papers and other data and documentary evidence. Nothing contained in this section may be interpreted to require the creation of a document, except that requested data stored in an electronic data storage system must be produced in a form accessible to the requesting party.

(c) Requests for documents, requests for admissions, written interrogatories, depositions and any forms of discovery, other than those permitted under paragraph (a) of this section, are not authorized.

(d) This section may not be construed to require the disclosure of interview reports or statements obtained by any party, or on behalf of any party, of persons who will not be called as witnesses by that party, or analyses and summaries prepared in conjunction with the investigation or litigation of the case, or any otherwise privileged documents.

(e)(1) When a request for production of documents has

been received, within 30 days the party receiving that request must either fully respond to the request, or state that the request is being objected to and the reasons for that objection. If objection is made to part of an item or category, the part must be specified. Upon receiving any objections, the party seeking production may then, within 30 days or any other time frame set by the ALJ, file a motion for an order compelling discovery. The party receiving a request for production may also file a motion for protective order any time before the date the production is due.

(2) The ALJ may grant a motion for protective order or deny a motion for an order compelling discovery if the ALJ finds that the discovery sought—

(i) Is irrelevant;

(ii) Is unduly costly or burdensome;

(iii) Will unduly delay the proceeding; or

(iv) Seeks privileged information.

(3) The ALJ may extend any of the time frames set forth in paragraph (e)(1) of this section.

(4) The burden of showing that discovery should be allowed is on the party seeking discovery.

§ 160.518 Exchange of witness lists, witness statements, and exhibits.

(a) The parties must exchange witness lists, copies of prior written statements of proposed witnesses, and copies of proposed hearing exhibits, including copies of any written statements that the party intends to offer in lieu of live testimony in accordance with § 160.538, not more than 60, and not less than 15, days before the scheduled hearing, except that if a respondent intends to introduce the evidence of a statistical expert, the respondent must provide the Secretarial party with a copy of the statistical expert's report not less than 30 days before the scheduled hearing.

(b)(1) If, at any time, a party objects to the proposed admission of evidence not exchanged in accordance with paragraph (a) of this section, the ALJ must determine whether the failure to comply with paragraph (a) of this section should result in the exclusion of that evidence.

(2) Unless the ALJ finds that extraordinary circumstances justified the failure timely to exchange the information listed under paragraph (a) of this section, the ALJ must exclude from the party's case-in-chief—

(i) The testimony of any witness whose name does not appear on the witness list; and

(ii) Any exhibit not provided to the opposing party as specified in paragraph (a) of this section.

(3) If the ALJ finds that extraordinary circumstances existed, the ALJ must then determine whether the admission of that evidence would cause substantial prejudice to the objecting party.

(i) If the ALJ finds that there is no substantial prejudice, the evidence may be admitted.

(ii) If the ALJ finds that there is substantial prejudice, the ALJ may exclude the evidence, or, if he or she does not exclude the evidence, must postpone the hearing for such time as is necessary for the objecting party to prepare and respond to the evidence, unless the objecting party waives postponement.

(c) Unless the other party objects within a reasonable period of time before the hearing, documents exchanged in accordance with paragraph (a) of this section will be deemed to be authentic for the purpose of admissibility at the hearing.

§ 160.520 Subpoenas for attendance at hearing.

(a) A party wishing to procure the appearance and testimony of any person at the hearing may make a motion requesting the ALJ to issue a subpoena if the appearance and testimony are reasonably necessary for the presentation of a party's case.

(b) A subpoena requiring the attendance of a person in accordance with paragraph (a) of this section may also require the person (whether or not the person is a party) to produce relevant and material evidence at or before the hearing.

(c) When a subpoena is served by a respondent on a particular employee or official or particular office of HHS, the Secretary may comply by designating any knowledgeable HHS representative to appear and testify.

(d) A party seeking a subpoena must file a written motion not less than 30 days before the date fixed for the hearing, unless otherwise allowed by the ALJ

for good cause shown. That motion must—

(1) Specify any evidence to be produced;

(2) Designate the witnesses; and

(3) Describe the address and location with sufficient particularity to permit those witnesses to be found.

(e) The subpoena must specify the time and place at which the witness is to appear and any evidence the witness is to produce.

(f) Within 15 days after the written motion requesting issuance of a subpoena is served, any party may file an opposition or other response.

(g) If the motion requesting issuance of a subpoena is granted, the party seeking the subpoena must serve it by delivery to the person named, or by certified mail addressed to that person at the person's last dwelling place or principal place of business.

(h) The person to whom the subpoena is directed may file with the ALJ a motion to quash the subpoena within 10 days after service.

(i) The exclusive remedy for contumacy by, or refusal to obey a subpoena duly served upon, any person is specified in 42 U.S.C. 405(e).

§ 160.522 Fees.

The party requesting a subpoena must pay the cost of the fees and mileage of any witness subpoenaed in the amounts that would be payable to a witness in a proceeding in United States District Court. A check for witness fees and mileage must accompany the subpoena when served, except that, when a subpoena is issued on behalf of the Secretary, a check for witness fees and mileage need not accompany the subpoena.

§ 160.524 Form, filing, and service of papers.

(a) Forms. (1) Unless the ALJ directs the parties to do otherwise, documents filed with the ALJ must include an original and two copies.

(2) Every pleading and paper filed in the proceeding must contain a caption setting forth the title of the action, the case number, and a designation of the paper, such as motion to quash subpoena.

(3) Every pleading and paper must be signed by and must contain the address and telephone number of the party or the person on whose behalf the paper was filed, or his or her representative.

(4) Papers are considered filed when they are mailed.

(b) Service. A party filing a document with the ALJ or the Board must, at the time of filing, serve a copy of the document on the other party. Service upon any party of any document must be made by delivering a copy, or placing a copy of the document in the United States mail, postage prepaid and addressed, or with a private delivery service, to the party's last known address. When a party is represented by an attorney, service must be made upon the attorney in lieu of the party.

(c) Proof of service. A certificate of the natural person serving the document by personal delivery or by mail, setting forth the manner of service, constitutes proof of service.

§ 160.526 Computation of time.

(a) In computing any period of time under this subpart or in an order issued thereunder, the time begins with the day following the act, event or default, and includes the last day of the period unless it is a Saturday, Sunday, or legal holiday observed by the Federal Government, in which event it includes the next business day.

(b) When the period of time allowed is less than 7 days, intermediate Saturdays, Sundays, and legal holidays observed by the Federal Government must be excluded from the computation.

(c) Where a document has been served or issued by placing it in the mail, an additional 5 days must be added to the time permitted for any response. This paragraph does not apply to requests for hearing under § 160.504.

§ 160.528 Motions.

(a) An application to the ALJ for an order or ruling must be by motion. Motions must state the relief sought, the authority relied upon and the facts alleged, and must be filed with the ALJ and served on all other parties.

(b) Except for motions made during a prehearing conference or at the hearing, all motions must be in writing. The ALJ

may require that oral motions be reduced to writing.

(c) Within 10 days after a written motion is served, or such other time as may be fixed by the ALJ, any party may file a response to the motion.

(d) The ALJ may not grant a written motion before the time for filing responses has expired, except upon consent of the parties or following a hearing on the motion, but may overrule or deny the motion without awaiting a response.

(e) The ALJ must make a reasonable effort to dispose of all outstanding motions before the beginning of the hearing.

§ 160.530 Sanctions.

The ALJ may sanction a person, including any party or attorney, for failing to comply with an order or procedure, for failing to defend an action or for other misconduct that interferes with the speedy, orderly or fair conduct of the hearing. The sanctions must reasonably relate to the severity and nature of the failure or misconduct. The sanctions may include—

(a) In the case of refusal to provide or permit discovery under the terms of this part, drawing negative factual inferences or treating the refusal as an admission by deeming the matter, or certain facts, to be established;

(b) Prohibiting a party from introducing certain evidence or otherwise supporting a particular claim or defense;

(c) Striking pleadings, in whole or in part;

(d) Staying the proceedings;

(e) Dismissal of the action;

(f) Entering a decision by default;

(g) Ordering the party or attorney to pay the attorney's fees and other costs caused by the failure or misconduct; and

(h) Refusing to consider any motion or other action that is not filed in a timely manner.

§ 160.532 Collateral estoppel.

When a final determination that the respondent violated an administrative simplification provision has been rendered in any proceeding in which the respondent was a party and had an opportunity to be heard, the respondent is bound by that determination in any proceeding under this part.

§ 160.534 The hearing.

(a) The ALJ must conduct a hearing on the record in order to determine whether the respondent should be found liable under this part.

(b)(1) The respondent has the burden of going forward and the burden of persuasion with respect to any:

(i) Affirmative defense pursuant to § 160.410 of this part;

(ii) Challenge to the amount of a proposed penalty pursuant to §§ 160.404-160.408 of this part, including any factors raised as mitigating factors; or

(iii) Claim that a proposed penalty should be reduced or waived pursuant to § 160.412 of this part; and

(iv) Compliance with subpart D of part 164, as provided under § 164.414(b).

(2) The Secretary has the burden of going forward and the burden of persuasion with respect to all other issues, including issues of liability other than with respect to subpart D of part 164, and the existence of any factors considered aggravating factors in determining the amount of the proposed penalty.

(3) The burden of persuasion will be judged by a preponderance of the evidence.

(c) The hearing must be open to the public unless otherwise ordered by the ALJ for good cause shown.

(d)(1) Subject to the 15-day rule under § 160.518(a) and the admissibility of evidence under § 160.540, either party may introduce, during its case in chief, items or information that arose or became known after the date of the issuance of the notice of proposed determination or the request for hearing, as applicable. Such items and information may not be admitted into evidence, if introduced—

(i) By the Secretary, unless they are material and relevant to the acts or omissions with respect to which the penalty is proposed in the notice of proposed determination pursuant to § 160.420 of this part, including circumstances that may increase penalties; or

(ii) By the respondent, unless they are material and relevant to an admission, denial or

explanation of a finding of fact in the notice of proposed determination under § 160.420 of this part, or to a specific circumstance or argument expressly stated in the request for hearing under § 160.504, including circumstances that may reduce penalties.

(2) After both parties have presented their cases, evidence may be admitted in rebuttal even if not previously exchanged in accordance with § 160.518.

[71 FR 8428, Feb. 16, 2006, as amended at 74 FR 42767, Aug. 24, 2009; 78 FR 5692, Jan. 25, 2013]

§ 160.536 Statistical sampling.

(a) In meeting the burden of proof set forth in § 160.534, the Secretary may introduce the results of a statistical sampling study as evidence of the number of violations under § 160.406 of this part, or the factors considered in determining the amount of the civil money penalty under § 160.408 of this part. Such statistical sampling study, if based upon an appropriate sampling and computed by valid statistical methods, constitutes prima facie evidence of the number of violations and the existence of factors material to the proposed civil money penalty as described in §§ 160.406 and 160.408.

(b) Once the Secretary has made a prima facie case, as described in paragraph (a) of this section, the burden of going forward shifts to the respondent to produce evidence reasonably calculated to rebut the findings of the statistical sampling study. The Secretary will then be given the opportunity to rebut this evidence.

§ 160.538 Witnesses.

(a) Except as provided in paragraph (b) of this section, testimony at the hearing must be given orally by witnesses under oath or affirmation.

(b) At the discretion of the ALJ, testimony of witnesses other than the testimony of expert witnesses may be admitted in the form of a written statement. The ALJ may, at his or her discretion, admit prior sworn testimony of experts that has been subject to adverse examination, such as a deposition or trial testimony. Any such written statement must be provided to the other party, along with the last known address of the witness, in a manner that allows sufficient time for the other party to subpoena the witness for cross-examination at the hearing. Prior written statements of witnesses proposed to testify at the hearing must be exchanged as provided in § 160.518.

(c) The ALJ must exercise reasonable control over the mode and order of interrogating witnesses and presenting evidence so as to:

(1) Make the interrogation and presentation effective for the ascertainment of the truth;

(2) Avoid repetition or needless consumption of time; and

(3) Protect witnesses from harassment or undue embarrassment.

(d) The ALJ must permit the parties to conduct cross-examination of witnesses as may be required for a full and true disclosure of the facts.

(e) The ALJ may order witnesses excluded so that they cannot hear the testimony of other witnesses, except that the ALJ may not order to be excluded—

(1) A party who is a natural person;

(2) In the case of a party that is not a natural person, the officer or employee of the party appearing for the entity pro se or designated as the party's representative; or

(3) A natural person whose presence is shown by a party to be essential to the presentation of its case, including a person engaged in assisting the attorney for the Secretary.

§ 160.540 Evidence.

(a) The ALJ must determine the admissibility of evidence.

(b) Except as provided in this subpart, the ALJ is not bound by the Federal Rules of Evidence. However, the ALJ may apply the Federal Rules of Evidence where appropriate, for example, to exclude unreliable evidence.

(c) The ALJ must exclude irrelevant or immaterial evidence.

(d) Although relevant, evidence may be excluded if its probative value is substantially outweighed by the danger of unfair prejudice, confusion of the issues, or by considerations of undue delay or needless presentation of cumulative evidence.

(e) Although relevant, evidence must be excluded if it is privileged under Federal law.

(f) Evidence concerning offers of compromise or settlement are inadmissible to the extent provided in Rule 408 of the Federal Rules of Evidence.

(g) Evidence of crimes, wrongs, or acts other than those at issue in the instant case is admissible in order to show motive, opportunity, intent, knowledge, preparation, identity, lack of mistake, or existence of a scheme. This evidence is admissible regardless of whether the crimes, wrongs, or acts occurred during the statute of limitations period applicable to the acts or omissions that constitute the basis for liability in the case and regardless of whether they were referenced in the Secretary's notice of proposed determination under § 160.420 of this part.

(h) The ALJ must permit the parties to introduce rebuttal witnesses and evidence.

(i) All documents and other evidence offered or taken for the record must be open to examination by both parties, unless otherwise ordered by the ALJ for good cause shown.

§ 160.542 The record.

(a) The hearing must be recorded and transcribed. Transcripts may be obtained following the hearing from the ALJ. A party that requests a transcript of hearing proceedings must pay the cost of preparing the transcript unless, for good cause shown by the party, the payment is waived by the ALJ or the Board, as appropriate.

(b) The transcript of the testimony, exhibits, and other evidence admitted at the hearing, and all papers and requests filed in the proceeding constitute the record for decision by the ALJ and the Secretary.

(c) The record may be inspected and copied (upon payment of a reasonable fee) by any person, unless otherwise ordered by the ALJ for good cause shown.

(d) For good cause, the ALJ may order appropriate redactions made to the record.

§ 160.544 Post hearing briefs.

The ALJ may require the parties to file post-hearing briefs. In any event, any party may file a post-hearing brief. The ALJ must fix the time for filing the briefs. The time for filing may not exceed 60 days from the date the parties receive the transcript of the hearing or, if applicable, the stipulated record. The briefs may be accompanied by proposed findings of fact and conclusions of law. The ALJ may permit the parties to file reply briefs.

§ 160.546 ALJ's decision.

(a) The ALJ must issue a decision, based only on the record, which must contain findings of fact and conclusions of law.

(b) The ALJ may affirm, increase, or reduce the penalties imposed by the Secretary.

(c) The ALJ must issue the decision to both parties within 60 days after the time for submission of post-hearing briefs and reply briefs, if permitted, has expired. If the ALJ fails to meet the deadline contained in this paragraph, he or she must notify the parties of the reason for the delay and set a new deadline.

(d) Unless the decision of the ALJ is timely appealed as provided for in § 160.548, the decision of the ALJ will be final and binding on the parties 60 days from the date of service of the ALJ's decision.

§ 160.548 Appeal of the ALJ's decision.

(a) Any party may appeal the decision of the ALJ to the Board by filing a notice of appeal with the Board within 30 days of the date of service of the ALJ decision. The Board may extend the initial 30 day period for a period of time not to exceed 30 days if a party files with the Board a request for an extension within the initial 30 day period and shows good cause.

(b) If a party files a timely notice of appeal with the Board, the ALJ must forward the record of the proceeding to the Board.

(c) A notice of appeal must be accompanied by a written brief specifying exceptions to the initial decision and reasons supporting the exceptions. Any party may file a brief in opposition to the exceptions, which may raise any relevant issue not addressed in the exceptions, within 30 days of receiving the notice of appeal and the accompanying brief. The Board may permit the parties to file reply briefs.

(d) There is no right to appear personally before the Board or to appeal to the Board any interlocutory ruling by the ALJ.

(e) Except for an affirmative defense under § 160.410(a)(1) or (2) of this part, the Board may not consider any issue not raised in the parties' briefs, nor any issue in the briefs that could have been raised before the ALJ but was not.

(f) If any party demonstrates to the satisfaction of the Board that additional evidence not presented at such hearing is relevant and material and that there were reasonable grounds for the failure to adduce such evidence at the hearing, the Board may remand the matter to the ALJ for consideration of such additional evidence.

(g) The Board may decline to review the case, or may affirm, increase, reduce, reverse or remand any penalty determined by the ALJ.

(h) The standard of review on a disputed issue of fact is whether the initial decision of the ALJ is supported by substantial evidence on the whole record. The standard of review on a disputed issue of law is whether the decision is erroneous.

(i) Within 60 days after the time for submission of briefs and reply briefs, if permitted, has expired, the Board must serve on each party to the appeal a copy of the Board's decision and a statement describing the right of any respondent who is penalized to seek judicial review.

(j)(1) The Board's decision under paragraph (i) of this section, including a decision to decline review of the initial decision, becomes the final decision of the Secretary 60 days after the date of service of the Board's decision, except with respect to a decision to remand to the ALJ or if reconsideration is requested under this paragraph.

(2) The Board will reconsider its decision only if it determines that the decision contains a clear error of fact or error of law. New evidence will not be a basis for reconsideration unless the party demonstrates that the evidence is newly discovered and was not previously available.

(3) A party may file a motion for reconsideration with the Board before the date the decision becomes final under paragraph (j)(1) of this section. A motion for reconsideration must be accompanied by a written brief specifying any alleged error of fact or law and, if the party is relying on additional evidence, explaining why the evidence was not previously available. Any party may file a brief in opposition within 15 days of receiving the motion for reconsideration and the accompanying brief unless this time limit is extended by the Board for good cause shown. Reply briefs are not permitted.

(4) The Board must rule on the motion for reconsideration not later than 30 days from the date the opposition brief is due. If the Board denies the motion, the decision issued under paragraph (i) of this section becomes the final decision of the Secretary on the date of service of the ruling. If the Board grants the motion, the Board will issue a reconsidered decision, after such procedures as the Board determines necessary to address the effect of any error. The Board's decision on reconsideration becomes the final decision of the Secretary on the date of service of the decision, except with respect to a decision to remand to the ALJ.

(5) If service of a ruling or decision issued under this section is by mail, the date of service will be deemed to be 5 days from the date of mailing.

(k)(1) A respondent's petition for judicial review must be filed within 60 days of the date on which the decision of the Board becomes the final decision of the Secretary under paragraph (j) of this section.

(2) In compliance with 28 U.S.C. 2112(a), a copy of any petition for judicial review filed in any U.S. Court of Appeals challenging the final decision of the Secretary must be sent by certified mail, return receipt requested, to the General Counsel of HHS. The petition copy must be a copy showing that it has been time-stamped by the clerk of the court when the original was filed with the court.

(3) If the General Counsel of HHS received two or more petitions within 10 days after the final decision of the Secretary, the General Counsel will notify the U.S. Judicial Panel on Multidistrict Litigation of any petitions that were received within the 10 day period.

§ 160.550 Stay of the Secretary's decision.

(a) Pending judicial review, the respondent may file a request for stay of the effective date of any penalty with the ALJ. The request must be accompanied by a copy of the notice of appeal filed with the Federal court. The filing of the request automatically stays the effective date of the penalty until such

35
HIPAA Administrative Simplification Regulation Text
March 2013

time as the ALJ rules upon the request.

(b) The ALJ may not grant a respondent's request for stay of any penalty unless the respondent posts a bond or provides other adequate security.

(c) The ALJ must rule upon a respondent's request for stay within 10 days of receipt.

§ 160.552 Harmless error.

No error in either the admission or the exclusion of evidence, and no error or defect in any ruling or order or in any act done or omitted by the ALJ or by any of the parties is ground for vacating, modifying or otherwise disturbing an otherwise appropriate ruling or order or act, unless refusal to take such action appears to the ALJ or the Board inconsistent with substantial justice. The ALJ and the Board at every stage of the proceeding must disregard any error or defect in the proceeding that does not affect the substantial rights of the parties.

PART 162—ADMINISTRATIVE REQUIREMENTS

Contents

Subpart A—General Provisions

§ 162.100 Applicability.
§ 162.103 Definitions.

Subparts B-C [Reserved]

Subpart D—Standard Unique Health Identifier for Health Care Providers

§ 162.402 [Reserved]
§ 162.404 Compliance dates of the implementation of the standard unique health identifier for health care providers.
§ 162.406 Standard unique health identifier for health care providers.
§ 162.408 National Provider System.
§ 162.410 Implementation specifications: Health care providers.
§ 162.412 Implementation specifications: Health plans.
§ 162.414 Implementation specifications: Health care clearinghouses.

Subpart E—Standard Unique Health Identifier for Health Plans

§ 162.502 [Reserved]
§ 162.504 Compliance requirements for the implementation of the standard unique health plan identifier.
§ 162.506 Standard unique health plan identifier.
§ 162.508 Enumeration System.
§ 162.510 Full implementation requirements: Covered entities.
§ 162.512 Implementation specifications: Health plans.
§ 162.514 Other entity identifier.

Subpart F—Standard Unique Employer Identifier

§ 162.600 Compliance dates of the implementation of the standard unique employer identifier.
§ 162.605 Standard unique employer identifier.
§ 162.610 Implementation specifications for covered entities.

Subparts G-H [Reserved]

Subpart I—General Provisions for Transactions

§ 162.900 [Reserved]
§ 162.910 Maintenance of standards and adoption of modifications and new standards.
§ 162.915 Trading partner agreements.
§ 162.920 Availability of implementation specifications and operating rules.
§ 162.923 Requirements for covered entities.
§ 162.925 Additional requirements for health plans.
§ 162.930 Additional rules for health care clearinghouses.
§ 162.940 Exceptions from standards to permit testing of proposed modifications.

Subpart J—Code Sets

§ 162.1000 General requirements.
§ 162.1002 Medical data code sets.
§ 162.1011 Valid code sets.

Subpart K—Health Care Claims or Equivalent Encounter Information

§ 162.1101 Health care claims or equivalent encounter information transaction.
§ 162.1102 Standards for health care claims or equivalent encounter information transaction.

Subpart L—Eligibility for a Health Plan

§ 162.1201 Eligibility for a health plan transaction.
§ 162.1202 Standards for eligibility for a health plan transaction.
§ 162.1203 Operating rules for eligibility for a health plan transaction.

Subpart M—Referral Certification and Authorization

§ 162.1301 Referral certification and authorization transaction.
§ 162.1302 Standards for referral certification and authorization transaction.

Subpart N—Health Care Claim Status

§ 162.1401 Health care claim status transaction.
§ 162.1402 Standards for health care claim status transaction.
§ 162.1403 Operating rules for health care claim status transaction.

Subpart O—Enrollment and Disenrollment in a Health Plan

§ 162.1501 Enrollment and disenrollment in a health plan transaction.
§ 162.1502 Standards for enrollment and disenrollment in a health plan transaction.

Subpart P—Health Care Electronic Funds Transfers (EFT) and Remittance Advice

§ 162.1601 Health care electronic funds transfers (EFT) and remittance advice transaction.
§ 162.1602 Standards for health care electronic funds transfers (EFT) and remittance advice transaction.
§ 162.1603 Operating rules for health care electronic funds transfers (EFT) and remittance advice transaction.

Subpart Q—Health Plan Premium Payments

§ 162.1701 Health plan premium payments transaction.
§ 162.1702 Standards for health plan premium payments transaction.

Subpart R—Coordination of Benefits

§ 162.1801 Coordination of benefits transaction.
§ 162.1802 Standards for coordination of benefits information transaction.

Subpart S—Medicaid Pharmacy Subrogation

§ 162.1901 Medicaid pharmacy subrogation transaction.
§ 162.1902 Standard for Medicaid pharmacy subrogation transaction.

AUTHORITY: Secs. 1171 through 1180 of the Social Security Act (42 U.S.C. 1320d-1320d-9), as added by sec. 262 of Pub. L. 104-191, 110 Stat. 2021-2031, sec. 105 of Pub. L. 110-233, 122 Stat. 881-922, and sec. 264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note), and secs. 1104 and 10109 of Pub. L. 111-148, 124 Stat. 146-154 and 915-917.

SOURCE: 65 FR 50367, Aug. 17, 2000, unless otherwise noted.

Subpart A—General Provisions

§ 162.100 Applicability.

Covered entities (as defined in § 160.103 of this subchapter) must comply with the applicable requirements of this part.

§ 162.103 Definitions.

For purposes of this part, the following definitions apply:

Code set means any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. A code set includes the codes and the descriptors of the codes.

Code set maintaining organization means an organization that creates and maintains the code sets adopted by the Secretary for use in the transactions for which standards are adopted in this part.

Controlling health plan (CHP) means a health plan that—

(1) Controls its own business activities, actions, or policies; or

(2)(i) Is controlled by an entity that is not a health plan; and

(ii) If it has a subhealth plan(s) (as defined in this section), exercises sufficient control over the subhealth plan(s) to direct its/their business activities, actions, or policies.

Covered health care provider means a health care provider that meets the definition at paragraph (3) of the definition of “covered entity” at § 160.103.

Data condition means the rule that describes the circumstances under which a covered entity must use a particular data element or segment.

Data content means all the data elements and code sets inherent to a transaction, and not related to the format of the transaction. Data elements that are related to the format are not data content.

Data element means the smallest named unit of information in a transaction.

Data set means a semantically meaningful unit of information exchanged between two parties to a transaction.

Descriptor means the text defining a code.

Designated standard maintenance organization (DSMO) means an organization designated by the Secretary under § 162.910(a).

Direct data entry means the direct entry of data (for example, using dumb terminals or web browsers) that is immediately transmitted into a health plan's computer.

Format refers to those data elements that provide or control the enveloping or hierarchical structure, or assist in identifying data content of, a transaction.

HCPCS stands for the Health [Care Financing Administration] Common Procedure Coding System.

Maintain or maintenance refers to activities necessary to support the use of a standard adopted by the Secretary, including technical corrections to an implementation specification, and enhancements or expansion of a code set. This term excludes the activities related to the adoption of a new standard or implementation specification, or modification to an adopted standard or implementation specification.

Maximum defined data set means all of the required data elements for a particular standard based on a specific implementation specification.

Operating rules means the necessary business rules and guidelines for the electronic exchange of information that are not defined by a standard or its implementation specifications as adopted for purposes of this part.

Segment means a group of related data elements in a transaction.

Stage 1 payment initiation means a health plan's order, instruction or authorization to its financial institution to make a health care claims payment using an electronic funds transfer (EFT) through the ACH Network.

Standard transaction means a transaction that complies with an applicable standard and associated operating rules adopted under this part.

Subhealth plan (SHP) means a health plan whose business activities, actions, or policies are directed by a controlling health plan.

[65 FR 50367, Aug. 17, 2000, as amended at 68 FR 8374, Feb. 20, 2003; 74 FR 3324, Jan. 16, 2009; 76 FR 40495, July 8, 2011; 77 FR 1589, Jan. 10, 2012; 77 FR 54719, Sept. 5, 2012]

Subparts B-C [Reserved]

Subpart D—Standard Unique Health Identifier for Health Care Providers

SOURCE: 69 FR 3468, Jan. 23, 2004, unless otherwise noted.

§ 162.402 [Reserved]

§ 162.404 Compliance dates of the implementation of the standard unique health identifier for health care providers.

(a) Health care providers. A covered health care provider must comply with the implementation specifications in § 162.410 no later than May 23, 2007.

(b) Health plans. A health plan must comply with the implementation specifications in § 162.412 no later than one of the following dates:

(1) A health plan that is not a small health plan—May 23, 2007.

(2) A small health plan—May 23, 2008.

(c) Health care clearinghouses. A health care clearinghouse must comply with the implementation specifications in § 162.414 no later than May 23, 2007.

[69 FR 3468, Jan. 23, 2004, as amended at 77 FR 54719, Sept. 5, 2012]

§ 162.406 Standard unique health identifier for health care providers.

(a) Standard. The standard unique health identifier for health care providers is the National Provider Identifier (NPI). The NPI is a 10-position numeric identifier, with a check digit in the 10th position, and no intelligence about the health care provider in the number.

(b) Required and permitted uses for the NPI. (1) The NPI must be used as stated in § 162.410, § 162.412, and § 162.414.

(2) The NPI may be used for any other lawful purpose.

§ 162.408 National Provider System.

National Provider System. The National Provider System (NPS) shall do the following:

(a) Assign a single, unique NPI to a health care provider, provided that—

(1) The NPS may assign an NPI to a subpart of a health care provider in accordance with paragraph (g); and

(2) The Secretary has sufficient information to permit the assignment to be made.

(b) Collect and maintain information about each health
care provider that has been assigned an NPI and perform tasks necessary to update that information.

(c) If appropriate, deactivate an NPI upon receipt of appropriate information concerning the dissolution of the health care provider that is an organization, the death of the health care provider who is an individual, or other circumstances justifying deactivation.

(d) If appropriate, reactivate a deactivated NPI upon receipt of appropriate information.

(e) Not assign a deactivated NPI to any other health care provider.

(f) Disseminate NPS information upon approved requests.

(g) Assign an NPI to a subpart of a health care provider on request if the identifying data for the subpart are unique.

§ 162.410 Implementation specifications: Health care providers.

(a) A covered entity that is a covered health care provider must:

(1) Obtain, by application if necessary, an NPI from the National Provider System (NPS) for itself or for any subpart of the covered entity that would be a covered health care provider if it were a separate legal entity. A covered entity may obtain an NPI for any other subpart that qualifies for the assignment of an NPI.

(2) Use the NPI it obtained from the NPS to identify itself on all standard transactions that it conducts where its health care provider identifier is required.

(3) Disclose its NPI, when requested, to any entity that needs the NPI to identify that covered health care provider in a standard transaction.

(4) Communicate to the NPS any changes in its required data elements in the NPS within 30 days of the change.

(5) If it uses one or more business associates to conduct standard transactions on its behalf, require its business associate(s) to use its NPI and other NPIs appropriately as required by the transactions that the business associate(s) conducts on its behalf.

(6) If it has been assigned NPIs for one or more subparts, comply with the requirements of paragraphs (a)(2) through (a)(5) of this section with respect to each of those NPIs.

(b) An organization covered health care provider that has as a member, employs, or contracts with, an individual health care provider who is not a covered entity and is a prescriber, must require such health care provider to—

(1) Obtain an NPI from the National Plan and Provider Enumeration System (NPPES); and

(2) To the extent the prescriber writes a prescription while acting within the scope of the prescriber's relationship with the organization, disclose the NPI upon request to any entity that needs it to identify the prescriber in a standard transaction.

(c) A health care provider that is not a covered entity may obtain, by application if necessary, an NPI from the NPS.

[69 FR 3468, Jan. 23, 2004, as amended at 77 FR 54719, Sept. 5, 2012]

§ 162.412 Implementation specifications: Health plans.

(a) A health plan must use the NPI of any health care provider (or subpart(s), if applicable) that has been assigned an NPI to identify that health care provider on all standard transactions where that health care provider's identifier is required.

(b) A health plan may not require a health care provider that has been assigned an NPI to obtain an additional NPI.

§ 162.414 Implementation specifications: Health care clearinghouses.

A health care clearinghouse must use the NPI of any health care provider (or subpart(s), if applicable) that has been assigned an NPI to identify that health care provider on all standard transactions where that health care provider's identifier is required.

Subpart E—Standard Unique Health Identifier for Health Plans

SOURCE: 77 FR 54719, Sept. 5, 2012, unless otherwise noted.

§ 162.502 [Reserved]

§ 162.504 Compliance requirements for the implementation of the standard unique health plan identifier.

(a) Covered entities. A covered entity must comply with the implementation requirements in § 162.510 no later than November 7, 2016.

(b) Health plans. A health plan must comply with the implementation specifications in § 162.512 no later than one of the following dates:

(1) A health plan that is not a small health plan—November 5, 2014.

(2) A health plan that is a small health plan—November 5, 2015.

[77 FR 54719, Sept. 5, 2012, as amended at 77 FR 60630, Oct. 4, 2012]

§ 162.506 Standard unique health plan identifier.

(a) Standard. The standard unique health plan identifier is the Health Plan Identifier (HPID) that is assigned by the Enumeration System identified in § 162.508.

(b) Required and permitted uses for the HPID. (1) The HPID must be used as specified in § 162.510 and § 162.512.

(2) The HPID may be used for any other lawful purpose.

§ 162.508 Enumeration System.

The Enumeration System must do all of the following:

(a) Assign a single, unique—

(1) HPID to a health plan, provided that the Secretary has sufficient information to permit the assignment to be made; or

(2) OEID to an entity eligible to receive one under § 162.514(a), provided that the Secretary has sufficient information to permit the assignment to be made.

(b) Collect and maintain information about each health plan that applies for or has been assigned an HPID and each entity that applies for or has been assigned an OEID, and perform tasks necessary to update that information.

(c) If appropriate, deactivate an HPID or OEID upon receipt of sufficient information concerning circumstances justifying deactivation.

(d) If appropriate, reactivate a deactivated HPID or OEID upon receipt of sufficient information justifying reactivation.

(e) Not assign a deactivated HPID to any other health plan or OEID to any other entity.

(f) Disseminate Enumeration System information upon approved requests.

§ 162.510 Full implementation requirements: Covered entities.

(a) A covered entity must use an HPID to identify a health plan that has an HPID when a covered entity identifies a health plan in a transaction for which the Secretary has adopted a standard under this part.

(b) If a covered entity uses one or more business associates to conduct standard transactions on its behalf, it must require its business associate(s) to use an HPID to identify a health plan that has an HPID when the business associate(s) identifies a health plan in a transaction for which the Secretary has adopted a standard under this part.

§ 162.512 Implementation specifications: Health plans.

(a) A controlling health plan must do all of the following:

(1) Obtain an HPID from the Enumeration System for itself.

(2) Disclose its HPID, when requested, to any entity that needs the HPID to identify the health plan in a standard transaction.

(3) Communicate to the Enumeration System any changes in its required data elements in the Enumeration System within 30 days of the change.

(b) A controlling health plan may do the following:

(1) Obtain an HPID from the Enumeration System for a subhealth plan of the controlling health plan.

(2) Direct a subhealth plan of the controlling health plan to obtain an HPID from the Enumeration System.

(c) A subhealth plan may obtain an HPID from the Enumeration System.

(d) A subhealth plan that is assigned an HPID from the Enumeration System must comply with the requirements that apply to a controlling health plan in paragraphs (a)(2) and (a)(3) of this section.

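The NPI format in § 162.406(a) above (ten numeric positions, a check digit in the 10th, no intelligence about the provider in the number) is the kind of identifier that every system ingesting standard transactions should validate syntactically before acting on it. The following validator is an added example written for this page; it is not part of the regulation text or of any HHS or CMS software. It relies on one fact the regulation does not state: the NPI check digit is computed with the Luhn formula over the first nine digits with the constant prefix 80840 prepended, as the CMS NPI standard specifies. The sample identifiers are constructed for the demonstration and do not refer to real providers, and the function names are the example's own.

```python
"""NPI syntactic validation: length, ASCII digits only, and Luhn check digit.

Added example for § 162.406(a); not part of the regulation text.
"""
import re

# § 162.406(a) fixes the shape: 10 numeric positions, check digit in position 10.
# The check-digit algorithm itself is not in the regulation; it is taken from the
# CMS NPI standard: Luhn over the first nine digits prefixed with "80840".
NPI_PREFIX = "80840"
_TEN_ASCII_DIGITS = re.compile(r"[0-9]{10}")  # [0-9], not the Unicode-aware digit class
_NINE_ASCII_DIGITS = re.compile(r"[0-9]{9}")


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a string of ASCII decimal digits (payload without the check digit)."""
    total = 0
    # Walk from the rightmost payload digit, doubling every other digit starting with it.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # equivalent to summing the two digits of the doubled value
        total += d
    return (10 - total % 10) % 10


def npi_check_digit(first_nine: str) -> int:
    """Check digit for the first nine NPI positions, computed with the 80840 prefix."""
    if not _NINE_ASCII_DIGITS.fullmatch(first_nine):
        raise ValueError("first nine NPI positions must be ASCII digits")
    return luhn_check_digit(NPI_PREFIX + first_nine)


def is_valid_npi(npi: str) -> bool:
    """True only if npi is exactly ten ASCII digits and position 10 matches the check digit."""
    if not _TEN_ASCII_DIGITS.fullmatch(npi):
        return False  # wrong length, whitespace, letters, or non-ASCII digits
    return int(npi[9]) == npi_check_digit(npi[:9])


def partition_npis(candidates):
    """Split candidate identifiers into (valid, invalid) lists, preserving input order."""
    valid, invalid = [], []
    for c in candidates:
        (valid if is_valid_npi(c) else invalid).append(c)
    return valid, invalid


# Constructed sample input (not real providers): one value per failure mode plus two that pass.
SAMPLE_IDS = [
    "1234567893",  # passes: check digit 3 matches the first nine positions
    "1234567894",  # single-digit transcription error in the check digit
    "123456789",   # truncated to nine positions
    "12345678A3",  # non-numeric character
    "0000000006",  # passes: all-zero payload, check digit 6 comes entirely from the prefix
]

if __name__ == "__main__":
    ok, bad = partition_npis(SAMPLE_IDS)
    print("valid:", ok)
    print("invalid:", bad)
```

A matching check digit only shows that the value was not mangled in transit or transcription; it says nothing about whether the NPS actually assigned that NPI or whether it belongs to the entity presenting it. Treat this as a cheap syntactic gate applied before any lookup against the NPS data disseminated under § 162.408(f), not as proof of identity.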

§ 162.514 Other entity identifier.

(a) An entity may obtain an Other Entity Identifier (OEID) to identify itself if the entity meets all of the following:

(1) Needs to be identified in a transaction for which the Secretary has adopted a standard under this part.

(2) Is not eligible to obtain an HPID.

(3) Is not eligible to obtain an NPI.

(4) Is not an individual.

(b) An OEID must be obtained from the Enumeration System identified in § 162.508.

(c) Uses for the OEID. (1) An other entity may use the OEID it obtained from the Enumeration System to identify itself or have itself identified on all covered transactions in which it needs to be identified.

(2) The OEID may be used for any other lawful purpose.

Subpart F—Standard Unique Employer Identifier

SOURCE: 67 FR 38020, May 31, 2002, unless otherwise noted.

§ 162.600 Compliance dates of the implementation of the standard unique employer identifier.

(a) Health care providers. Health care providers must comply with the requirements of this subpart no later than July 30, 2004.

(b) Health plans. A health plan must comply with the requirements of this subpart no later than one of the following dates:

(1) Health plans other than small health plans—July 30, 2004.

(2) Small health plans—August 1, 2005.

(c) Health care clearinghouses. Health care clearinghouses must comply with the requirements of this subpart no later than July 30, 2004.

§ 162.605 Standard unique employer identifier.

The Secretary adopts the EIN as the standard unique employer identifier provided for by 42 U.S.C. 1320d-2(b).

§ 162.610 Implementation specifications for covered entities.

(a) The standard unique employer identifier of an employer of a particular employee is the EIN that appears on that employee's IRS Form W-2, Wage and Tax Statement, from the employer.

(b) A covered entity must use the standard unique employer identifier (EIN) of the appropriate employer in standard transactions that require an employer identifier to identify a person or entity as an employer, including where situationally required.

(c) Required and permitted uses for the Employer Identifier.

(1) The Employer Identifier must be used as stated in § 162.610(b).

(2) The Employer Identifier may be used for any other lawful purpose.

[67 FR 38020, May 31, 2002, as amended at 69 FR 3469, Jan. 23, 2004]

Subparts G-H [Reserved]

Subpart I—General Provisions for Transactions

§ 162.900 [Reserved]

§ 162.910 Maintenance of standards and adoption of modifications and new standards.

(a) Designation of DSMOs. (1) The Secretary may designate as a DSMO an organization that agrees to conduct, to the satisfaction of the Secretary, the following functions:

(i) Maintain standards adopted under this subchapter.

(ii) Receive and process requests for adopting a new standard or modifying an adopted standard.

(2) The Secretary designates a DSMO by notice in the FEDERAL REGISTER.

(b) Maintenance of standards. Maintenance of a standard by the appropriate DSMO constitutes maintenance of the standard for purposes of this part, if done in accordance with the processes the Secretary may require.

(c) Process for modification of existing standards and adoption
of new standards. The Secretary considers a recommendation for a proposed modification to an existing standard, or a proposed new standard, only if the recommendation is developed through a process that provides for the following:

(1) Open public access.

(2) Coordination with other DSMOs.

(3) An appeals process for each of the following, if dissatisfied with the decision on the request:

(i) The requestor of the proposed modification.

(ii) A DSMO that participated in the review and analysis of the request for the proposed modification, or the proposed new standard.

(4) Expedited process to address content needs identified within the industry, if appropriate.

(5) Submission of the recommendation to the National Committee on Vital and Health Statistics (NCVHS).

§ 162.915 Trading partner agreements.

A covered entity must not enter into a trading partner agreement that would do any of the following:

(a) Change the definition, data condition, or use of a data element or segment in a standard or operating rule, except where necessary to implement State or Federal law, or to protect against fraud and abuse.

(b) Add any data elements or segments to the maximum defined data set.

(c) Use any code or data elements that are either marked “not used” in the standard's implementation specification or are not in the standard's implementation specification(s).

(d) Change the meaning or intent of the standard's implementation specification(s).

[65 FR 50367, Aug. 17, 2000, as amended at 76 FR 40495, July 8, 2011]

§ 162.920 Availability of implementation specifications and operating rules.

Certain material is incorporated by reference into this subpart with the approval of the Director of the Federal Register under 5 U.S.C. 552(a) and 1 CFR part 51. To enforce any edition other than that specified in this section, the Department of Health and Human Services must publish notice of change in the FEDERAL REGISTER and the material must be available to the public. All approved material is available for inspection at the National Archives and Records Administration (NARA). For information on the availability of this material at NARA, call (202) 714-6030, or go to: http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.html. The materials are also available for inspection by the public at the Centers for Medicare & Medicaid Services (CMS), 7500 Security Boulevard, Baltimore, Maryland 21244. For more information on the availability on the materials at CMS, call (410) 786-6597. The materials are also available from the sources listed below.

(a) ASC X12N specifications and the ASC X12 Standards for Electronic Data Interchange Technical Report Type 3. The implementation specifications for the ASC X12N and the ASC X12 Standards for Electronic Data Interchange Technical Report Type 3 (and accompanying Errata or Type 1 Errata) may be obtained from the ASC X12, 7600 Leesburg Pike, Suite 430, Falls Church, VA 22043; Telephone (703) 970-4480; and FAX (703) 970-4488. They are also available through the internet at http://www.X12.org. A fee is charged for all implementation specifications, including Technical Reports Type 3. Charging for such publications is consistent with the policies of other publishers of standards. The transaction implementation specifications are as follows:

(1) The ASC X12N 837—Health Care Claim: Dental, Version 4010, May 2000, Washington Publishing Company, 004010X097 and Addenda to Health Care Claim: Dental, Version 4010, October 2002, Washington Publishing Company, 004010X097A1, as referenced in § 162.1102 and § 162.1802.

(2) The ASC X12N 837—Health Care Claim: Professional, Volumes 1 and 2, Version 4010, May 2000, Washington Publishing Company, 004010X098 and Addenda to Health Care Claim: Professional, Volumes 1 and 2, Version 4010, October 2002, Washington Publishing Company, 004010X098A1, as referenced in § 162.1102 and § 162.1802.

(3) The ASC X12N 837—Health Care Claim: Institutional, Volumes 1 and 2, Version 4010, May 2000, Washington Publishing Company, 004010X096 and Addenda to Health Care Claim: Institutional, Volumes 1 and 2, Version 4010, October 2002, Washington Publishing Company, 004010X096A1 as referenced in § 162.1102 and § 162.1802.

(4) The ASC X12N 835—Health Care Claim Payment/Advice, Version 4010, May 2000, Washington Publishing Company, 004010X091, and Addenda to Health Care Claim Payment/Advice, Version 4010, October 2002, Washington Publishing Company, 004010X091A1 as referenced in § 162.1602.

(5) ASC X12N 834—Benefit Enrollment and Maintenance, Version 4010, May 2000, Washington Publishing Company, 004010X095 and Addenda to Benefit Enrollment and Maintenance, Version 4010, October 2002, Washington Publishing Company, 004010X095A1, as referenced in § 162.1502.

(6) The ASC X12N 820—Payroll Deducted and Other Group Premium Payment for Insurance Products, Version 4010, May 2000, Washington Publishing Company, 004010X061, and Addenda to Payroll Deducted and Other Group Premium Payment for Insurance Products, Version 4010, October 2002, Washington Publishing Company, 004010X061A1, as referenced in § 162.1702.

(7) The ASC X12N 278—Health Care Services Review—Request for Review and Response, Version 4010, May 2000, Washington Publishing Company, 004010X094 and Addenda to Health Care Services Review—Request for Review and Response, Version 4010, October 2002, Washington Publishing Company, 004010X094A1, as referenced in § 162.1302.

(8) The ASC X12N-276/277 Health Care Claim Status Request and Response, Version 4010, May 2000, Washington Publishing Company, 004010X093 and Addenda to Health Care Claim Status Request and Response, Version 4010, October 2002, Washington Publishing Company, 004010X093A1, as referenced in § 162.1402.

(9) The ASC X12N 270/271—Health Care Eligibility Benefit Inquiry and Response, Version 4010, May 2000, Washington Publishing Company, 004010X092 and Addenda to Health Care Eligibility Benefit Inquiry and Response, Version 4010, October 2002, Washington Publishing Company, 004010X092A1, as referenced in § 162.1202.

(10) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Claim: Dental (837), May 2006, ASC X12N/005010X224, and Type 1 Errata to Health Care Claim Dental (837), ASC X12 Standards for Electronic Data Interchange Technical Report Type 3, October 2007, ASC X12N/005010X224A1, as referenced in § 162.1102 and § 162.1802.

(11) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Claim: Professional (837), May 2006, ASC X12, 005010X222, as referenced in § 162.1102 and § 162.1802.

(12) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Claim: Institutional (837), May 2006, ASC X12/N005010X223, and Type 1 Errata to Health Care Claim: Institutional (837), ASC X12 Standards for Electronic Data Interchange Technical Report Type 3, October 2007, ASC X12N/005010X223A1, as referenced in § 162.1102 and § 162.1802.

(13) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Claim Payment/Advice (835), April 2006, ASC X12N/005010X221, as referenced in § 162.1602.

(14) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Benefit Enrollment and Maintenance (834), August 2006, ASC X12N/005010X220, as referenced in § 162.1502.

(15) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Payroll Deducted and Other Group Premium Payment for Insurance Products (820), February 2007, ASC X12N/005010X218, as referenced in § 162.1702.

(16) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Services Review—Request for Review and Response (278), May 2006, ASC X12N/005010X217, and Errata to Health Care Services
Review—Request for Review and Response (278), ASC X12 Standards for Electronic Data Interchange Technical Report Type 3, April 2008, ASC X12N/005010X217E1, as referenced in § 162.1302.

(17) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Claim Status Request and Response (276/277), August 2006, ASC X12N/005010X212, and Errata to Health Care Claim Status Request and Response (276/277), ASC X12 Standards for Electronic Data Interchange Technical Report Type 3, April 2008, ASC X12N/005010X212E1, as referenced in § 162.1402.

(18) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Eligibility Benefit Inquiry and Response (270/271), April 2008, ASC X12N/005010X279, as referenced in § 162.1202.

(b) Retail pharmacy specifications and Medicaid subrogation implementation guides. The implementation specifications for the retail pharmacy standards and the implementation specifications for the batch standard for the Medicaid pharmacy subrogation transaction may be obtained from the National Council for Prescription Drug Programs, 9240 East Raintree Drive, Scottsdale, AZ 85260. Telephone (480) 477-1000; FAX (480) 767-1042. They are also available through the Internet at http://www.ncpdp.org. A fee is charged for all NCPDP Implementation Guides. Charging for such publications is consistent with the policies of other publishers of standards. The transaction implementation specifications are as follows:

(1) The Telecommunication Standard Implementation Guide Version 5, Release 1 (Version 5.1), September 1999, National Council for Prescription Drug Programs, as referenced in § 162.1102, § 162.1202, § 162.1302, § 162.1602, and § 162.1802.

(2) The Batch Standard Batch Implementation Guide, Version 1, Release 1 (Version 1.1), January 2000, supporting Telecommunication Standard Implementation Guide, Version 5, Release 1 (Version 5.1) for the NCPDP Data Record in the Detail Data Record, National Council for Prescription Drug Programs, as referenced in § 162.1102, § 162.1202, § 162.1302, and § 162.1802.

(3) The National Council for Prescription Drug Programs (NCPDP) equivalent NCPDP Batch Standard Batch Implementation Guide, Version 1, Release 0, February 1, 1996, as referenced in § 162.1102, § 162.1202, § 162.1602, and § 162.1802.

(4) The Telecommunication Standard Implementation Guide, Version D, Release 0 (Version D.0), August 2007, National Council for Prescription Drug Programs, as referenced in § 162.1102, § 162.1202, § 162.1302, and § 162.1802.

(5) The Batch Standard Implementation Guide, Version 1, Release 2 (Version 1.2), January 2006, National Council for Prescription Drug Programs, as referenced in § 162.1102, § 162.1202, § 162.1302, and § 162.1802.

(6) The Batch Standard Medicaid Subrogation Implementation Guide, Version 3, Release 0 (Version 3.0), July 2007, National Council for Prescription Drug Programs, as referenced in § 162.1902.

(c) Council for Affordable Quality Healthcare's (CAQH) Committee on Operating Rules for Information Exchange (CORE), 601 Pennsylvania Avenue, NW. South Building, Suite 500 Washington, DC 20004; Telephone (202) 861-1492; Fax (202) 861-1454; E-mail info@CAQH.org; and Internet at http://www.caqh.org/benefits.php.

(1) CAQH, Committee on Operating Rules for Information Exchange, CORE Phase I Policies and Operating Rules, Approved April 2006, v5010 Update March 2011.

(i) Phase I CORE 152: Eligibility and Benefit Real Time Companion Guide Rule, version 1.1.0, March 2011, as referenced in § 162.1203.

(ii) Phase I CORE 153: Eligibility and Benefits Connectivity Rule, version 1.1.0, March 2011, as referenced in § 162.1203.

(iii) Phase I CORE 154: Eligibility and Benefits 270/271 Data Content Rule, version 1.1.0, March 2011, as referenced in § 162.1203.

(iv) Phase I CORE 155: Eligibility and Benefits Batch Response Time Rule, version


1.1.0, March 2011, as referenced in § 162.1203.

(v) Phase I CORE 156: Eligibility and Benefits Real Time Response Time Rule, version 1.1.0, March 2011, as referenced in § 162.1203.

(vi) Phase I CORE 157: Eligibility and Benefits System Availability Rule, version 1.1.0, March 2011, as referenced in § 162.1203.

(2) ACME Health Plan, HIPAA Transaction Standard Companion Guide, Refers to the Implementation Guides Based on ASC X12 version 005010, CORE v5010 Master Companion Guide Template, 005010, 1.2, (CORE v 5010 Master Companion Guide Template, 005010, 1.2), March 2011, as referenced in §§ 162.1203, 162.1403, and 162.1603.

(3) CAQH, Committee on Operating Rules for Information Exchange, CORE Phase II Policies and Operating Rules, Approved July 2008, v5010 Update March 2011.

(i) Phase II CORE 250: Claim Status Rule, version 2.1.0, March 2011, as referenced in § 162.1403.

(ii) Phase II CORE 258: Eligibility and Benefits 270/271 Normalizing Patient Last Name Rule, version 2.1.0, March 2011, as referenced in § 162.1203.

(iii) Phase II CORE 259: Eligibility and Benefits 270/271 AAA Error Code Reporting Rule, version 2.1.0, March 2011, as referenced in § 162.1203.

(iv) Phase II CORE 260: Eligibility & Benefits Data Content (270/271) Rule, version 2.1.0, March 2011, as referenced in § 162.1203.

(v) Phase II CORE 270: Connectivity Rule, version 2.2.0, March 2011, as referenced in § 162.1203 and § 162.1403.

(4) Council for Affordable Quality Healthcare (CAQH) Phase III Committee on Operating Rules for Information Exchange (CORE) EFT & ERA Operating Rule Set, Approved June 2012, as specified in this paragraph and referenced in § 162.1603.

(i) Phase III CORE 380 EFT Enrollment Data Rule, version 3.0.0, June 2012.

(ii) Phase III CORE 382 ERA Enrollment Data Rule, version 3.0.0, June 2012.

(iii) Phase III 360 CORE Uniform Use of CARCs and RARCs (835) Rule, version 3.0.0, June 2012.

(iv) CORE-required Code Combinations for CORE-defined Business Scenarios for the Phase III CORE 360 Uniform Use of Claim Adjustment Reason Codes and Remittance Advice Remark Codes (835) Rule, version 3.0.0, June 2012.

(v) Phase III CORE 370 EFT & ERA Reassociation (CCD+/835) Rule, version 3.0.0, June 2012.

(vi) Phase III CORE 350 Health Care Claim Payment/Advice (835) Infrastructure Rule, version 3.0.0, June 2012, except Requirement 4.2 titled “Health Care Claim Payment/Advice Batch Acknowledgement Requirements”.

(d) The National Automated Clearing House Association (NACHA), The Electronic Payments Association, 1350 Sunrise Valley Drive, Suite 100, Herndon, Virginia 20171 (Phone) (703) 561-1100; (Fax) (703) 713-1641; Email: info@nacha.org; and Internet at http://www.nacha.org. The implementation specifications are as follows:

(1) 2011 NACHA Operating Rules & Guidelines, A Complete Guide to the Rules Governing the ACH Network, NACHA Operating Rules, Appendix One: ACH File Exchange Specifications (Operating Rule 59) as referenced in § 162.1602.

(2) 2011 NACHA Operating Rules & Guidelines, A Complete Guide to the Rules Governing the ACH Network, NACHA Operating Rules Appendix Three: ACH Record Format Specifications (Operating Rule 78), Part 3.1, Subpart 3.1.8 Sequence of Records for CCD Entries as referenced in § 162.1602.

[68 FR 8396, Feb. 20, 2003, as amended at 69 FR 18803, Apr. 9, 2004; 74 FR 3324, Jan. 16, 2009; 76 FR 40495, July 8, 2011; 77 FR 1590, Jan. 10, 2012; 77 FR 48043, Aug. 10, 2012]

§ 162.923 Requirements for covered entities.

(a) General rule. Except as otherwise provided in this part, if a covered entity conducts, with another covered entity that is required to comply with a transaction standard adopted


under this part (or within the same covered entity), using electronic media, a transaction for which the Secretary has adopted a standard under this part, the covered entity must conduct the transaction as a standard transaction.

(b) Exception for direct data entry transactions. A health care provider electing to use direct data entry offered by a health plan to conduct a transaction for which a standard has been adopted under this part must use the applicable data content and data condition requirements of the standard when conducting the transaction. The health care provider is not required to use the format requirements of the standard.

(c) Use of a business associate. A covered entity may use a business associate, including a health care clearinghouse, to conduct a transaction covered by this part. If a covered entity chooses to use a business associate to conduct all or part of a transaction on behalf of the covered entity, the covered entity must require the business associate to do the following:

(1) Comply with all applicable requirements of this part.

(2) Require any agent or subcontractor to comply with all applicable requirements of this part.

[65 FR 50367, Aug. 17, 2000, as amended at 74 FR 3325, Jan. 16, 2009]

§ 162.925 Additional requirements for health plans.

(a) General rules. (1) If an entity requests a health plan to conduct a transaction as a standard transaction, the health plan must do so.

(2) A health plan may not delay or reject a transaction, or attempt to adversely affect the other entity or the transaction, because the transaction is a standard transaction.

(3) A health plan may not reject a standard transaction on the basis that it contains data elements not needed or used by the health plan (for example, coordination of benefits information).

(4) A health plan may not offer an incentive for a health care provider to conduct a transaction covered by this part as a transaction described under the exception provided for in § 162.923(b).

(5) A health plan that operates as a health care clearinghouse, or requires an entity to use a health care clearinghouse to receive, process, or transmit a standard transaction may not charge fees or costs in excess of the fees or costs for normal telecommunications that the entity incurs when it directly transmits, or receives, a standard transaction to, or from, a health plan.

(6) During the period from March 17, 2009 through December 31, 2011, a health plan may not delay or reject a standard transaction, or attempt to adversely affect the other entity or the transaction, on the basis that it does not comply with another adopted standard for the same period.

(b) Coordination of benefits. If a health plan receives a standard transaction and coordinates benefits with another health plan (or another payer), it must store the coordination of benefits data it needs to forward the standard transaction to the other health plan (or other payer).

(c) Code sets. A health plan must meet each of the following requirements:

(1) Accept and promptly process any standard transaction that contains codes that are valid, as provided in subpart J of this part.

(2) Keep code sets for the current billing period and appeals periods still open to processing under the terms of the health plan's coverage.

[65 FR 50367, Aug. 17, 2000, as amended at 74 FR 3325, Jan. 16, 2009]

§ 162.930 Additional rules for health care clearinghouses.

When acting as a business associate for another covered entity, a health care clearinghouse may perform the following functions:

(a) Receive a standard transaction on behalf of the covered entity and translate it into a nonstandard transaction (for example, nonstandard format and/or nonstandard data content) for transmission to the covered entity.

(b) Receive a nonstandard transaction (for example, nonstandard format and/or nonstandard data content) from the covered entity and translate it into a standard transaction for transmission on behalf of the covered entity.


§ 162.940 Exceptions from standards to permit testing of proposed modifications.

(a) Requests for an exception. An organization may request an exception from the use of a standard from the Secretary to test a proposed modification to that standard. For each proposed modification, the organization must meet the following requirements:

(1) Comparison to a current standard. Provide a detailed explanation, no more than 10 pages in length, of how the proposed modification would be a significant improvement to the current standard in terms of the following principles:

(i) Improve the efficiency and effectiveness of the health care system by leading to cost reductions for, or improvements in benefits from, electronic health care transactions.

(ii) Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses.

(iii) Be uniform and consistent with the other standards adopted under this part and, as appropriate, with other private and public sector health data standards.

(iv) Have low additional development and implementation costs relative to the benefits of using the standard.

(v) Be supported by an ANSI-accredited SSO or other private or public organization that would maintain the standard over time.

(vi) Have timely development, testing, implementation, and updating procedures to achieve administrative simplification benefits faster.

(vii) Be technologically independent of the computer platforms and transmission protocols used in electronic health transactions, unless they are explicitly part of the standard.

(viii) Be precise, unambiguous, and as simple as possible.

(ix) Result in minimum data collection and paperwork burdens on users.

(x) Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and provider types) and information technology.

(2) Specifications for the proposed modification. Provide specifications for the proposed modification, including any additional system requirements.

(3) Testing of the proposed modification. Provide an explanation, no more than 5 pages in length, of how the organization intends to test the standard, including the number and types of health plans and health care providers expected to be involved in the test, geographical areas, and beginning and ending dates of the test.

(4) Trading partner concurrences. Provide written concurrences from trading partners who would agree to participate in the test.

(b) Basis for granting an exception. The Secretary may grant an initial exception, for a period not to exceed 3 years, based on, but not limited to, the following criteria:

(1) An assessment of whether the proposed modification demonstrates a significant improvement to the current standard.

(2) The extent and length of time of the exception.

(3) Consultations with DSMOs.

(c) Secretary's decision on exception. The Secretary makes a decision and notifies the organization requesting the exception whether the request is granted or denied.

(1) Exception granted. If the Secretary grants an exception, the notification includes the following information:

(i) The length of time for which the exception applies.

(ii) The trading partners and geographical areas the Secretary approves for testing.

(iii) Any other conditions for approving the exception.

(2) Exception denied. If the Secretary does not grant an exception, the notification explains the reasons the Secretary considers the proposed modification would not be a significant improvement to the current standard and any other rationale for the denial.

(d) Organization's report on test results. Within 90 days after the test is completed, an organization that receives an


exception must submit a report on the results of the test, including a cost-benefit analysis, to a location specified by the Secretary by notice in the FEDERAL REGISTER.

(e) Extension allowed. If the report submitted in accordance with paragraph (d) of this section recommends a modification to the standard, the Secretary, on request, may grant an extension to the period granted for the exception.

Subpart J—Code Sets

§ 162.1000 General requirements.

When conducting a transaction covered by this part, a covered entity must meet the following requirements:

(a) Medical data code sets. Use the applicable medical data code sets described in § 162.1002 as specified in the implementation specification adopted under this part that are valid at the time the health care is furnished.

(b) Nonmedical data code sets. Use the nonmedical data code sets as described in the implementation specifications adopted under this part that are valid at the time the transaction is initiated.

§ 162.1002 Medical data code sets.

The Secretary adopts the following maintaining organization's code sets as the standard medical data code sets:

(a) For the period from October 16, 2002 through October 15, 2003:

(1) International Classification of Diseases, 9th Edition, Clinical Modification, (ICD-9-CM), Volumes 1 and 2 (including The Official ICD-9-CM Guidelines for Coding and Reporting), as maintained and distributed by HHS, for the following conditions:

(i) Diseases.

(ii) Injuries.

(iii) Impairments.

(iv) Other health problems and their manifestations.

(v) Causes of injury, disease, impairment, or other health problems.

(2) International Classification of Diseases, 9th Edition, Clinical Modification, Volume 3 Procedures (including The Official ICD-9-CM Guidelines for Coding and Reporting), as maintained and distributed by HHS, for the following procedures or other actions taken for diseases, injuries, and impairments on hospital inpatients reported by hospitals:

(i) Prevention.

(ii) Diagnosis.

(iii) Treatment.

(iv) Management.

(3) National Drug Codes (NDC), as maintained and distributed by HHS, in collaboration with drug manufacturers, for the following:

(i) Drugs.

(ii) Biologics.

(4) Code on Dental Procedures and Nomenclature, as maintained and distributed by the American Dental Association, for dental services.

(5) The combination of Health Care Financing Administration Common Procedure Coding System (HCPCS), as maintained and distributed by HHS, and Current Procedural Terminology, Fourth Edition (CPT-4), as maintained and distributed by the American Medical Association, for physician services and other health care services. These services include, but are not limited to, the following:

(i) Physician services.

(ii) Physical and occupational therapy services.

(iii) Radiologic procedures.

(iv) Clinical laboratory tests.

(v) Other medical diagnostic procedures.

(vi) Hearing and vision services.

(vii) Transportation services including ambulance.

(6) The Health Care Financing Administration Common Procedure Coding System (HCPCS), as maintained and distributed by HHS, for all other substances, equipment, supplies, or other items used in health care services. These items include, but are not limited to, the following:

(i) Medical supplies.


(ii) Orthotic and prosthetic devices.

(iii) Durable medical equipment.

(b) For the period on and after October 16, 2003 through September 30, 2014:

(1) The code sets specified in paragraphs (a)(1), (a)(2), (a)(4), and (a)(5) of this section.

(2) National Drug Codes (NDC), as maintained and distributed by HHS, for reporting the following by retail pharmacies:

(i) Drugs.

(ii) Biologics.

(3) The Healthcare Common Procedure Coding System (HCPCS), as maintained and distributed by HHS, for all other substances, equipment, supplies, or other items used in health care services, with the exception of drugs and biologics. These items include, but are not limited to, the following:

(i) Medical supplies.

(ii) Orthotic and prosthetic devices.

(iii) Durable medical equipment.

(c) For the period on and after October 1, 2014:

(1) The code sets specified in paragraphs (a)(4), (a)(5), (b)(2), and (b)(3) of this section.

(2) International Classification of Diseases, 10th Revision, Clinical Modification (ICD-10-CM) (including The Official ICD-10-CM Guidelines for Coding and Reporting), as maintained and distributed by HHS, for the following conditions:

(i) Diseases.

(ii) Injuries.

(iii) Impairments.

(iv) Other health problems and their manifestations.

(v) Causes of injury, disease, impairment, or other health problems.

(3) International Classification of Diseases, 10th Revision, Procedure Coding System (ICD-10-PCS) (including The Official ICD-10-PCS Guidelines for Coding and Reporting), as maintained and distributed by HHS, for the following procedures or other actions taken for diseases, injuries, and impairments on hospital inpatients reported by hospitals:

(i) Prevention.

(ii) Diagnosis.

(iii) Treatment.

(iv) Management.

[65 FR 50367, Aug. 17, 2000, as amended at 68 FR 8397, Feb. 20, 2003; 74 FR 3362, Jan. 16, 2009; 77 FR 54720, Sept. 5, 2012]

§ 162.1011 Valid code sets.

Each code set is valid within the dates specified by the organization responsible for maintaining that code set.

Subpart K—Health Care Claims or Equivalent Encounter Information

§ 162.1101 Health care claims or equivalent encounter information transaction.

The health care claims or equivalent encounter information transaction is the transmission of either of the following:

(a) A request to obtain payment, and the necessary accompanying information from a health care provider to a health plan, for health care.

(b) If there is no direct claim, because the reimbursement contract is based on a mechanism other than charges or reimbursement rates for specific services, the transaction is the transmission of encounter information for the purpose of reporting health care.

§ 162.1102 Standards for health care claims or equivalent encounter information transaction.

The Secretary adopts the following standards for the health care claims or equivalent encounter information transaction:

(a) For the period from October 16, 2003 through March 16, 2009:

(1) Retail pharmacy drugs claims. The National Council for Prescription Drug Programs (NCPDP) Telecommunication Standards Implementation Guide, Version 5, Release 1, September 1999, and equivalent NCPDP Batch Standards Batch Implementation Guide, Version


1, Release 1, (Version 1.1), January 2000, supporting Telecommunication Version 5.1 for the NCPDP Data Record in the Detail Data Record. (Incorporated by reference in § 162.920).

(2) Dental health care claims. The ASC X12N 837—Health Care Claim: Dental, Version 4010, May 2000, Washington Publishing Company, 004010X097 and Addenda to Health Care Claim: Dental, Version 4010, October 2002, Washington Publishing Company, 004010X097A1. (Incorporated by reference in § 162.920).

(3) Professional health care claims. The ASC X12N 837—Health Care Claims: Professional, Volumes 1 and 2, Version 4010, May 2000, Washington Publishing Company, 004010X098 and Addenda to Health Care Claims: Professional, Volumes 1 and 2, Version 4010, October 2002, Washington Publishing Company, 004010X098A1. (Incorporated by reference in § 162.920).

(4) Institutional health care claims. The ASC X12N 837—Health Care Claim: Institutional, Volumes 1 and 2, Version 4010, May 2000, Washington Publishing Company, 004010X096 and Addenda to Health Care Claim: Institutional, Volumes 1 and 2, Version 4010, October 2002, Washington Publishing Company, 004010X096A1. (Incorporated by reference in § 162.920).

(b) For the period from March 17, 2009 through December 31, 2011, both:

(1)(i) The standards identified in paragraph (a) of this section; and

(ii) For retail pharmacy supplies and professional services claims, the following: The ASC X12N 837—Health Care Claim: Professional, Volumes 1 and 2, Version 4010, May 2000, Washington Publishing Company, 004010X096, October 2002 (Incorporated by reference in § 162.920); and

(2)(i) Retail pharmacy drug claims. The Telecommunication Standard Implementation Guide, Version D, Release 0 (Version D.0), August 2007 and equivalent Batch Standard Implementation Guide, Version 1, Release 2 (Version 1.2), National Council for Prescription Drug Programs. (Incorporated by reference in § 162.920.)

(ii) Dental health care claims. The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Claim: Dental (837), May 2006, ASC X12N/005010X224, and Type 1 Errata to Health Care Claim: Dental (837) ASC X12 Standards for Electronic Data Interchange Technical Report Type 3, October 2007, ASC X12N/005010X224A1. (Incorporated by reference in § 162.920.)

(iii) Professional health care claims. The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Claim: Professional (837), May 2006, ASC X12N/005010X222. (Incorporated by reference in § 162.920.)

(iv) Institutional health care claims. The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Claim: Institutional (837), May 2006, ASC X12N/005010X223, and Type 1 Errata to Health Care Claim: Institutional (837) ASC X12 Standards for Electronic Data Interchange Technical Report Type 3, October 2007, ASC X12N/005010X223A1. (Incorporated by reference in § 162.920.)

(v) Retail pharmacy supplies and professional services claims. (A) The Telecommunication Standard, Implementation Guide Version 5, Release 1, September 1999. (Incorporated by reference in § 162.920.)

(B) The Telecommunication Standard Implementation Guide, Version D, Release 0 (Version D.0), August 2007, and equivalent Batch Standard Implementation Guide, Version 1, Release 2 (Version 1.2), National Council for Prescription Drug Programs (Incorporated by reference in § 162.920); and

(C) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Claim: Professional (837), May 2006, ASC X12N/005010X222. (Incorporated by reference in § 162.920.)

(c) For the period on and after January 1, 2012, the standards identified in paragraph (b)(2) of this section, except the standard identified in paragraph (b)(2)(v)(A) of this section.

[68 FR 8397, Feb. 20, 2003; 68 FR 11445, Mar. 10, 2003, as amended at 74 FR 3325, Jan. 16, 2009]


Subpart L—Eligibility for a Health Plan

§ 162.1201 Eligibility for a health plan transaction.

The eligibility for a health plan transaction is the transmission of either of the following:

(a) An inquiry from a health care provider to a health plan, or from one health plan to another health plan, to obtain any of the following information about a benefit plan for an enrollee:

(1) Eligibility to receive health care under the health plan.

(2) Coverage of health care under the health plan.

(3) Benefits associated with the benefit plan.

(b) A response from a health plan to a health care provider's (or another health plan's) inquiry described in paragraph (a) of this section.

§ 162.1202 Standards for eligibility for a health plan transaction.

The Secretary adopts the following standards for the eligibility for a health plan transaction:

(a) For the period from October 16, 2003 through March 16, 2009:

(1) Retail pharmacy drugs. The National Council for Prescription Drug Programs Telecommunication Standard Implementation Guide, Version 5, Release 1 (Version 5.1), September 1999, and equivalent NCPDP Batch Standard Batch Implementation Guide, Version 1, Release 1 (Version 1.1), January 2000 supporting Telecommunications Standard Implementation Guide, Version 5, Release 1 (Version 5.1) for the NCPDP Data Record in the Detail Data Record. (Incorporated by reference in § 162.920).

(2) Dental, professional, and institutional health care eligibility benefit inquiry and response. The ASC X12N 270/271—Health Care Eligibility Benefit Inquiry and Response, Version 4010, May 2000, Washington Publishing Company, 004010X092 and Addenda to Health Care Eligibility Benefit Inquiry and Response, Version 4010, October 2002, Washington Publishing Company, 004010X092A1. (Incorporated by reference in § 162.920).

(b) For the period from March 17, 2009 through December 31, 2011 both:

(1) The standards identified in paragraph (a) of this section; and

(2)(i) Retail pharmacy drugs. The Telecommunication Standard Implementation Guide Version D, Release 0 (Version D.0), August 2007, and equivalent Batch Standard Implementation Guide, Version 1, Release 2 (Version 1.2), National Council for Prescription Drug Programs. (Incorporated by reference in § 162.920.)

(ii) Dental, professional, and institutional health care eligibility benefit inquiry and response. The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Eligibility Benefit Inquiry and Response (270/271), April 2008, ASC X12N/005010X279. (Incorporated by reference in § 162.920.)

(c) For the period on and after January 1, 2012, the standards identified in paragraph (b)(2) of this section.

[68 FR 8398, Feb. 20, 2003; 68 FR 11445, Mar. 10, 2003, as amended at 74 FR 3326, Jan. 16, 2009]

§ 162.1203 Operating rules for eligibility for a health plan transaction.

On and after January 1, 2013, the Secretary adopts the following:

(a) Except as specified in paragraph (b) of this section, the following CAQH CORE Phase I and Phase II operating rules (updated for Version 5010) for the eligibility for a health plan transaction:

(1) Phase I CORE 152: Eligibility and Benefit Real Time Companion Guide Rule, version 1.1.0, March 2011, and CORE v5010 Master Companion Guide Template. (Incorporated by reference in § 162.920).

(2) Phase I CORE 153: Eligibility and Benefits Connectivity Rule, version 1.1.0, March 2011. (Incorporated by reference in § 162.920).

(3) Phase I CORE 154: Eligibility and Benefits 270/271 Data Content Rule, version 1.1.0, March 2011. (Incorporated by reference in § 162.920).


(4) Phase I CORE 155: Eligibility and Benefits Batch Response Time Rule, version 1.1.0, March 2011. (Incorporated by reference in § 162.920).

(5) Phase I CORE 156: Eligibility and Benefits Real Time Response Rule, version 1.1.0, March 2011. (Incorporated by reference in § 162.920).

(6) Phase I CORE 157: Eligibility and Benefits System Availability Rule, version 1.1.0, March 2011. (Incorporated by reference in § 162.920).

(7) Phase II CORE 258: Eligibility and Benefits 270/271 Normalizing Patient Last Name Rule, version 2.1.0, March 2011. (Incorporated by reference in § 162.920).

(8) Phase II CORE 259: Eligibility and Benefits 270/271 AAA Error Code Reporting Rule, version 2.1.0. (Incorporated by reference in § 162.920).

(9) Phase II CORE 260: Eligibility & Benefits Data Content (270/271) Rule, version 2.1.0, March 2011. (Incorporated by reference in § 162.920).

(10) Phase II CORE 270: Connectivity Rule, version 2.2.0, March 2011. (Incorporated by reference in § 162.920).

(b) Excluding where the CAQH CORE rules reference and pertain to acknowledgements and CORE certification.

[76 FR 40496, July 8, 2011]

Subpart M—Referral Certification and Authorization

§ 162.1301 Referral certification and authorization transaction.

The referral certification and authorization transaction is any of the following transmissions:

(a) A request from a health care provider to a health plan for the review of health care to obtain an authorization for the health care.

(b) A request from a health care provider to a health plan to obtain authorization for referring an individual to another health care provider.

(c) A response from a health plan to a health care provider to a request described in paragraph (a) or paragraph (b) of this section.

[74 FR 3326, Jan. 16, 2009]

§ 162.1302 Standards for referral certification and authorization transaction.

The Secretary adopts the following standards for the referral certification and authorization transaction:

(a) For the period from October 16, 2003 through March 16, 2009:

(1) Retail pharmacy drug referral certification and authorization. The NCPDP Telecommunication Standard Implementation Guide, Version 5, Release 1 (Version 5.1), September 1999, and equivalent NCPDP Batch Standard Batch Implementation Guide, Version 1, Release 1 (Version 1.1), January 2000, supporting Telecommunications Standard Implementation Guide, Version 5, Release 1 (Version 5.1) for the NCPDP Data Record in the Detail Data Record. (Incorporated by reference in § 162.920).

(2) Dental, professional, and institutional referral certification and authorization. The ASC X12N 278—Health Care Services Review—Request for Review and Response, Version 4010, May 2000, Washington Publishing Company, 004010X094 and Addenda to Health Care Services Review—Request for Review and Response, Version 4010, October 2002, Washington Publishing Company, 004010X094A1. (Incorporated by reference in § 162.920).

(b) For the period from March 17, 2009 through December 31, 2011 both—

(1) The standards identified in paragraph (a) of this section; and

(2)(i) Retail pharmacy drugs. The Telecommunication Standard Implementation Guide Version D, Release 0 (Version D.0), August 2007, and equivalent Batch Standard Implementation Guide, Version 1, Release 2 (Version 1.2), National Council for Prescription Drug Programs. (Incorporated by reference in § 162.920.)

(ii) Dental, professional, and institutional request for review and response. The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Services Review—Request for Review


and Response (278), May 2006, ASC X12N/005010X217, and Errata to Health Care Services Review—Request for Review and Response (278), ASC X12 Standards for Electronic Data Interchange Technical Report Type 3, April 2008, ASC X12N/005010X217E1. (Incorporated by reference in § 162.920.)

(c) For the period on and after January 1, 2012, the standards identified in paragraph (b)(2) of this section.

[68 FR 8398, Feb. 20, 2003, as amended at 74 FR 3326, Jan. 16, 2009]

Subpart N—Health Care Claim Status

§ 162.1401 Health care claim status transaction.

The health care claim status transaction is the transmission of either of the following:

(a) An inquiry from a health care provider to a health plan to determine the status of a health care claim.

(b) A response from a health plan to a health care provider about the status of a health care claim.

[74 FR 3326, Jan. 16, 2009]

§ 162.1402 Standards for health care claim status transaction.

The Secretary adopts the following standards for the health care claim status transaction:

(a) For the period from October 16, 2003 through March 16, 2009: The ASC X12N-276/277 Health Care Claim Status Request and Response, Version 4010, May 2000, Washington Publishing Company, 004010X093 and Addenda to Health Care Claim Status Request and Response, Version 4010, October 2002, Washington Publishing Company, 004010X093A1. (Incorporated by reference in § 162.920.)

(b) For the period from March 17, 2009 through December 31, 2011, both:

(1) The standard identified in paragraph (a) of this section; and

(2) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Claim Status Request and Response (276/277), August 2006, ASC X12N/005010X212, and Errata to Health Care Claim Status Request and Response (276/277), ASC X12 Standards for Electronic Data Interchange Technical Report Type 3, April 2008, ASC X12N/005010X212E1. (Incorporated by reference in § 162.920.)

(c) For the period on and after January 1, 2012, the standard identified in paragraph (b)(2) of this section.

[74 FR 3327, Jan. 16, 2009]

§ 162.1403 Operating rules for health care claim status transaction.

On and after January 1, 2013, the Secretary adopts the following:

(a) Except as specified in paragraph (b) of this section, the following CAQH CORE Phase II operating rules (updated for Version 5010) for the health care claim status transaction:

(1) Phase II CORE 250: Claim Status Rule, version 2.1.0, March 2011, and CORE v5010 Master Companion Guide, 00510, 1.2, March 2011. (Incorporated by reference in § 162.920).

(2) Phase II CORE 270: Connectivity Rule, version 2.2.0, March 2011. (Incorporated by reference in § 162.920).

(b) Excluding where the CAQH CORE rules reference and pertain to acknowledgements and CORE certification.

[76 FR 40496, July 8, 2011]

Subpart O—Enrollment and Disenrollment in a Health Plan

§ 162.1501 Enrollment and disenrollment in a health plan transaction.

The enrollment and disenrollment in a health plan transaction is the transmission of subscriber enrollment information from the sponsor of the insurance coverage, benefits, or policy, to a health plan to establish or terminate insurance coverage.

[74 FR 3326, Jan. 16, 2009]

§ 162.1502 Standards for enrollment and disenrollment in a health plan transaction.

The Secretary adopts the following standards for
enrollment and disenrollment in a health plan transaction.

(a) For the period from October 16, 2003 through March 16, 2009: ASC X12N 834—Benefit Enrollment and Maintenance, Version 4010, May 2000, Washington Publishing Company, 004010X095 and Addenda to Benefit Enrollment and Maintenance, Version 4010, October 2002, Washington Publishing Company, 004010X095A1. (Incorporated by reference in § 162.920.)

(b) For the period from March 17, 2009 through December 31, 2011, both:

(1) The standard identified in paragraph (a) of this section; and

(2) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Benefit Enrollment and Maintenance (834), August 2006, ASC X12N/005010X220 (Incorporated by reference in § 162.920)

(c) For the period on and after January 1, 2012, the standard identified in paragraph (b)(2) of this section.

[74 FR 3327, Jan. 16, 2009]

Subpart P—Health Care Electronic Funds Transfers (EFT) and Remittance Advice

§ 162.1601 Health care electronic funds transfers (EFT) and remittance advice transaction.

The health care electronic funds transfers (EFT) and remittance advice transaction is the transmission of either of the following for health care:

(a) The transmission of any of the following from a health plan to a health care provider:

(1) Payment.

(2) Information about the transfer of funds.

(3) Payment processing information.

(b) The transmission of either of the following from a health plan to a health care provider:

(1) Explanation of benefits.

(2) Remittance advice.

[65 FR 50367, Aug. 17, 2000, as amended at 77 FR 1590, Jan. 10, 2012; 77 FR 48043, Aug. 10, 2012]

§ 162.1602 Standards for health care electronic funds transfers (EFT) and remittance advice transaction.

The Secretary adopts the following standards:

(a) For the period from October 16, 2003 through March 16, 2009: Health care claims and remittance advice. The ASC X12N 835—Health Care Claim Payment/Advice, Version 4010, May 2000, Washington Publishing Company, 004010X091, and Addenda to Health Care Claim Payment/Advice, Version 4010, October 2002, Washington Publishing Company, 004010X091A1. (Incorporated by reference in § 162.920.)

(b) For the period from March 17, 2009 through December 31, 2011, both of the following standards:

(1) The standard identified in paragraph (a) of this section.

(2) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Claim Payment/Advice (835), April 2006, ASC X12N/005010X221. (Incorporated by reference in § 162.920.)

(c) For the period from January 1, 2012 through December 31, 2013, the standard identified in paragraph (b)(2) of this section.

(d) For the period on and after January 1, 2014, the following standards:

(1) Except when transmissions as described in § 162.1601(a) and (b) are contained within the same transmission, for Stage 1 Payment Initiation transmissions described in § 162.1601(a), all of the following standards:

(i) The National Automated Clearing House Association (NACHA) Corporate Credit or Deposit Entry with Addenda Record (CCD+) implementation specifications as contained in the 2011 NACHA Operating Rules & Guidelines, A Complete Guide to the Rules Governing the ACH Network as follows (incorporated by reference in § 162.920)—

(A) NACHA Operating Rules, Appendix One: ACH File Exchange Specifications; and

(B) NACHA Operating Rules, Appendix Three: ACH Record Format Specifications, Subpart 3.1.8 Sequence of Records for CCD Entries.

(ii) For the CCD Addenda Record (“7”), field 3, of the
standard identified in 1602(d)(1)(i), the Accredited Standards Committee (ASC) X12 Standards for Electronic Data Interchange Technical Report Type 3, “Health Care Claim Payment/Advice (835), April 2006: Section 2.4: 835 Segment Detail: “TRN Reassociation Trace Number,” Washington Publishing Company, 005010X221 (Incorporated by reference in § 162.920).

(2) For transmissions described in § 162.1601(b), including when transmissions as described in § 162.1601(a) and (b) are contained within the same transmission, the ASC X12 Standards for Electronic Data Interchange Technical Report Type 3, “Health Care Claim Payment/Advice (835), April 2006, ASC X12N/005010X221. (Incorporated by reference in § 162.920).

[77 FR 1590, Jan. 10, 2012]

§ 162.1603 Operating rules for health care electronic funds transfers (EFT) and remittance advice transaction.

On and after January 1, 2014, the Secretary adopts the following for the health care electronic funds transfers (EFT) and remittance advice transaction:

(a) The Phase III CORE EFT & ERA Operating Rule Set, Approved June 2012 (Incorporated by reference in § 162.920) which includes the following rules:

(1) Phase III CORE 380 EFT Enrollment Data Rule, version 3.0.0, June 2012.

(2) Phase III CORE 382 ERA Enrollment Data Rule, version 3.0.0, June 2012.

(3) Phase III 360 CORE Uniform Use of CARCs and RARCs (835) Rule, version 3.0.0, June 2012.

(4) CORE-required Code Combinations for CORE-defined Business Scenarios for the Phase III CORE 360 Uniform Use of Claim Adjustment Reason Codes and Remittance Advice Remark Codes (835) Rule, version 3.0.0, June 2012.

(5) Phase III CORE 370 EFT & ERA Reassociation (CCD+/835) Rule, version 3.0.0, June 2012.

(6) Phase III CORE 350 Health Care Claim Payment/Advice (835) Infrastructure Rule, version 3.0.0, June 2012, except Requirement 4.2 titled “Health Care Claim Payment/Advice Batch Acknowledgement Requirements”.

(b) ACME Health Plan, CORE v5010 Master Companion Guide Template, 005010, 1.2, March 2011 (incorporated by reference in § 162.920), as required by the Phase III CORE 350 Health Care Claim Payment/Advice (835) Infrastructure Rule, version 3.0.0, June 2012.

[77 FR 48043, Aug. 10, 2012]

Subpart Q—Health Plan Premium Payments

§ 162.1701 Health plan premium payments transaction.

The health plan premium payment transaction is the transmission of any of the following from the entity that is arranging for the provision of health care or is providing health care coverage payments for an individual to a health plan:

(a) Payment.

(b) Information about the transfer of funds.

(c) Detailed remittance information about individuals for whom premiums are being paid.

(d) Payment processing information to transmit health care premium payments including any of the following:

(1) Payroll deductions.

(2) Other group premium payments.

(3) Associated group premium payment information.

§ 162.1702 Standards for health plan premium payments transaction.

The Secretary adopts the following standards for the health plan premium payments transaction:

(a) For the period from October 16, 2003 through March 16, 2009: The ASC X12N 820—Payroll Deducted and Other Group Premium Payment for Insurance Products, Version 4010, May 2000, Washington Publishing Company, 004010X061, and Addenda to Payroll Deducted and Other Group Premium Payment for Insurance Products, Version 4010, October 2002, Washington Publishing Company, 004010X061A1.
(Incorporated by reference in § 162.920.)

(b) For the period from March 17, 2009 through December 31, 2011, both:

(1) The standard identified in paragraph (a) of this section, and

(2) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Payroll Deducted and Other Group Premium Payment for Insurance Products (820), February 2007, ASC X12N/005010X218. (Incorporated by reference in § 162.920.)

(c) For the period on and after January 1, 2012, the standard identified in paragraph (b)(2) of this section.

[74 FR 3327, Jan. 16, 2009]

Subpart R—Coordination of Benefits

§ 162.1801 Coordination of benefits transaction.

The coordination of benefits transaction is the transmission from any entity to a health plan for the purpose of determining the relative payment responsibilities of the health plan, of either of the following for health care:

(a) Claims.

(b) Payment information.

§ 162.1802 Standards for coordination of benefits information transaction.

The Secretary adopts the following standards for the coordination of benefits information transaction.

(a) For the period from October 16, 2003 through March 16, 2009:

(1) Retail pharmacy drug claims. The National Council for Prescription Drug Programs Telecommunication Standard Implementation Guide, Version 5, Release 1 (Version 5.1), September 1999, and equivalent NCPDP Batch Standard Batch Implementation Guide, Version 1, Release 1 (Version 1.1), January 2000, supporting Telecommunications Standard Implementation Guide, Version 5, Release 1 (Version 5.1) for the NCPDP Data Record in the Detail Data Record. (Incorporated by reference in § 162.920).

(2) Dental health care claims. The ASC X12N 837—Health Care Claim: Dental, Version 4010, May 2000, Washington Publishing Company, 004010X097 and Addenda to Health Care Claim: Dental, Version 4010, October 2002, Washington Publishing Company, 004010X097A1. (Incorporated by reference in § 162.920).

(3) Professional health care claims. The ASC X12N 837—Health Care Claim: Professional, Volumes 1 and 2, Version 4010, May 2000, Washington Publishing Company, 004010X098 and Addenda to Health Care Claim: Professional, Volumes 1 and 2, Version 4010, October 2002, Washington Publishing Company, 004010X098A1. (Incorporated by reference in § 162.920).

(4) Institutional health care claims. The ASC X12N 837—Health Care Claim: Institutional, Volumes 1 and 2, Version 4010, May 2000, Washington Publishing Company, 004010X096 and Addenda to Health Care Claim: Institutional, Volumes 1 and 2, Version 4010, October 2002, Washington Publishing Company, 004010X096A1. (Incorporated by reference in § 162.920).

(b) For the period from March 17, 2009 through December 31, 2011, both:

(1) The standards identified in paragraph (a) of this section; and

(2)(i) Retail pharmacy drug claims. The Telecommunication Standard Implementation Guide, Version D, Release 0 (Version D.0), August 2007, and equivalent Batch Standard Implementation Guide, Version 1, Release 2 (Version 1.2), National Council for Prescription Drug Programs. (Incorporated by reference in § 162.920.)

(ii) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Claim: Dental (837), May 2006, ASC X12N/005010X224, and Type 1 Errata to Health Care Claim: Dental (837), ASC X12 Standards for Electronic Data Interchange Technical Report Type 3, October 2007, ASC X12N/005010X224A1. (Incorporated by reference in § 162.920.)

(iii) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Claim: Professional (837), May 2006, ASC X12N/005010X222.
(Incorporated by reference in § 162.920.)

(iv) The ASC X12 Standards for Electronic Data Interchange Technical Report Type 3—Health Care Claim: Institutional (837), May 2006, ASC X12N/005010X223, and Type 1 Errata to Health Care Claim: Institutional (837), ASC X12 Standards for Electronic Data Interchange Technical Report Type 3, October 2007, ASC X12N/005010X223A1. (Incorporated by reference in § 162.920.)

(c) For the period on and after January 1, 2012, the standards identified in paragraph (b)(2) of this section.

[68 FR 8399, Feb. 20, 2003, as amended at 74 FR 3327, Jan. 16, 2009]

Subpart S—Medicaid Pharmacy Subrogation

SOURCE: 74 FR 3328, Jan. 16, 2009, unless otherwise noted.

§ 162.1901 Medicaid pharmacy subrogation transaction.

The Medicaid pharmacy subrogation transaction is the transmission of a claim from a Medicaid agency to a payer for the purpose of seeking reimbursement from the responsible health plan for a pharmacy claim the State has paid on behalf of a Medicaid recipient.

§ 162.1902 Standard for Medicaid pharmacy subrogation transaction.

The Secretary adopts the Batch Standard Medicaid Subrogation Implementation Guide, Version 3, Release 0 (Version 3.0), July 2007, National Council for Prescription Drug Programs, as referenced in § 162.1902 (Incorporated by reference at § 162.920):

(a) For the period on and after January 1, 2012, for covered entities that are not small health plans;

(b) For the period on and after January 1, 2013 for small health plans.

PART 164—SECURITY AND PRIVACY

Contents

Subpart A—General Provisions
§ 164.102 Statutory basis.
§ 164.103 Definitions.
§ 164.104 Applicability.
§ 164.105 Organizational requirements.
§ 164.106 Relationship to other parts.

Subpart B [Reserved]

Subpart C—Security Standards for the Protection of Electronic Protected Health Information
§ 164.302 Applicability.
§ 164.304 Definitions.
§ 164.306 Security standards: General rules.
§ 164.308 Administrative safeguards.
§ 164.310 Physical safeguards.
§ 164.312 Technical safeguards.
§ 164.314 Organizational requirements.
§ 164.316 Policies and procedures and documentation requirements.
§ 164.318 Compliance dates for the initial implementation of the security standards.
Appendix A to Subpart C of Part 164—Security Standards: Matrix

Subpart D—Notification in the Case of Breach of Unsecured Protected Health Information
§ 164.400 Applicability.
§ 164.402 Definitions.
§ 164.404 Notification to individuals.
§ 164.406 Notification to the media.
§ 164.408 Notification to the Secretary.
§ 164.410 Notification by a business associate.
§ 164.412 Law enforcement delay.
§ 164.414 Administrative requirements and burden of proof.

Subpart E—Privacy of Individually Identifiable Health Information
§ 164.500 Applicability.
§ 164.501 Definitions.
§ 164.502 Uses and disclosures of protected health information: general rules.
§ 164.504 Uses and disclosures: Organizational requirements.
§ 164.506 Uses and disclosures to carry out treatment, payment, or health care operations.
§ 164.508 Uses and disclosures for which an authorization is required.
§ 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object.
§ 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required.
§ 164.514 Other requirements relating to uses and disclosures of protected health information.
§ 164.520 Notice of privacy practices for protected health information.
§ 164.522 Rights to request privacy protection for protected health information.
§ 164.524 Access of individuals to protected health information.
§ 164.526 Amendment of protected health information.
§ 164.528 Accounting of disclosures of protected health information.
§ 164.530 Administrative requirements.
§ 164.532 Transition provisions.
§ 164.534 Compliance dates for initial implementation of the privacy standards.

AUTHORITY: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)); and secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.

SOURCE: 65 FR 82802, Dec. 28, 2000, unless otherwise noted.

Subpart A—General Provisions

§ 164.102 Statutory basis.

The provisions of this part are adopted pursuant to the Secretary's authority to prescribe standards, requirements, and implementation specifications under part C of title XI of the Act, section 264 of Public Law 104-191, and sections 13400-13424 of Public Law 111-5.

[78 FR 5692, Jan. 25, 2013]

§ 164.103 Definitions.

As used in this part, the following terms have the following meanings:

Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity.

Common ownership exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.

Covered functions means those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse.

Health care component means a component or combination of components of a hybrid entity designated by the hybrid entity in accordance with § 164.105(a)(2)(iii)(D).

Hybrid entity means a single legal entity:

(1) That is a covered entity;

(2) Whose business activities include both covered and non-covered functions; and

(3) That designates health care components in accordance with paragraph § 164.105(a)(2)(iii)(D).

Law enforcement official means an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to:

(1) Investigate or conduct an official inquiry into a potential violation of law; or

(2) Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

Plan sponsor is defined as defined at section 3(16)(B) of ERISA, 29 U.S.C. 1002(16)(B).

Required by law means a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

[68 FR 8374, Feb. 20, 2003, as amended at 74 FR 42767, Aug. 24, 2009]

§ 164.104 Applicability.

(a) Except as otherwise provided, the standards, requirements, and implementation specifications adopted under this part apply to the following entities:

(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

(b) Where provided, the standards, requirements, and implementation specifications adopted under this part apply to a business associate.

[68 FR 8375, Feb. 20, 2003, as amended at 78 FR 5692, Jan. 25, 2013]

§ 164.105 Organizational requirements.

(a)(1) Standard: Health care component. If a covered entity is a hybrid entity, the requirements of this part, other than the requirements of this section, § 164.314, and § 164.504, apply only to the health care component(s) of the entity, as specified in this section.

(2) Implementation specifications:

(i) Application of other provisions. In applying a provision of this part, other than the requirements of this section, § 164.314, and § 164.504, to a hybrid entity:

(A) A reference in such provision to a “covered entity” refers to a health care component of the covered entity;

(B) A reference in such provision to a “health plan,” “covered health care provider,” or “health care clearinghouse,” refers to a health care component of the covered entity if such health care component performs the functions of a health plan, health care provider, or health care clearinghouse, as applicable;

(C) A reference in such provision to “protected health information” refers to protected health information that is created or received by or on behalf of the health care component of the covered entity; and

(D) A reference in such provision to “electronic protected health information” refers to electronic protected health information that is created, received, maintained, or transmitted by or on behalf of the health care component of the covered entity.

(ii) Safeguard requirements. The covered entity that is a hybrid entity must ensure that a health care component of the entity complies with the applicable requirements of this part. In particular, and without limiting this requirement, such covered entity must ensure that:

(A) Its health care component does not disclose protected health information to another component of the covered entity in circumstances in which subpart E of this part would prohibit such disclosure if the health care component and the other component were separate and distinct legal entities;

(B) Its health care component protects electronic protected health information with respect to another component of the covered entity to the same extent that it would be required under subpart C of this part to protect such information if the health care component and the other component were separate and distinct legal entities;

(C) If a person performs duties for both the health care component in the capacity of a member of the workforce of such component and for another component of the entity in the same capacity with respect to that component, such workforce member must not use or disclose protected health information created or received in the course of or incident to the member's work for the health care component in a way prohibited by subpart E of this part.

(iii) Responsibilities of the covered entity. A covered entity that is a hybrid entity has the following responsibilities:

(A) For purposes of subpart C of part 160 of this subchapter, pertaining to compliance and enforcement, the covered entity has the responsibility of complying with this part.

(B) The covered entity is responsible for complying with § 164.316(a) and § 164.530(i), pertaining to the implementation of policies and procedures to ensure compliance with applicable requirements of this part, including the safeguard requirements in paragraph (a)(2)(ii) of this section.

(C) The covered entity is responsible for complying with § 164.314 and § 164.504 regarding business associate arrangements and other organizational requirements.

(D) The covered entity is responsible for designating the components that are part of one or more health care components of the covered entity and documenting the designation in accordance with paragraph (c) of this section, provided that, if the covered entity designates one or more health care components, it must include any component that would meet the definition of a covered entity or business associate if it were a separate legal entity. Health care component(s) also may include a component only to the extent that it performs covered functions.

(b)(1) Standard: Affiliated covered entities. Legally separate covered entities that are affiliated may designate themselves as a single covered entity for purposes of this part.

(2) Implementation specifications.

(i) Requirements for designation of an affiliated covered entity.

(A) Legally separate covered entities may designate themselves (including any health care component of such covered entity) as a single affiliated covered entity, for purposes of this part, if all of the covered entities designated are under common ownership or control.

(B) The designation of an affiliated covered entity must be documented and the documentation maintained as required by paragraph (c) of this section.

(ii) Safeguard requirements. An affiliated covered entity must ensure that it complies with the applicable requirements of this part, including, if the affiliated covered entity combines the functions of a health plan, health care provider, or health care clearinghouse, § 164.308(a)(4)(ii)(A) and § 164.504(g), as applicable.

(c)(1) Standard: Documentation. A covered entity must maintain a written or electronic record of a designation as required by paragraphs (a) or (b) of this section.

(2) Implementation specification: Retention period. A covered entity must retain the documentation as required by paragraph (c)(1) of this section
for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

[68 FR 8375, Feb. 20, 2003, as amended at 78 FR 5692, Jan. 25, 2013]

§ 164.106 Relationship to other parts.

In complying with the requirements of this part, covered entities and, where provided, business associates, are required to comply with the applicable provisions of parts 160 and 162 of this subchapter.

[78 FR 5693, Jan. 25, 2013]

Subpart B [Reserved]

Subpart C—Security Standards for the Protection of Electronic Protected Health Information

AUTHORITY: 42 U.S.C. 1320d-2 and 1320d-4; sec. 13401, Pub. L. 111-5, 123 Stat. 260.

SOURCE: 68 FR 8376, Feb. 20, 2003, unless otherwise noted.

§ 164.302 Applicability.

A covered entity or business associate must comply with the applicable standards, implementation specifications, and requirements of this subpart with respect to electronic protected health information of a covered entity.

[78 FR 5693, Jan. 25, 2013]

§ 164.304 Definitions.

As used in this subpart, the following terms have the following meanings:

Access means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. (This definition applies to “access” as used in this subpart, not as used in subparts D or E of this part.)

Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.

Authentication means the corroboration that a person is the one claimed.

Availability means the property that data or information is accessible and useable upon demand by an authorized person.

Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.

Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

Facility means the physical premises and the interior and exterior of a building(s).

Information system means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.

Malicious software means software, for example, a virus, designed to damage or disrupt a system.

Password means confidential authentication information composed of a string of characters.

Physical safeguards are physical measures, policies, and procedures to protect a covered entity's or business associate's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.

Security or Security measures encompass all of the administrative, physical, and technical safeguards in an information system.

Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Technical safeguards means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.

User means a person or entity with authorized access.

Workstation means an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.

[68 FR 8376, Feb. 20, 2003, as amended at 74 FR 42767, Aug. 24, 2009; 78 FR 5693, Jan. 25, 2013]

§ 164.306 Security standards: General rules.

(a) General requirements. Covered entities and business associates must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

(4) Ensure compliance with this subpart by its workforce.

(b) Flexibility of approach. (1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity or business associate.

(ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to electronic protected health information.

(c) Standards. A covered entity or business associate must comply with the applicable standards as provided in this section and in § 164.308, § 164.310, § 164.312, § 164.314 and § 164.316 with respect to all electronic protected health information.

(d) Implementation specifications. In this subpart:

(1) Implementation specifications are required or addressable. If an implementation specification is required, the word “Required” appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word “Addressable” appears in parentheses after the title of the implementation specification.

(2) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes required implementation specifications, a covered entity or business associate must implement the implementation specifications.

(3) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes addressable implementation specifications, a covered entity or business associate must—

(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and

(ii) As applicable to the covered entity or business associate—

(A) Implement the implementation specification if reasonable and appropriate; or

(B) If implementing the implementation specification is not reasonable and appropriate—

(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and

(2) Implement an equivalent alternative measure if reasonable and appropriate.

(e) Maintenance. A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of
electronic protected health information, and update documentation of such security measures in accordance with § 164.316(b)(2)(iii).

[68 FR 8376, Feb. 20, 2003; 68 FR 17153, Apr. 8, 2003; 78 FR 5693, Jan. 25, 2013]

§ 164.308 Administrative safeguards.

(a) A covered entity or business associate must, in accordance with § 164.306:

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

(3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

(ii) Implementation specifications:

(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

(B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.

(4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

(ii) Implementation specifications:

(A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

(B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

(C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right
of access to a workstation, transaction, program, or process.

(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

(ii) Implementation specifications. Implement:

(A) Security reminders (Addressable). Periodic security updates.

(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

(6)(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents.

(ii) Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

(7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

(ii) Implementation specifications:

(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.

(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.

(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.

(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

(b)(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.

(3) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that
meets the applicable requirements of § 164.314(a).

[68 FR 8376, Feb. 20, 2003, as amended at 78 FR 5694, Jan. 25, 2013]

§ 164.310 Physical safeguards.

A covered entity or business associate must, in accordance with § 164.306:

(a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

(2) Implementation specifications:

(i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

(iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

(iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

(b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

(c) Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

(d)(1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

(2) Implementation specifications:

(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

[68 FR 8376, Feb. 20, 2003, as amended at 78 FR 5694, Jan. 25, 2013]

§ 164.312 Technical safeguards.

A covered entity or business associate must, in accordance with § 164.306:

(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

(2) Implementation specifications:

(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

(c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

(2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

(2) Implementation specifications:

(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

[68 FR 8376, Feb. 20, 2003, as amended at 78 FR 5694, Jan. 25, 2013]

§ 164.314 Organizational requirements.

(a)(1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.

(2) Implementation specifications (Required).

(i) Business associate contracts. The contract must provide that the business associate will—

(A) Comply with the applicable requirements of this subpart;

(B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and

(C) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.

(ii) Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3).

(iii) Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.

(b)(1) Standard: Requirements for group health plans. Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to § 164.504(f)(1)(ii) or (iii), or as authorized under § 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected
health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.

(2) Implementation specifications (Required). The plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to—

(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;

(ii) Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;

(iii) Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and

(iv) Report to the group health plan any security incident of which it becomes aware.

[68 FR 8376, Feb. 20, 2003, as amended at 78 FR 5694, Jan. 25, 2013]

§ 164.316 Policies and procedures and documentation requirements.

A covered entity or business associate must, in accordance with § 164.306:

(a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

(b)(1) Standard: Documentation. (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and

(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

(2) Implementation specifications:

(i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

(ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

(iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

[68 FR 8376, Feb. 20, 2003, as amended at 78 FR 5695, Jan. 25, 2013]

§ 164.318 Compliance dates for the initial implementation of the security standards.

(a) Health plan. (1) A health plan that is not a small health plan must comply with the applicable requirements of this subpart no later than April 20, 2005.

(2) A small health plan must comply with the applicable requirements of this subpart no later than April 20, 2006.

(b) Health care clearinghouse. A health care clearinghouse must comply with the applicable requirements of this subpart no later than April 20, 2005.

(c) Health care provider. A covered health care provider must comply with the applicable requirements of this subpart no later than April 20, 2005.
Appendix A to Subpart C of Part 164—Security Standards: Matrix

The matrix lists, for each standard, its section and its implementation specifications, marked (R)=Required or (A)=Addressable.

Administrative Safeguards

Security Management Process, 164.308(a)(1): Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)

Assigned Security Responsibility, 164.308(a)(2): (R)

Workforce Security, 164.308(a)(3): Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)

Information Access Management, 164.308(a)(4): Isolating Health care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)

Security Awareness and Training, 164.308(a)(5): Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)

Security Incident Procedures, 164.308(a)(6): Response and Reporting (R)

Contingency Plan, 164.308(a)(7): Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)

Evaluation, 164.308(a)(8): (R)

Business Associate Contracts and Other Arrangement, 164.308(b)(1): Written Contract or Other Arrangement (R)

Physical Safeguards

Facility Access Controls, 164.310(a)(1): Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)

Workstation Use, 164.310(b): (R)

Workstation Security, 164.310(c): (R)

Device and Media Controls, 164.310(d)(1): Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

Technical Safeguards (see § 164.312)

Access Control, 164.312(a)(1): Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)

Audit Controls, 164.312(b): (R)

Integrity, 164.312(c)(1): Mechanism to Authenticate Electronic Protected Health Information (A)

Person or Entity Authentication, 164.312(d): (R)

Transmission Security, 164.312(e)(1): Integrity Controls (A); Encryption (A)
Subpart D—Notification in the Case of Breach of Unsecured Protected Health Information

SOURCE: 74 FR 42767, Aug. 24, 2009, unless otherwise noted.

§ 164.400 Applicability.

The requirements of this subpart shall apply with respect to breaches of protected health information occurring on or after September 23, 2009.

§ 164.402 Definitions.

As used in this subpart, the following terms have the following meanings:

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

(1) Breach excludes:

(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.

(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.

(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

(2) Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.

Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5.

[78 FR 5695, Jan. 25, 2013]

§ 164.404 Notification to individuals.

(a) Standard—(1) General rule. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.

(2) Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, §§ 164.406(a), and 164.408(a), a breach shall be treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency).

(b) Implementation specification: Timeliness of notification. Except as provided in § 164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

(c) Implementation specifications: Content of notification—(1) Elements. The notification required by paragraph (a) of this section shall include, to the extent possible:

(A) A brief description of what happened, including the date of the
breach and the date of the discovery of the breach, if known;

(B) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

(C) Any steps individuals should take to protect themselves from potential harm resulting from the breach;

(D) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and

(E) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.

(2) Plain language requirement. The notification required by paragraph (a) of this section shall be written in plain language.

(d) Implementation specifications: Methods of individual notification. The notification required by paragraph (a) of this section shall be provided in the following form:

(1) Written notice. (i) Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information is available.

(ii) If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual (as specified under § 164.502(g)(4) of subpart E), written notification by first-class mail to either the next of kin or personal representative of the individual. The notification may be provided in one or more mailings as information is available.

(2) Substitute notice. In the case in which there is insufficient or out-of-date contact information that precludes written notification to the individual under paragraph (d)(1)(i) of this section, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice need not be provided in the case in which there is insufficient or out-of-date contact information that precludes written notification to the next of kin or personal representative of the individual under paragraph (d)(1)(ii).

(i) In the case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means.

(ii) In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall:

(A) Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and

(B) Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured protected health information may be included in the breach.

(3) Additional notice in urgent situations. In any case deemed by the covered entity to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (d)(1) of this section.

§ 164.406 Notification to the media.

(a) Standard. For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, a covered entity shall, following the discovery of the breach as provided in § 164.404(a)(2), notify prominent media outlets serving the State or jurisdiction.

(b) Implementation specification: Timeliness of notification. Except as provided in § 164.412, a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

(c) Implementation specifications: Content of notification. The notification required by paragraph (a) of this section shall meet the requirements of § 164.404(c).

[74 FR 42740, Aug. 24, 2009, as amended at 78 FR 5695, Jan. 25, 2013]

§ 164.408 Notification to the Secretary.

(a) Standard. A covered entity shall, following the discovery of a breach of unsecured protected health information as provided in § 164.404(a)(2), notify the Secretary.
(b) Implementation specifications: Breaches involving 500 or more individuals. For breaches of unsecured protected health information involving 500 or more individuals, a covered entity shall, except as provided in § 164.412, provide the notification required by paragraph (a) of this section contemporaneously with the notice required by § 164.404(a) and in the manner specified on the HHS Web site.

(c) Implementation specifications: Breaches involving less than 500 individuals. For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site.

[74 FR 42740, Aug. 24, 2009, as amended at 78 FR 5695, Jan. 25, 2013]

§ 164.410 Notification by a business associate.

(a) Standard —(1) General rule. A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach.

(2) Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency).

(b) Implementation specifications: Timeliness of notification. Except as provided in § 164.412, a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

(c) Implementation specifications: Content of notification. (1) The notification required by paragraph (a) of this section shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach.

(2) A business associate shall provide the covered entity with any other available information that the covered entity is required to include in notification to the individual under § 164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available.

[74 FR 42740, Aug. 24, 2009, as amended at 78 FR 5695, Jan. 25, 2013]

§ 164.412 Law enforcement delay.

If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security, a covered entity or business associate shall:

(a) If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or

(b) If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time.

§ 164.414 Administrative requirements and burden of proof.

(a) Administrative requirements. A covered entity is required to comply with the administrative requirements of § 164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart.

(b) Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at § 164.402.

Subpart E—Privacy of Individually Identifiable Health Information

AUTHORITY: 42 U.S.C. 1320d-2, 1320d-4, and 1320d-9; sec. 264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); and secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.

§ 164.500 Applicability.

(a) Except as otherwise provided herein, the standards, requirements, and implementation specifications of

this subpart apply to covered entities with respect to protected health information.

(b) Health care clearinghouses must comply with the standards, requirements, and implementation specifications as follows:

(1) When a health care clearinghouse creates or receives protected health information as a business associate of another covered entity, the clearinghouse must comply with:

(i) Section 164.500 relating to applicability;

(ii) Section 164.501 relating to definitions;

(iii) Section 164.502 relating to uses and disclosures of protected health information, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;

(iv) Section 164.504 relating to the organizational requirements for covered entities;

(v) Section 164.512 relating to uses and disclosures for which individual authorization or an opportunity to agree or object is not required, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;

(vi) Section 164.532 relating to transition requirements; and

(vii) Section 164.534 relating to compliance dates for initial implementation of the privacy standards.

(2) When a health care clearinghouse creates or receives protected health information other than as a business associate of a covered entity, the clearinghouse must comply with all of the standards, requirements, and implementation specifications of this subpart.

(c) Where provided, the standards, requirements, and implementation specifications adopted under this subpart apply to a business associate with respect to the protected health information of a covered entity.

(d) The standards, requirements, and implementation specifications of this subpart do not apply to the Department of Defense or to any other federal agency, or non-governmental organization acting on its behalf, when providing health care to overseas foreign national beneficiaries.

[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53266, Aug. 14, 2002; 68 FR 8381, Feb. 20, 2003; 78 FR 5695, Jan. 25, 2013]

§ 164.501 Definitions.

As used in this subpart, the following terms have the following meanings:

Correctional institution means any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial.

Data aggregation means, with respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health care operations of the respective covered entities.

Designated record set means:

(1) A group of records maintained by or for a covered entity that is:

(i) The medical records and billing records about individuals maintained by or for a covered health care provider;

(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.

(2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

Direct treatment relationship means a treatment relationship between an individual and a health care provider that is not an indirect treatment relationship.

Health care operations means any of the following activities of the covered entity to the extent that the

activities are related to covered functions:

(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities (as defined in 42 CFR 3.20); population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

(3) Except as prohibited under § 164.502(a)(5)(i), underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;

(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and

(6) Business management and general administrative activities of the entity, including, but not limited to:

(i) Management activities relating to implementation of and compliance with the requirements of this subchapter;

(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.

(iii) Resolution of internal grievances;

(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and

(v) Consistent with the applicable requirements of § 164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

Indirect treatment relationship means a relationship between an individual and a health care provider in which:

(1) The health care provider delivers health care to the individual based on the orders of another health care provider; and

(2) The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.

Inmate means a person incarcerated in or otherwise confined to a correctional institution.

Marketing: (1) Except as provided in paragraph (2) of this definition, marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

(2) Marketing does not include a communication made:

(i) To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is

reasonably related to the covered entity's cost of making the communication.

(ii) For the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:

(A) For treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;

(B) To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or

(C) For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.

(3) Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.

Payment means:

(1) The activities undertaken by:

(i) Except as prohibited under § 164.502(a)(5)(i), a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or

(ii) A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and

(2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:

(i) Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;

(ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;

(iii) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;

(iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

(v) Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and

(vi) Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:

(A) Name and address;

(B) Date of birth;

(C) Social security number;

(D) Payment history;

(E) Account number; and

(F) Name and address of the health care provider and/or health plan.

Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53266, Aug. 14, 2002; 68 FR 8381, Feb. 20, 2003; 74 FR 42769, Aug. 24, 2009; 78 FR 5695, Jan. 25, 2013]

§ 164.502 Uses and disclosures of protected health information: General rules.

(a) Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.

(1) Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:

(i) To the individual;

(ii) For treatment, payment, or health care operations, as permitted by and in compliance with § 164.506;

(iii) Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §§ 164.502(b), 164.514(d), and 164.530(c) with respect to such otherwise permitted or required use or disclosure;

(iv) Except for uses and disclosures prohibited under § 164.502(a)(5)(i), pursuant to and in compliance with a valid authorization under § 164.508;

(v) Pursuant to an agreement under, or as otherwise permitted by, § 164.510; and

(vi) As permitted by and in compliance with this section, § 164.512, § 164.514(e), (f), or (g).

(2) Covered entities: Required disclosures. A covered entity is required to disclose protected health information:

(i) To an individual, when requested under, and required by § 164.524 or § 164.528; and

(ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subchapter.

(3) Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to § 164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under § 164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement.

(4) Business associates: Required uses and disclosures. A business associate is required to disclose protected health information:

(i) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the business associate's compliance with this subchapter.

(ii) To the covered entity, individual, or individual's designee, as necessary to satisfy a covered entity's obligations under § 164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request for an electronic copy of protected health information.

(5) Prohibited uses and disclosures.

(i) Use and disclosure of genetic information for underwriting purposes: Notwithstanding any other provision of this subpart, a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of paragraph (a)(5)(i) of this section, underwriting purposes means, with respect to a health plan:

(A) Except as provided in paragraph (a)(5)(i)(B) of this section:

(1) Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy (including changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);

(2) The computation of premium or contribution amounts under the plan, coverage, or policy (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);

(3) The application of any pre-existing condition exclusion under the plan, coverage, or policy; and

(4) Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.

(B) Underwriting purposes does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy.

(ii) Sale of protected health information:

(A) Except pursuant to and in compliance with § 164.508(a)(4), a covered entity or business associate may not sell protected health information.

(B) For purposes of this paragraph, sale of protected health information means:

(1) Except as provided in paragraph (a)(5)(ii)(B)(2) of this section, a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.

(2) Sale of protected health information does not include a disclosure of protected health information:

(i) For public health purposes pursuant to § 164.512(b) or § 164.514(e);

(ii) For research purposes pursuant to § 164.512(i) or § 164.514(e), where the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes;

(iii) For treatment and payment purposes pursuant to § 164.506(a);

(iv) For the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence as described in paragraph (6)(iv) of the definition of health care operations and pursuant to § 164.506(a);

(v) To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor, pursuant to §§ 164.502(e) and 164.504(e), and the only remuneration provided is by the covered entity to the business associate, or by the business associate to the subcontractor, if applicable, for the performance of such activities;

(vi) To an individual, when requested under § 164.524 or § 164.528;

(vii) Required by law as permitted under § 164.512(a); and

(viii) For any other purpose permitted by and in accordance with the applicable requirements of this subpart, where the only remuneration received by the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law.

(b) Standard: Minimum necessary

(1) Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

(2) Minimum necessary does not apply. This requirement does not apply to:

(i) Disclosures to or requests by a health care provider for treatment;

(ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section;

(iii) Uses or disclosures made pursuant to an authorization under § 164.508;

(iv) Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter;

(v) Uses or disclosures that are required by law, as described by § 164.512(a); and

(vi) Uses or disclosures that are required for compliance with applicable requirements of this subchapter.

(c) Standard: Uses and disclosures of protected health information subject to an agreed upon restriction. A covered entity that has agreed to a restriction pursuant to § 164.522(a)(1) may not use or disclose the protected health information covered by the restriction in violation of such restriction, except as otherwise provided in § 164.522(a).

(d) Standard: Uses and disclosures of de-identified protected health information.

(1) Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that

is not individually identifiable health subcontractor to create, receive, individual who is an unemancipated
information or disclose protected maintain, or transmit protected health minor in making decisions related to
health information only to a business information on its behalf, if the health care, a covered entity must
associate for such purpose, whether business associate obtains treat such person as a personal
or not the de-identified information is satisfactory assurances, in representative under this subchapter,
to be used by the covered entity. accordance with § 164.504(e)(1)(i), with respect to protected health
that the subcontractor will information relevant to such personal
(2) Uses and disclosures of de- appropriately safeguard the representation, except that such
identified information. Health information. person may not be a personal
information that meets the standard representative of an unemancipated
and implementation specifications (2) Implementation specification: minor, and the minor has the
for de-identification under Documentation. The satisfactory authority to act as an individual, with
§ 164.514(a) and (b) is considered assurances required by paragraph respect to protected health
not to be individually identifiable (e)(1) of this section must be information pertaining to a health
health information, i.e., de-identified. documented through a written care service, if:
The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of § 164.514, provided that:

(i) Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and

(ii) If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart.

(e)(1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

(ii) A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the

[...]

contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e).

(f) Standard: Deceased individuals. A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.

(g)(1) Standard: Personal representatives. As specified in this paragraph, a covered entity must, except as provided in paragraphs (g)(3) and (g)(5) of this section, treat a personal representative as the individual for purposes of this subchapter.

(2) Implementation specification: adults and emancipated minors. If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.

(3)(i) Implementation specification: unemancipated minors. If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an

[...]

(A) The minor consents to such health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative;

(B) The minor may lawfully obtain such health care service without the consent of a parent, guardian, or other person acting in loco parentis, and the minor, a court, or another person authorized by law consents to such health care service; or

(C) A parent, guardian, or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service.

(ii) Notwithstanding the provisions of paragraph (g)(3)(i) of this section:

(A) If, and to the extent, permitted or required by an applicable provision of State or other law, including applicable case law, a covered entity may disclose, or provide access in accordance with § 164.524 to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis;


(B) If, and to the extent, prohibited by an applicable provision of State or other law, including applicable case law, a covered entity may not disclose, or provide access in accordance with § 164.524 to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis; and

(C) Where the parent, guardian, or other person acting in loco parentis, is not the personal representative under paragraphs (g)(3)(i)(A), (B), or (C) of this section and where there is no applicable access provision under State or other law, including case law, a covered entity may provide or deny access under § 164.524 to a parent, guardian, or other person acting in loco parentis, if such action is consistent with State or other applicable law, provided that such decision must be made by a licensed health care professional, in the exercise of professional judgment.

(4) Implementation specification: Deceased individuals. If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.

(5) Implementation specification: Abuse, neglect, endangerment situations. Notwithstanding a State law or any requirement of this paragraph to the contrary, a covered entity may elect not to treat a person as the personal representative of an individual if:

(i) The covered entity has a reasonable belief that:

(A) The individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or

(B) Treating such person as the personal representative could endanger the individual; and

(ii) The covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative.

(h) Standard: Confidential communications. A covered health care provider or health plan must comply with the applicable requirements of § 164.522(b) in communicating protected health information.

(i) Standard: Uses and disclosures consistent with notice. A covered entity that is required by § 164.520 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by § 164.520(b)(1)(iii) to include a specific statement in its notice if it intends to engage in an activity listed in § 164.520(b)(1)(iii)(A)-(C), may not use or disclose protected health information for such activities, unless the required statement is included in the notice.

(j) Standard: Disclosures by whistleblowers and workforce member crime victims

(1) Disclosures by whistleblowers. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce or a business associate discloses protected health information, provided that:

(i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and

(ii) The disclosure is to:

(A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or

(B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i) of this section.

(2) Disclosures by workforce members who are victims of a crime. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce who is the victim of a criminal act discloses protected health information to a law enforcement official, provided that:

(i) The protected health information disclosed is about the suspected perpetrator of the criminal act; and

(ii) The protected health information disclosed is limited to the information listed in § 164.512(f)(2)(i).

[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53267, Aug. 14, 2002; 78 FR 5696, Jan. 25, 2013]


§ 164.504 Uses and disclosures: Organizational requirements.

(a) Definitions. As used in this section:

Plan administration functions means administration functions performed by the plan sponsor of a group health plan on behalf of the group health plan and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor.

Summary health information means information, that may be individually identifiable health information, and:

(1) That summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan; and

(2) From which the information described at § 164.514(b)(2)(i) has been deleted, except that the geographic information described in § 164.514(b)(2)(i)(B) need only be aggregated to the level of a five digit zip code.

(b)-(d) [Reserved]

(e)(1) Standard: Business associate contracts. (i) The contract or other arrangement required by § 164.502(e)(2) must meet the requirements of paragraph (e)(2), (e)(3), or (e)(5) of this section, as applicable.

(ii) A covered entity is not in compliance with the standards in § 164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.

(iii) A business associate is not in compliance with the standards in § 164.502(e) and this paragraph, if the business associate knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation of the subcontractor's obligation under the contract or other arrangement, unless the business associate took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.

(2) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must:

(i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:

(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and

(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.

(ii) Provide that the business associate will:

(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;

(B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract;

(C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410;

(D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;

(E) Make available protected health information in accordance with § 164.524;

(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526;

(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;

(H) To the extent the business associate is to carry out a covered entity's obligation under this subpart, comply with the requirements of this subpart that apply to the covered entity in the performance of such obligation.


(I) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance with this subpart; and

(J) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

(iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

(3) Implementation specifications: Other arrangements. (i) If a covered entity and its business associate are both governmental entities:

(A) The covered entity may comply with this paragraph and § 164.314(a)(1), if applicable, by entering into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (e)(2) of this section and § 164.314(a)(2), if applicable.

(B) The covered entity may comply with this paragraph and § 164.314(a)(1), if applicable, if other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (e)(2) of this section and § 164.314(a)(2), if applicable.

(ii) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in § 160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph and § 164.314(a)(1), if applicable, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(2) of this section and § 164.314(a)(1), if applicable, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained.

(iii) The covered entity may omit from its other arrangements the termination authorization required by paragraph (e)(2)(iii) of this section, if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.

(iv) A covered entity may comply with this paragraph and § 164.314(a)(1) if the covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and the covered entity has a data use agreement with the business associate that complies with § 164.514(e)(4) and § 164.314(a)(1), if applicable.

(4) Implementation specifications: Other requirements for contracts and other arrangements. (i) The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the protected health information received by the business associate in its capacity as a business associate to the covered entity, if necessary:

(A) For the proper management and administration of the business associate; or

(B) To carry out the legal responsibilities of the business associate.

(ii) The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the protected health information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if:

(A) The disclosure is required by law; or

(B)(1) The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person; and

(2) The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(5) Implementation specifications: Business associate contracts with subcontractors. The requirements of § 164.504(e)(2) through (e)(4) apply to the contract or other arrangement required by § 164.502(e)(1)(ii) between a business associate and a business associate that is a subcontractor in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.


(f)(1) Standard: Requirements for group health plans. (i) Except as provided under paragraph (f)(1)(ii) or (iii) of this section or as otherwise authorized under § 164.508, a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart.

(ii) Except as prohibited by § 164.502(a)(5)(i), the group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose summary health information to the plan sponsor, if the plan sponsor requests the summary health information for purposes of:

(A) Obtaining premium bids from health plans for providing health insurance coverage under the group health plan; or

(B) Modifying, amending, or terminating the group health plan.

(iii) The group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose to the plan sponsor information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.

(2) Implementation specifications: Requirements for plan documents. The plan documents of the group health plan must be amended to incorporate provisions to:

(i) Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this subpart.

(ii) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to:

(A) Not use or further disclose the information other than as permitted or required by the plan documents or as required by law;

(B) Ensure that any agents to whom it provides protected health information received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information;

(C) Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor;

(D) Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware;

(E) Make available protected health information in accordance with § 164.524;

(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526;

(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;

(H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the group health plan available to the Secretary for purposes of determining compliance by the group health plan with this subpart;

(I) If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and

(J) Ensure that the adequate separation required in paragraph (f)(2)(iii) of this section is established.

(iii) Provide for adequate separation between the group health plan and the plan sponsor. The plan documents must:

(A) Describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the protected health information to be disclosed, provided that any employee or person who receives protected health information relating to payment under, health care operations of, or other matters pertaining to the group health plan in the ordinary course of business must be included in such description;

(B) Restrict the access to and use by such employees and other persons described in paragraph (f)(2)(iii)(A) of this section to the plan administration functions that the plan sponsor performs for the group health plan; and


(C) Provide an effective mechanism for resolving any issues of noncompliance by persons described in paragraph (f)(2)(iii)(A) of this section with the plan document provisions required by this paragraph.

(3) Implementation specifications: Uses and disclosures. A group health plan may:

(i) Disclose protected health information to a plan sponsor to carry out plan administration functions that the plan sponsor performs only consistent with the provisions of paragraph (f)(2) of this section;

(ii) Not permit a health insurance issuer or HMO with respect to the group health plan to disclose protected health information to the plan sponsor except as permitted by this paragraph;

(iii) Not disclose and may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor as otherwise permitted by this paragraph unless a statement required by § 164.520(b)(1)(iii)(C) is included in the appropriate notice; and

(iv) Not disclose protected health information to the plan sponsor for the purpose of employment-related actions or decisions or in connection with any other benefit or employee benefit plan of the plan sponsor.

(g) Standard: Requirements for a covered entity with multiple covered functions.

(1) A covered entity that performs multiple covered functions that would make the entity any combination of a health plan, a covered health care provider, and a health care clearinghouse, must comply with the standards, requirements, and implementation specifications of this subpart, as applicable to the health plan, health care provider, or health care clearinghouse covered functions performed.

(2) A covered entity that performs multiple covered functions may use or disclose the protected health information of individuals who receive the covered entity's health plan or health care provider services, but not both, only for purposes related to the appropriate function being performed.

[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53267, Aug. 14, 2002; 68 FR 8381, Feb. 20, 2003; 78 FR 5697, Jan. 25, 2013]

§ 164.506 Uses and disclosures to carry out treatment, payment, or health care operations.

(a) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under § 164.508(a)(2) through (4) or that are prohibited under § 164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart.

(b) Standard: Consent for uses and disclosures permitted.

(1) A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations.

(2) Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under § 164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart.

(c) Implementation specifications: Treatment, payment, or health care operations. (1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.

(2) A covered entity may disclose protected health information for treatment activities of a health care provider.

(3) A covered entity may disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information.

(4) A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is:

(i) For a purpose listed in paragraph (1) or (2) of the definition of health care operations; or

(ii) For the purpose of health care fraud and abuse detection or compliance.

(5) A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to other participants in the organized health care arrangement for any health care operations activities of the organized health care arrangement.


[67 FR 53268, Aug. 14, 2002, as amended at 78 FR 5698, Jan. 25, 2013]

§ 164.508 Uses and disclosures for which an authorization is required.

(a) Standard: Authorizations for uses and disclosures —(1) Authorization required: General rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.

(2) Authorization required: Psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in § 164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except:

(i) To carry out the following treatment, payment, or health care operations:

(A) Use by the originator of the psychotherapy notes for treatment;

(B) Use or disclosure by the covered entity for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or

(C) Use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual; and

(ii) A use or disclosure that is required by § 164.502(a)(2)(ii) or permitted by § 164.512(a); § 164.512(d) with respect to the oversight of the originator of the psychotherapy notes; § 164.512(g)(1); or § 164.512(j)(1)(i).

(3) Authorization required: Marketing.

(i) Notwithstanding any provision of this subpart, other than the transition provisions in § 164.532, a covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form of:

(A) A face-to-face communication made by a covered entity to an individual; or

(B) A promotional gift of nominal value provided by the covered entity.

(ii) If the marketing involves financial remuneration, as defined in paragraph (3) of the definition of marketing at § 164.501, to the covered entity from a third party, the authorization must state that such remuneration is involved.

(4) Authorization required: Sale of protected health information.

(i) Notwithstanding any provision of this subpart, other than the transition provisions in § 164.532, a covered entity must obtain an authorization for any disclosure of protected health information which is a sale of protected health information, as defined in § 164.501 of this subpart.

(ii) Such authorization must state that the disclosure will result in remuneration to the covered entity.

(b) Implementation specifications: General requirements

(1) Valid authorizations.

(i) A valid authorization is a document that meets the requirements in paragraphs (a)(3)(ii), (a)(4)(ii), (c)(1), and (c)(2) of this section, as applicable.

(ii) A valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional elements or information are not inconsistent with the elements required by this section.

(2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects:

(i) The expiration date has passed or the expiration event is known by the covered entity to have occurred;

(ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c) of this section, if applicable;

(iii) The authorization is known by the covered entity to have been revoked;

(iv) The authorization violates paragraph (b)(3) or (4) of this section, if applicable;

(v) Any material information in the authorization is known by the covered entity to be false.

(3) Compound authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows:

(i) An authorization for the use or disclosure of protected health information for a research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an


authorization for the use or disclosure of protected health information for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research. Where a covered health care provider has conditioned the provision of research-related treatment on the provision of one of the authorizations, as permitted under paragraph (b)(4)(i) of this section, any compound authorization created under this paragraph must clearly differentiate between the conditioned and unconditioned components and provide the individual with an opportunity to opt in to the research activities described in the unconditioned authorization.

(ii) An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes.

(iii) An authorization under this section, other than an authorization for a use or disclosure of psychotherapy notes, may be combined with any other such authorization under this section, except when a covered entity has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits under paragraph (b)(4) of this section on the provision of one of the authorizations. The prohibition in this paragraph on combining authorizations where one authorization conditions the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits under paragraph (b)(4) of this section does not apply to a compound authorization created in accordance with paragraph (b)(3)(i) of this

[...]

(4) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except:

(i) A covered health care provider may condition the provision of research-related treatment on provision of an authorization for the use or disclosure of protected health information for such research under this section;

(ii) A health plan may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual's enrollment in the health plan, if:

(A) The authorization sought is for the health plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations; and

(B) The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section; and

(iii) A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party.

(5) Revocation of authorizations. An individual may revoke an authorization provided under this section at any time, provided that the revocation is in writing, except to the extent that:

(i) The covered entity has taken

[...]

(ii) If the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy or the policy itself.

(6) Documentation. A covered entity must document and retain any signed authorization under this section as required by § 164.530(j).

(c) Implementation specifications: Core elements and requirements

(1) Core elements. A valid authorization under this section must contain at least the following elements:

(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.

(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.

(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.

(iv) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.

(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the
section. action in reliance thereon; or authorization is for a use or
disclosure of protected health
information for research, including

for the creation and maintenance of a research database or research repository.

(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.

(2) Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:

(i) The individual's right to revoke the authorization in writing, and either:

(A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or

(B) To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by § 164.520, a reference to the covered entity's notice.

(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:

(A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or

(B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.

(iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart.

(3) Plain language requirement. The authorization must be written in plain language.

(4) Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.

[67 FR 53268, Aug. 14, 2002, as amended at 78 FR 5699, Jan. 25, 2013]

§ 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object.

A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure, in accordance with the applicable requirements of this section. The covered entity may orally inform the individual of and obtain the individual's oral agreement or objection to a use or disclosure permitted by this section.

(a) Standard: Use and disclosure for facility directories

(1) Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may:

(i) Use the following protected health information to maintain a directory of individuals in its facility:

(A) The individual's name;

(B) The individual's location in the covered health care provider's facility;

(C) The individual's condition described in general terms that does not communicate specific medical information about the individual; and

(D) The individual's religious affiliation; and

(ii) Use or disclose for directory purposes such information:

(A) To members of the clergy; or

(B) Except for religious affiliation, to other persons who ask for the individual by name.

(2) Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section.

(3) Emergency circumstances. (i) If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility's directory, if such disclosure is:
(A) Consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and

(B) In the individual's best interest as determined by the covered health care provider, in the exercise of professional judgment.

(ii) The covered health care provider must inform the individual and provide an opportunity to object to uses or disclosures for directory purposes as required by paragraph (a)(2) of this section when it becomes practicable to do so.

(b) Standard: Uses and disclosures for involvement in the individual's care and notification purposes

(1) Permitted uses and disclosures.

(i) A covered entity may, in accordance with paragraphs (b)(2), (b)(3), or (b)(5) of this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person's involvement with the individual's health care or payment related to the individual's health care.

(ii) A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (b)(3), (b)(4), or (b)(5) of this section, as applicable.

(2) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it:

(i) Obtains the individual's agreement;

(ii) Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or

(iii) Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure.

(3) Limited uses and disclosures when the individual is not present. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual's incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's care or payment related to the individual's health care or needed for notification purposes. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual's best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information.

(4) Uses and disclosures for disaster relief purposes. A covered entity may use or disclose protected health information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities the uses or disclosures permitted by paragraph (b)(1)(ii) of this section. The requirements in paragraphs (b)(2), (b)(3), or (b)(5) of this section apply to such uses and disclosures to the extent that the covered entity, in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency circumstances.

(5) Uses and disclosures when the individual is deceased. If the individual is deceased, a covered entity may disclose to a family member, or other persons identified in paragraph (b)(1) of this section who were involved in the individual's care or payment for health care prior to the individual's death, protected health information of the individual that is relevant to such person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.

[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53270, Aug. 14, 2002; 78 FR 5699, Jan. 25, 2013]

§ 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required.

A covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure
permitted by this section, the covered entity's information and the individual's agreement may be given orally.

(a) Standard: Uses and disclosures required by law.

(1) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

(2) A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law.

(b) Standard: Uses and disclosures for public health activities. (1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to:

(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;

(ii) A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;

(iii) A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include:

(A) To collect or report adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations;

(B) To track FDA-regulated products;

(C) To enable product recalls, repairs, or replacement, or lookback (including locating and notifying individuals who have received products that have been recalled, withdrawn, or are the subject of lookback); or

(D) To conduct post marketing surveillance;

(iv) A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or

(v) An employer, about an individual who is a member of the workforce of the employer, if:

(A) The covered entity is a covered health care provider who provides health care to the individual at the request of the employer:

(1) To conduct an evaluation relating to medical surveillance of the workplace; or

(2) To evaluate whether the individual has a work-related illness or injury;

(B) The protected health information that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance;

(C) The employer needs such findings in order to comply with its obligations, under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state law having a similar purpose, to record such illness or injury or to carry out responsibilities for workplace medical surveillance; and

(D) The covered health care provider provides written notice to the individual that protected health information relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer:

(1) By giving a copy of the notice to the individual at the time the health care is provided; or

(2) If the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided.

(vi) A school, about an individual who is a student or prospective student of the school, if:

(A) The protected health information that is disclosed is limited to proof of immunization;

(B) The school is required by State or other law to have such proof of immunization prior to admitting the individual; and

(C) The covered entity obtains and documents the agreement to the disclosure from either:
(1) A parent, guardian, or other person acting in loco parentis of the individual, if the individual is an unemancipated minor; or

(2) The individual, if the individual is an adult or emancipated minor.

(2) Permitted uses. If the covered entity also is a public health authority, the covered entity is permitted to use protected health information in all cases in which it is permitted to disclose such information for public health activities under paragraph (b)(1) of this section.

(c) Standard: Disclosures about victims of abuse, neglect or domestic violence

(1) Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence:

(i) To the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law;

(ii) If the individual agrees to the disclosure; or

(iii) To the extent the disclosure is expressly authorized by statute or regulation and:

(A) The covered entity, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or

(B) If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

(2) Informing the individual. A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been or will be made, except if:

(i) The covered entity, in the exercise of professional judgment, believes informing the individual would place the individual at risk of serious harm; or

(ii) The covered entity would be informing a personal representative, and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.

(d) Standard: Uses and disclosures for health oversight activities

(1) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:

(i) The health care system;

(ii) Government benefit programs for which health information is relevant to beneficiary eligibility;

(iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or

(iv) Entities subject to civil rights laws for which health information is necessary for determining compliance.

(2) Exception to health oversight activities. For the purpose of the disclosures permitted by paragraph (d)(1) of this section, a health oversight activity does not include an investigation or other activity in which the individual is the subject of the investigation or activity and such investigation or other activity does not arise out of and is not directly related to:

(i) The receipt of health care;

(ii) A claim for public benefits related to health; or

(iii) Qualification for, or receipt of, public benefits or services when a patient's health is integral to the claim for public benefits or services.

(3) Joint activities or investigations. Notwithstanding paragraph (d)(2) of this section, if a health oversight activity or investigation is conducted in conjunction with an oversight activity or investigation relating to a claim for public benefits not related to health, the joint activity or investigation is considered a health oversight activity for purposes of paragraph (d) of this section.
(4) Permitted uses. If a covered entity also is a health oversight agency, the covered entity may use protected health information for health oversight activities as permitted by paragraph (d) of this section.

(e) Standard: Disclosures for judicial and administrative proceedings

(1) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:

(i) In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or

(ii) In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:

(A) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or

(B) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e)(1)(v) of this section.

(iii) For the purposes of paragraph (e)(1)(ii)(A) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:

(A) The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, to mail a notice to the individual's last known address);

(B) The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and

(C) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and:

(1) No objections were filed; or

(2) All objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.

(iv) For the purposes of paragraph (e)(1)(ii)(B) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information, if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:

(A) The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or

(B) The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.

(v) For purposes of paragraph (e)(1) of this section, a qualified protective order means, with respect to protected health information requested under paragraph (e)(1)(ii) of this section, an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:

(A) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and

(B) Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.

(vi) Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e)(1)(ii) of this section without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e)(1)(iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e)(1)(iv) of this section.

(2) Other uses and disclosures under this section. The provisions of this paragraph do not supersede other provisions of this section that otherwise permit or restrict uses or disclosures of protected health information.
(f) Standard: Disclosures for law enforcement purposes. A covered entity may disclose protected health information for a law enforcement purpose to a law enforcement official if the conditions in paragraphs (f)(1) through (f)(6) of this section are met, as applicable.

(1) Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information:

(i) As required by law including laws that require the reporting of certain types of wounds or other physical injuries, except for laws subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or

(ii) In compliance with and as limited by the relevant requirements of:

(A) A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer;

(B) A grand jury subpoena; or

(C) An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:

(1) The information sought is relevant and material to a legitimate law enforcement inquiry;

(2) The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and

(3) De-identified information could not reasonably be used.

(2) Permitted disclosures: Limited information for identification and location purposes. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that:

(i) The covered entity may disclose only the following information:

(A) Name and address;

(B) Date and place of birth;

(C) Social security number;

(D) ABO blood type and rh factor;

(E) Type of injury;

(F) Date and time of treatment;

(G) Date and time of death, if applicable; and

(H) A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.

(ii) Except as permitted by paragraph (f)(2)(i) of this section, the covered entity may not disclose for the purposes of identification or location under paragraph (f)(2) of this section any protected health information related to the individual's DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue.

(3) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if:

(i) The individual agrees to the disclosure; or

(ii) The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that:

(A) The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim;

(B) The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and

(C) The disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.

(4) Permitted disclosure: Decedents. A covered entity may disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the covered entity has a suspicion that such death may have resulted from criminal conduct.

(5) Permitted disclosure: Crime on premises. A covered entity may disclose to a law enforcement official protected health information that the covered entity believes in good faith
constitutes evidence of criminal conduct that occurred on the premises of the covered entity.

(6) Permitted disclosure: Reporting crime in emergencies.

(i) A covered health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to:

(A) The commission and nature of a crime;

(B) The location of such crime or of the victim(s) of such crime; and

(C) The identity, description, and location of the perpetrator of such crime.

(ii) If a covered health care provider believes that the medical emergency described in paragraph (f)(6)(i) of this section is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care, paragraph (f)(6)(i) of this section does not apply and any disclosure to a law enforcement official for law enforcement purposes is subject to paragraph (c) of this section.

(g) Standard: Uses and disclosures about decedents.

(1) Coroners and medical examiners. A covered entity may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. A covered entity that also performs

information for the purposes described in this paragraph.

(2) Funeral directors. A covered entity may disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary for funeral directors to carry out their duties, the covered entity may disclose the protected health information prior to, and in reasonable anticipation of, the individual's death.

(h) Standard: Uses and disclosures for cadaveric organ, eye or tissue donation purposes. A covered entity may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.

(i) Standard: Uses and disclosures for research purposes

(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that:

(i) Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by § 164.508 for use or disclosure of protected health information has been approved by either:

(A) An Institutional Review Board (IRB), established in accordance with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or

(B) A privacy board that:

(1) Has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests;

(2) Includes at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities; and

(3) Does not have any member participating in a review of any project in which the member has a conflict of interest.

(ii) Reviews preparatory to research. The covered entity obtains from the researcher representations that:

(A) Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research;

(B) No protected health information is to be removed from the covered entity by the researcher in the course of the review; and

(C) The protected health information for which use or access is sought is necessary for the research purposes.

(iii) Research on decedent's information. The covered entity obtains from the researcher:

(A) Representation that the use or disclosure sought is solely for research on the protected health
CFR 1028.107, 21 CFR 56.107, 22
the duties of a coroner or medical information of decedents;
examiner may use protected health CFR 225.107, 24 CFR 60.107, 28
CFR 46.107, 32 CFR 219.107, 34

93
HIPAA Administrative Simplification Regulation Text
March 2013

(B) Documentation, at the request of oversight of the research study, or for (B) A privacy board must review the
the covered entity, of the death of other research for which the use or proposed research at convened
such individuals; and disclosure of protected health meetings at which a majority of the
information would be permitted by privacy board members are present,
(C) Representation that the protected this subpart; including at least one member who
health information for which use or satisfies the criterion stated in
disclosure is sought is necessary for (B) The research could not paragraph (i)(1)(i)(B)(2) of this
the research purposes. practicably be conducted without the section, and the alteration or waiver
waiver or alteration; and of authorization must be approved by
the majority of the privacy board
(2) Documentation of waiver
members present at the meeting,
approval. For a use or disclosure to (C) The research could not
unless the privacy board elects to use
be permitted based on documentation practicably be conducted without
an expedited review procedure in
of approval of an alteration or access to and use of the protected
waiver, under paragraph (i)(1)(i) of health information. accordance with paragraph
this section, the documentation must (i)(2)(iv)(C) of this section;
include all of the following: (iii) Protected health information
(C) A privacy board may use an
needed. A brief description of the
expedited review procedure if the
(i) Identification and date of action. protected health information for
A statement identifying the IRB or which use or access has been research involves no more than
privacy board and the date on which determined to be necessary by the minimal risk to the privacy of the
individuals who are the subject of the
the alteration or waiver of institutional review board or privacy
protected health information for
authorization was approved; board, pursuant to paragraph
which use or disclosure is being
(i)(2)(ii)(C) of this section;
sought. If the privacy board elects to
(ii) Waiver criteria. A statement that use an expedited review procedure,
the IRB or privacy board has (iv) Review and approval the review and approval of the
determined that the alteration or procedures. A statement that the alteration or waiver of authorization
waiver, in whole or in part, of alteration or waiver of authorization may be carried out by the chair of the
authorization satisfies the following has been reviewed and approved privacy board, or by one or more
criteria: under either normal or expedited members of the privacy board as
review procedures, as follows: designated by the chair; and
(A) The use or disclosure of
protected health information involves (A) An IRB must follow the (v) Required signature. The
no more than a minimal risk to the requirements of the Common Rule, documentation of the alteration or
privacy of individuals, based on, at including the normal review waiver of authorization must be
least, the presence of the following procedures (7 CFR 1c.108(b), 10 signed by the chair or other member,
elements; CFR 745.108(b), 14 CFR as designated by the chair, of the IRB
1230.108(b), 15 CFR 27.108(b), 16 or the privacy board, as applicable.
(1) An adequate plan to protect the CFR 1028.108(b), 21 CFR 56.108(b),
identifiers from improper use and 22 CFR 225.108(b), 24 CFR
60.108(b), 28 CFR 46.108(b), 32 (j) Standard: Uses and disclosures to
disclosure; avert a serious threat to health or
CFR 219.108(b), 34 CFR 97.108(b),
safety
38 CFR 16.108(b), 40 CFR
(2) An adequate plan to destroy the
26.108(b), 45 CFR 46.108(b), 45
identifiers at the earliest opportunity (1) Permitted disclosures. A covered
consistent with conduct of the CFR 690.108(b), or 49 CFR
11.108(b)) or the expedited review entity may, consistent with
research, unless there is a health or applicable law and standards of
procedures (7 CFR 1c.110, 10 CFR
research justification for retaining the ethical conduct, use or disclose
745.110, 14 CFR 1230.110, 15 CFR
identifiers or such retention is protected health information, if the
27.110, 16 CFR 1028.110, 21 CFR
otherwise required by law; and covered entity, in good faith, believes
56.110, 22 CFR 225.110, 24 CFR
60.110, 28 CFR 46.110, 32 CFR the use or disclosure:
(3) Adequate written assurances that 219.110, 34 CFR 97.110, 38 CFR
the protected health information will 16.110, 40 CFR 26.110, 45 CFR (i)(A) Is necessary to prevent or
not be reused or disclosed to any 46.110, 45 CFR 690.110, or 49 CFR lessen a serious and imminent threat
other person or entity, except as 11.110); to the health or safety of a person or
required by law, for authorized the public; and

94
HIPAA Administrative Simplification Regulation Text
March 2013

(B) Is to a person or persons (4) Presumption of good faith belief. (iii) Veterans. A covered entity that
reasonably able to prevent or lessen A covered entity that uses or is a component of the Department of
the threat, including the target of the discloses protected health Veterans Affairs may use and
threat; or information pursuant to paragraph disclose protected health information
(j)(1) of this section is presumed to to components of the Department
(ii) Is necessary for law enforcement have acted in good faith with regard that determine eligibility for or
authorities to identify or apprehend to a belief described in paragraph entitlement to, or that provide,
an individual: (j)(1)(i) or (ii) of this section, if the benefits under the laws administered
belief is based upon the covered by the Secretary of Veterans Affairs.
entity's actual knowledge or in
(A) Because of a statement by an
reliance on a credible representation (iv) Foreign military personnel. A
individual admitting participation in
by a person with apparent knowledge covered entity may use and disclose
a violent crime that the covered
or authority. the protected health information of
entity reasonably believes may have
caused serious physical harm to the individuals who are foreign military
victim; or (k) Standard: Uses and disclosures personnel to their appropriate foreign
for specialized government functions. military authority for the same
purposes for which uses and
(B) Where it appears from all the
disclosures are permitted for Armed
circumstances that the individual has (1) Military and veterans activities
escaped from a correctional Forces personnel under the notice
institution or from lawful custody, as (i) Armed Forces personnel. A published in the FEDERAL REGISTER
pursuant to paragraph (k)(1)(i) of this
those terms are defined in § 164.501. covered entity may use and disclose
section.
the protected health information of
(2) Use or disclosure not permitted. individuals who are Armed Forces
A use or disclosure pursuant to personnel for activities deemed (2) National security and intelligence
activities. A covered entity may
paragraph (j)(1)(ii)(A) of this section necessary by appropriate military
command authorities to assure the disclose protected health information
may not be made if the information
proper execution of the military to authorized federal officials for the
described in paragraph (j)(1)(ii)(A)
mission, if the appropriate military conduct of lawful intelligence,
of this section is learned by the
covered entity: authority has published by notice in counter-intelligence, and other
the FEDERAL REGISTER the following national security activities authorized
information: by the National Security Act (50
(i) In the course of treatment to affect U.S.C. 401, et seq.) and
the propensity to commit the criminal implementing authority (e.g.,
conduct that is the basis for the (A) Appropriate military command
Executive Order 12333).
disclosure under paragraph authorities; and
(j)(1)(ii)(A) of this section, or
(3) Protective services for the
counseling or therapy; or (B) The purposes for which the
President and others. A covered
protected health information may be
entity may disclose protected health
(ii) Through a request by the used or disclosed.
information to authorized Federal
individual to initiate or to be referred officials for the provision of
for the treatment, counseling, or (ii) Separation or discharge from protective services to the President or
therapy described in paragraph military service. A covered entity other persons authorized by 18
(j)(2)(i) of this section. that is a component of the U.S.C. 3056 or to foreign heads of
Departments of Defense or state or other persons authorized by
(3) Limit on information that may be Homeland Security may disclose to 22 U.S.C. 2709(a)(3), or for the
disclosed. A disclosure made the Department of Veterans Affairs conduct of investigations authorized
pursuant to paragraph (j)(1)(ii)(A) of (DVA) the protected health by 18 U.S.C. 871 and 879.
this section shall contain only the information of an individual who is a
statement described in paragraph member of the Armed Forces upon
(4) Medical suitability
(j)(1)(ii)(A) of this section and the the separation or discharge of the
individual from military service for determinations. A covered entity that
protected health information is a component of the Department of
described in paragraph (f)(2)(i) of the purpose of a determination by
State may use protected health
this section. DVA of the individual's eligibility
information to make medical
for or entitlement to benefits under
suitability determinations and may
laws administered by the Secretary of
disclose whether or not the individual
Veterans Affairs.

95
HIPAA Administrative Simplification Regulation Text
March 2013

was determined to be medically (E) Law enforcement on the premises functions of such programs or to
suitable to the officials in the of the correctional institution; or improve administration and
Department of State who need access management relating to the covered
to such information for the following (F) The administration and functions of such programs.
purposes: maintenance of the safety, security,
and good order of the correctional (l) Standard: Disclosures for
(i) For the purpose of a required institution. workers' compensation. A covered
security clearance conducted entity may disclose protected health
pursuant to Executive Orders 10450 (ii) Permitted uses. A covered entity information as authorized by and to
and 12968; that is a correctional institution may the extent necessary to comply with
use protected health information of laws relating to workers'
(ii) As necessary to determine individuals who are inmates for any compensation or other similar
worldwide availability or availability purpose for which such protected programs, established by law, that
for mandatory service abroad under health information may be disclosed. provide benefits for work-related
sections 101(a)(4) and 504 of the injuries or illness without regard to
Foreign Service Act; or fault.
(iii) No application after release. For
the purposes of this provision, an
(iii) For a family to accompany a individual is no longer an inmate [65 FR 82802, Dec. 28, 2000, as
Foreign Service member abroad, when released on parole, probation, amended at 67 FR 53270, Aug. 14,
consistent with section 101(b)(5) and supervised release, or otherwise is no 2002; 78 FR 5700, Jan. 25, 2013]
904 of the Foreign Service Act. longer in lawful custody.
§ 164.514 Other requirements
(5) Correctional institutions and (6) Covered entities that are relating to uses and disclosures of
other law enforcement custodial government programs providing protected health information.
situations. public benefits.
(a) Standard: De-identification of
(i) Permitted disclosures. A covered (i) A health plan that is a government protected health information. Health
entity may disclose to a correctional program providing public benefits information that does not identify an
institution or a law enforcement may disclose protected health individual and with respect to which
official having lawful custody of an information relating to eligibility for there is no reasonable basis to believe
inmate or other individual protected or enrollment in the health plan to that the information can be used to
health information about such inmate another agency administering a identify an individual is not
or individual, if the correctional government program providing individually identifiable health
institution or such law enforcement public benefits if the sharing of information.
official represents that such protected eligibility or enrollment information
health information is necessary for: among such government agencies or (b) Implementation specifications:
the maintenance of such information Requirements for de-identification of
(A) The provision of health care to in a single or combined data system protected health information. A
such individuals; accessible to all such government covered entity may determine that
agencies is required or expressly health information is not individually
authorized by statute or regulation. identifiable health information only
(B) The health and safety of such
if:
individual or other inmates;
(ii) A covered entity that is a
(C) The health and safety of the government agency administering a (1) A person with appropriate
government program providing knowledge of and experience with
officers or employees of or others at
public benefits may disclose generally accepted statistical and
the correctional institution;
protected health information relating scientific principles and methods for
to the program to another covered rendering information not
(D) The health and safety of such entity that is a government agency individually identifiable:
individuals and officers or other administering a government program
persons responsible for the providing public benefits if the (i) Applying such principles and
transporting of inmates or their programs serve the same or similar methods, determines that the risk is
transfer from one institution, facility, populations and the disclosure of
or setting to another; very small that the information could
protected health information is be used, alone or in combination with
necessary to coordinate the covered

96
HIPAA Administrative Simplification Regulation Text
March 2013

other reasonably available (G) Social security numbers; is not otherwise capable of being
information, by an anticipated translated so as to identify the
recipient to identify an individual (H) Medical record numbers; individual; and
who is a subject of the information;
and (2) Security. The covered entity does
(I) Health plan beneficiary numbers;
not use or disclose the code or other
(ii) Documents the methods and (J) Account numbers; means of record identification for
results of the analysis that justify any other purpose, and does not
such determination; or disclose the mechanism for re-
(K) Certificate/license numbers; identification.
(2)(i) The following identifiers of the
individual or of relatives, employers, (L) Vehicle identifiers and serial (d)(1) Standard: Minimum necessary
or household members of the numbers, including license plate requirements. In order to comply
individual, are removed: numbers; with § 164.502(b) and this section, a
covered entity must meet the
(A) Names; (M) Device identifiers and serial requirements of paragraphs (d)(2)
numbers; through (d)(5) of this section with
(B) All geographic subdivisions respect to a request for, or the use
smaller than a State, including street (N) Web Universal Resource and disclosure of, protected health
Locators (URLs); information.
address, city, county, precinct, zip
code, and their equivalent geocodes,
except for the initial three digits of a (O) Internet Protocol (IP) address (2) Implementation specifications:
zip code if, according to the current numbers; Minimum necessary uses of protected
publicly available data from the health information.
Bureau of the Census: (P) Biometric identifiers, including
finger and voice prints; (i) A covered entity must identify:
(1) The geographic unit formed by
combining all zip codes with the (Q) Full face photographic images (A) Those persons or classes of
same three initial digits contains and any comparable images; and persons, as appropriate, in its
more than 20,000 people; and workforce who need access to
(R) Any other unique identifying protected health information to carry
(2) The initial three digits of a zip number, characteristic, or code, out their duties; and
code for all such geographic units except as permitted by paragraph (c)
containing 20,000 or fewer people is of this section; and (B) For each such person or class of
changed to 000. persons, the category or categories of
(ii) The covered entity does not have protected health information to which
(C) All elements of dates (except actual knowledge that the access is needed and any conditions
year) for dates directly related to an information could be used alone or in appropriate to such access.
individual, including birth date, combination with other information
admission date, discharge date, date to identify an individual who is a (ii) A covered entity must make
of death; and all ages over 89 and all subject of the information. reasonable efforts to limit the access
elements of dates (including year) of such persons or classes identified
indicative of such age, except that (c) Implementation specifications: in paragraph (d)(2)(i)(A) of this
such ages and elements may be Re-identification. A covered entity section to protected health
aggregated into a single category of may assign a code or other means of information consistent with
age 90 or older; record identification to allow paragraph (d)(2)(i)(B) of this section.
information de-identified under this
(D) Telephone numbers; section to be re-identified by the (3) Implementation specification:
covered entity, provided that: Minimum necessary disclosures of
(E) Fax numbers; protected health information.
(1) Derivation. The code or other
(F) Electronic mail addresses; means of record identification is not (i) For any type of disclosure that it
derived from or related to makes on a routine and recurring
information about the individual and basis, a covered entity must

97
HIPAA Administrative Simplification Regulation Text
March 2013

implement policies and procedures (4) Implementation specifications: and (e)(3) of this section, if the
(which may be standard protocols) Minimum necessary requests for covered entity enters into a data use
that limit the protected health protected health information. agreement with the limited data set
information disclosed to the amount recipient, in accordance with
reasonably necessary to achieve the (i) A covered entity must limit any paragraph (e)(4) of this section.
purpose of the disclosure. request for protected health
information to that which is (2) Implementation specification:
(ii) For all other disclosures, a reasonably necessary to accomplish Limited data set: A limited data set is
covered entity must: the purpose for which the request is protected health information that
made, when requesting such excludes the following direct
(A) Develop criteria designed to limit information from other covered identifiers of the individual or of
the protected health information entities. relatives, employers, or household
disclosed to the information members of the individual:
reasonably necessary to accomplish (ii) For a request that is made on a
the purpose for which disclosure is routine and recurring basis, a covered (i) Names;
sought; and entity must implement policies and
procedures (which may be standard (ii) Postal address information, other
(B) Review requests for disclosure protocols) that limit the protected than town or city, State, and zip
on an individual basis in accordance health information requested to the code;
with such criteria. amount reasonably necessary to
accomplish the purpose for which the
(iii) Telephone numbers;
request is made.
(iii) A covered entity may rely, if
such reliance is reasonable under the (iv) Fax numbers;
circumstances, on a requested (iii) For all other requests, a covered
disclosure as the minimum necessary entity must:
(v) Electronic mail addresses;
for the stated purpose when:
(A) Develop criteria designed to limit
the request for protected health (vi) Social security numbers;
(A) Making disclosures to public
officials that are permitted under information to the information
§ 164.512, if the public official reasonably necessary to accomplish (vii) Medical record numbers;
represents that the information the purpose for which the request is
requested is the minimum necessary made; and (viii) Health plan beneficiary
for the stated purpose(s); numbers;
(B) Review requests for disclosure
(B) The information is requested by on an individual basis in accordance (ix) Account numbers;
another covered entity; with such criteria.
(x) Certificate/license numbers;
(C) The information is requested by a (5) Implementation specification:
professional who is a member of its Other content requirement. For all (xi) Vehicle identifiers and serial
workforce or is a business associate uses, disclosures, or requests to numbers, including license plate
of the covered entity for the purpose which the requirements in paragraph numbers;
of providing professional services to (d) of this section apply, a covered
the covered entity, if the professional entity may not use, disclose or
(xii) Device identifiers and serial
represents that the information request an entire medical record,
numbers;
requested is the minimum necessary except when the entire medical
for the stated purpose(s); or record is specifically justified as the
amount that is reasonably necessary (xiii) Web Universal Resource
to accomplish the purpose of the use, Locators (URLs);
(D) Documentation or
representations that comply with the disclosure, or request.
(xiv) Internet Protocol (IP) address
applicable requirements of
numbers;
§ 164.512(i) have been provided by a (e)(1) Standard: Limited data set. A
person requesting the information for covered entity may use or disclose a
research purposes. limited data set that meets the (xv) Biometric identifiers, including
requirements of paragraphs (e)(2) finger and voice prints; and

98
HIPAA Administrative Simplification Regulation Text
March 2013

(xvi) Full face photographic images (B) Establish who is permitted to use (B) A covered entity that is a limited
and any comparable images. or receive the limited data set; and data set recipient and violates a data
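The safe harbor rule in § 164.514(b)(2), the re-identification code conditions in § 164.514(c) and the limited data set definition in § 164.514(e)(2) above are each a concrete data transformation, and the difference between the two de-identification levels is easiest to see on one record. The following Python is an added example written for this page; it is not part of the regulation text and not an HHS/OCR tool. The field names, the two sample records, the reference date and the SMALL_ZIP_PREFIXES set are assumptions made for illustration: a real deployment takes the low-population three-digit zip prefixes from the current Census data the rule refers to, and the mapping of a system's actual columns to the identifier classes is a judgement the covered entity must make itself.

```python
"""Added example (not HHS/OCR text or tooling): the de-identification
transforms of 45 CFR 164.514 applied to one constructed patient record.

  safe_harbor()             § 164.514(b)(2): strip the 18 identifier classes,
                            with the three-digit zip rule (B) and the age/date
                            rule (C).
  limited_data_set()        § 164.514(e)(2): strip only the 16 direct
                            identifiers; dates, town/city, State and zip stay.
  ReidentificationCodebook  § 164.514(c): a random code, not derived from the
                            individual, kept by the covered entity and never
                            released with the data.

Field names, sample records, AS_OF and SMALL_ZIP_PREFIXES are assumptions.
"""
import datetime as dt
import secrets

# Assumption: three-digit zip prefixes whose combined population is 20,000 or
# fewer. Constructed placeholder set, NOT the Census-derived list.
SMALL_ZIP_PREFIXES = frozenset({"036", "102", "203"})

# § 164.514(e)(2)(i)-(xvi): direct identifiers removed from a limited data set.
LIMITED_DATA_SET_DROP = frozenset({
    "name", "street_address",                          # (i), (ii) except city/State/zip
    "phone", "fax", "email",                           # (iii)-(v)
    "ssn", "mrn", "plan_id", "account_no", "license",  # (vi)-(x)
    "vin", "device_serial", "url", "ip",               # (xi)-(xiv)
    "fingerprint", "photo",                            # (xv), (xvi)
})
# § 164.514(b)(2)(i)(B): safe harbor also removes every geographic subdivision
# smaller than a State; zip and dates are transformed rather than dropped.
SAFE_HARBOR_DROP = LIMITED_DATA_SET_DROP | {"city", "county"}
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

AS_OF = dt.date(2013, 3, 26)  # assumed reference date for computing ages

# Constructed sample records; every value is fictitious.
SAMPLE_RECORD = {
    "mrn": "MRN-0001", "name": "Jane Q. Sample", "ssn": "000-00-0000",
    "street_address": "1 Example St", "city": "Anytown", "county": "Sullivan",
    "state": "NH", "zip": "03601", "phone": "555-0100",
    "email": "jane@example.invalid", "ip": "192.0.2.10", "photo": b"\x89PNG...",
    "birth_date": dt.date(1930, 1, 15), "admission_date": dt.date(2012, 11, 2),
    "discharge_date": dt.date(2012, 11, 9), "death_date": None,
    "diagnosis": "I10",
}
OLDER_RECORD = dict(SAMPLE_RECORD, mrn="MRN-0002", zip="10001",
                    birth_date=dt.date(1919, 6, 30))


def truncate_zip(zip_code: str, small_prefixes=SMALL_ZIP_PREFIXES) -> str:
    """(B): keep the first three digits, or '000' for a low-population prefix."""
    prefix = zip_code[:3]
    return "000" if prefix in small_prefixes else prefix


def age_on(birth: dt.date, as_of: dt.date) -> int:
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor(record: dict, as_of: dt.date = AS_OF) -> dict:
    out = {k: v for k, v in record.items() if k not in SAFE_HARBOR_DROP}
    out["zip"] = truncate_zip(record["zip"])
    for field in DATE_FIELDS:                 # (C): keep the year only
        if record.get(field) is not None:
            out[field] = record[field].year
    age = age_on(record["birth_date"], as_of)
    if age > 89:                              # (C): aggregate to one category and
        out["age"] = "90 or older"            # drop the year that reveals the age
        out["birth_date"] = None
    else:
        out["age"] = age
    return out


def limited_data_set(record: dict) -> dict:
    return {k: v for k, v in record.items() if k not in LIMITED_DATA_SET_DROP}


class ReidentificationCodebook:
    """§ 164.514(c): codes are random, so they are neither derived from nor
    translatable to the individual (c)(1); the mapping stays with the covered
    entity and is not disclosed with the data (c)(2)."""

    def __init__(self) -> None:
        self._code_to_mrn = {}

    def assign(self, mrn: str) -> str:
        code = secrets.token_hex(8)           # 16 hex chars, unrelated to the person
        self._code_to_mrn[code] = mrn
        return code

    def resolve(self, code: str) -> str:
        return self._code_to_mrn[code]


def deidentify_for_release(record: dict, codebook: ReidentificationCodebook) -> dict:
    """Safe-harbor record carrying a re-identification code instead of the MRN."""
    out = safe_harbor(record)
    out["reid_code"] = codebook.assign(record["mrn"])
    return out


if __name__ == "__main__":
    book = ReidentificationCodebook()
    for rec in (SAMPLE_RECORD, OLDER_RECORD):
        print("safe harbor:     ", deidentify_for_release(rec, book))
        print("limited data set:", limited_data_set(rec))
```

Two points the code makes that the list alone does not: the limited data set is still protected health information (it keeps full dates and the town, State and zip), which is why (e)(4) requires a data use agreement before it leaves the covered entity; and the safe harbor record for a person over 89 loses the birth year as well as the month and day, because a year of birth is an "element of dates indicative of such age". The codebook lives only on the covered entity's side; the released record carries the random code and nothing that could be used to recompute it.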
use agreement will be in
(3) Implementation specification: (C) Provide that the limited data set noncompliance with the standards,
Permitted purposes for uses and recipient will: implementation specifications, and
disclosures. requirements of paragraph (e) of this
section.
(1) Not use or further disclose the
(i) A covered entity may use or information other than as permitted
disclose a limited data set under by the data use agreement or as (f) Fundraising communications.
paragraph (e)(1) of this section only otherwise required by law;
for the purposes of research, public (1) Standard: Uses and disclosures
health, or health care operations. (2) Use appropriate safeguards to for fundraising. Subject to the
prevent use or disclosure of the conditions of paragraph (f)(2) of this
(ii) A covered entity may use information other than as provided section, a covered entity may use, or
protected health information to create for by the data use agreement; disclose to a business associate or to
a limited data set that meets the an institutionally related foundation,
requirements of paragraph (e)(2) of the following protected health
(3) Report to the covered entity any
this section, or disclose protected use or disclosure of the information information for the purpose of raising
health information only to a business not provided for by its data use funds for its own benefit, without an
associate for such purpose, whether authorization meeting the
agreement of which it becomes
or not the limited data set is to be requirements of § 164.508:
aware;
used by the covered entity.
(4) Ensure that any agents to whom it (i) Demographic information relating
(4) Implementation specifications: provides the limited data set agree to to an individual, including name,
Data use agreement address, other contact information,
the same restrictions and conditions
age, gender, and date of birth;
that apply to the limited data set
(i) Agreement required. A covered recipient with respect to such
entity may use or disclose a limited information; and (ii) Dates of health care provided to
data set under paragraph (e)(1) of this an individual;
section only if the covered entity (5) Not identify the information or
obtains satisfactory assurance, in the contact the individuals. (iii) Department of service
form of a data use agreement that information;
meets the requirements of this (iii) Compliance.
section, that the limited data set (iv) Treating physician;
recipient will only use or disclose the
protected health information for (A) A covered entity is not in
compliance with the standards in (v) Outcome information; and
limited purposes.
paragraph (e) of this section if the
covered entity knew of a pattern of (vi) Health insurance status.
(ii) Contents. A data use agreement
activity or practice of the limited data
between the covered entity and the
set recipient that constituted a (2) Implementation specifications:
limited data set recipient must:
material breach or violation of the Fundraising requirements. (i) A
data use agreement, unless the covered entity may not use or
(A) Establish the permitted uses and covered entity took reasonable steps disclose protected health information
disclosures of such information by to cure the breach or end the for fundraising purposes as otherwise
the limited data set recipient, violation, as applicable, and, if such permitted by paragraph (f)(1) of this
consistent with paragraph (e)(3) of steps were unsuccessful: section unless a statement required
this section. The data use agreement
by § 164.520(b)(1)(iii)(A) is included
may not authorize the limited data set (1) Discontinued disclosure of in the covered entity's notice of
recipient to use or further disclose the
protected health information to the privacy practices.
information in a manner that would
recipient; and
violate the requirements of this
subpart, if done by the covered (ii) With each fundraising
entity; (2) Reported the problem to the communication made to an
Secretary. individual under this paragraph, a
covered entity must provide the

99
HIPAA Administrative Simplification Regulation Text
March 2013

individual with a clear and (i) Except with respect to disclosures information is to a public official or a
conspicuous opportunity to elect not under § 164.510, verify the identity person acting on behalf of the public
to receive any further fundraising of a person requesting protected official:
communications. The method for an health information and the authority
individual to elect not to receive of any such person to have access to (A) If the request is made in person,
further fundraising communications protected health information under presentation of an agency
may not cause the individual to incur this subpart, if the identity or any identification badge, other official
an undue burden or more than a such authority of such person is not credentials, or other proof of
nominal cost. known to the covered entity; and government status;

(iii) A covered entity may not (ii) Obtain any documentation, (B) If the request is in writing, the
condition treatment or payment on statements, or representations, request is on the appropriate
the individual's choice with respect to the receipt of fundraising communications.

(iv) A covered entity may not make fundraising communications to an individual under this paragraph where the individual has elected not to receive such communications under paragraph (f)(2)(ii) of this section.

(v) A covered entity may provide an individual who has elected not to receive further fundraising communications with a method to opt back in to receive such communications.

(g) Standard: Uses and disclosures for underwriting and related purposes. If a health plan receives protected health information for the purpose of underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the health plan, such health plan may only use or disclose such protected health information for such purpose or as may be required by law, subject to the prohibition at § 164.502(a)(5)(i) with respect to genetic information included in the protected health information.

(h)(1) Standard: Verification requirements. Prior to any disclosure permitted by this subpart, a covered entity must:

[…] whether oral or written, from the person requesting the protected health information when such documentation, statement, or representation is a condition of the disclosure under this subpart.

(2) Implementation specifications: Verification.

(i) Conditions on disclosures. If a disclosure is conditioned by this subpart on particular documentation, statements, or representations from the person requesting the protected health information, a covered entity may rely, if such reliance is reasonable under the circumstances, on documentation, statements, or representations that, on their face, meet the applicable requirements.

(A) The conditions in § 164.512(f)(1)(ii)(C) may be satisfied by the administrative subpoena or similar process or by a separate written statement that, on its face, demonstrates that the applicable requirements have been met.

(B) The documentation required by § 164.512(i)(2) may be satisfied by one or more written statements, provided that each is appropriately dated and signed in accordance with § 164.512(i)(2)(i) and (v).

(ii) Identity of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of protected health […] government letterhead; or

(C) If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government's authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.

(iii) Authority of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the disclosure of protected health information is to a public official or a person acting on behalf of the public official:

(A) A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority;

(B) If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority.

(iv) Exercise of professional judgment. The verification requirements of this paragraph are


met if the covered entity relies on the exercise of professional judgment in making a use or disclosure in accordance with § 164.510 or acts on a good faith belief in making a disclosure in accordance with § 164.512(j).

[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53270, Aug. 14, 2002; 78 FR 5700, Jan. 25, 2013]

§ 164.520 Notice of privacy practices for protected health information.

(a) Standard: Notice of privacy practices.

(1) Right to notice. Except as provided by paragraph (a)(2) or (3) of this section, an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information.

(2) Exception for group health plans.

(i) An individual enrolled in a group health plan has a right to notice:

(A) From the group health plan, if, and to the extent that, such an individual does not receive health benefits under the group health plan through an insurance contract with a health insurance issuer or HMO; or

(B) From the health insurance issuer or HMO with respect to the group health plan through which such individuals receive their health benefits under the group health plan.

(ii) A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and that creates or receives protected health information in addition to summary health information as defined in § 164.504(a) or information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, must:

(A) Maintain a notice under this section; and

(B) Provide such notice upon request to any person. The provisions of paragraph (c)(1) of this section do not apply to such group health plan.

(iii) A group health plan that provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and does not create or receive protected health information other than summary health information as defined in § 164.504(a) or information on whether an individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan, is not required to maintain or provide a notice under this section.

(3) Exception for inmates. An inmate does not have a right to notice under this section, and the requirements of this section do not apply to a correctional institution that is a covered entity.

(b) Implementation specifications: Content of notice.

(1) Required elements. The covered entity must provide a notice that is written in plain language and that contains the elements required by this paragraph.

(i) Header. The notice must contain the following statement as a header or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”

(ii) Uses and disclosures. The notice must contain:

(A) A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted by this subpart to make for each of the following purposes: treatment, payment, and health care operations.

(B) A description of each of the other purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual's written authorization.

(C) If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of this section is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law as defined in § 160.202 of this subchapter.

(D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law.

(E) A description of the types of uses and disclosures that require an authorization under § 164.508(a)(2)-(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization, and a statement that the individual may revoke an authorization as provided by § 164.508(b)(5).


(iii) Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) of this section must include a separate statement informing the individual of such activities, as applicable:

(A) In accordance with § 164.514(f)(1), the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications;

(B) In accordance with § 164.504(f), the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan; or

(C) If a covered entity that is a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes.

(iv) Individual rights. The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows:

(A) The right to request restrictions on certain uses and disclosures of protected health information as provided by § 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction, except in case of a disclosure restricted under § 164.522(a)(1)(vi);

(B) The right to receive confidential communications of protected health information as provided by § 164.522(b), as applicable;

(C) The right to inspect and copy protected health information as provided by § 164.524;

(D) The right to amend protected health information as provided by § 164.526;

(E) The right to receive an accounting of disclosures of protected health information as provided by § 164.528; and

(F) The right of an individual, including an individual who has agreed to receive the notice electronically in accordance with paragraph (c)(3) of this section, to obtain a paper copy of the notice from the covered entity upon request.

(v) Covered entity's duties. The notice must contain:

(A) A statement that the covered entity is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured protected health information;

(B) A statement that the covered entity is required to abide by the terms of the notice currently in effect; and

(C) For the covered entity to apply a change in a privacy practice that is described in the notice to protected health information that the covered entity created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii), a statement that it reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. The statement must also describe how it will provide individuals with a revised notice.

(vi) Complaints. The notice must contain a statement that individuals may complain to the covered entity and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with the covered entity, and a statement that the individual will not be retaliated against for filing a complaint.

(vii) Contact. The notice must contain the name, or title, and telephone number of a person or office to contact for further information as required by § 164.530(a)(1)(ii).

(viii) Effective date. The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.

(2) Optional elements.

(i) In addition to the information required by paragraph (b)(1) of this section, if a covered entity elects to limit the uses or disclosures that it is permitted to make under this subpart, the covered entity may describe its more limited uses or disclosures in its notice, provided that the covered entity may not include in its notice a limitation affecting its right to make a use or disclosure that is required by law or permitted by § 164.512(j)(1)(i).

(ii) For the covered entity to apply a change in its more limited uses and disclosures to protected health information created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii),


the notice must include the statements required by paragraph (b)(1)(v)(C) of this section.

(3) Revisions to the notice. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected.

(c) Implementation specifications: Provision of notice. A covered entity must make the notice required by this section available on request to any person and to individuals as specified in paragraphs (c)(1) through (c)(3) of this section, as applicable.

(1) Specific requirements for health plans.

(i) A health plan must provide the notice:

(A) No later than the compliance date for the health plan, to individuals then covered by the plan;

(B) Thereafter, at the time of enrollment, to individuals who are new enrollees.

(ii) No less frequently than once every three years, the health plan must notify individuals then covered by the plan of the availability of the notice and how to obtain the notice.

(iii) The health plan satisfies the requirements of paragraph (c)(1) of this section if notice is provided to the named insured of a policy under which coverage is provided to the named insured and one or more dependents.

(iv) If a health plan has more than one notice, it satisfies the requirements of paragraph (c)(1) of this section by providing the notice that is relevant to the individual or other person requesting the notice.

(v) If there is a material change to the notice:

(A) A health plan that posts its notice on its web site in accordance with paragraph (c)(3)(i) of this section must prominently post the change or its revised notice on its web site by the effective date of the material change to the notice, and provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan.

(B) A health plan that does not post its notice on a web site pursuant to paragraph (c)(3)(i) of this section must provide the revised notice, or information about the material change and how to obtain the revised notice, to individuals then covered by the plan within 60 days of the material revision to the notice.

(2) Specific requirements for certain covered health care providers. A covered health care provider that has a direct treatment relationship with an individual must:

(i) Provide the notice:

(A) No later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date for the covered health care provider; or

(B) In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.

(ii) Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the notice provided in accordance with paragraph (c)(2)(i) of this section, and if not obtained, document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained;

(iii) If the covered health care provider maintains a physical service delivery site:

(A) Have the notice available at the service delivery site for individuals to request to take with them; and

(B) Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered health care provider to be able to read the notice; and

(iv) Whenever the notice is revised, make the notice available upon request on or after the effective date of the revision and promptly comply with the requirements of paragraph (c)(2)(iii) of this section, if applicable.

(3) Specific requirements for electronic notice.

(i) A covered entity that maintains a web site that provides information about the covered entity's customer services or benefits must prominently post its notice on the web site and make the notice available electronically through the web site.

(ii) A covered entity may provide the notice required by this section to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If the covered entity knows that the e-mail transmission has failed, a paper copy of the notice must be provided


to the individual. Provision of electronic notice by the covered entity will satisfy the provision requirements of paragraph (c) of this section when timely made in accordance with paragraph (c)(1) or (2) of this section.

(iii) For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the covered health care provider must provide electronic notice automatically and contemporaneously in response to the individual's first request for service. The requirements in paragraph (c)(2)(ii) of this section apply to electronic notice.

(iv) The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a covered entity upon request.

(d) Implementation specifications: Joint notice by separate covered entities. Covered entities that participate in organized health care arrangements may comply with this section by a joint notice, provided that:

(1) The covered entities participating in the organized health care arrangement agree to abide by the terms of the notice with respect to protected health information created or received by the covered entity as part of its participation in the organized health care arrangement;

(2) The joint notice meets the implementation specifications in paragraph (b) of this section, except that the statements required by this section may be altered to reflect the fact that the notice covers more than one covered entity; and

(i) Describes with reasonable specificity the covered entities, or class of entities, to which the joint notice applies;

(ii) Describes with reasonable specificity the service delivery sites, or classes of service delivery sites, to which the joint notice applies; and

(iii) If applicable, states that the covered entities participating in the organized health care arrangement will share protected health information with each other, as necessary to carry out treatment, payment, or health care operations relating to the organized health care arrangement.

(3) The covered entities included in the joint notice must provide the notice to individuals in accordance with the applicable implementation specifications of paragraph (c) of this section. Provision of the joint notice to an individual by any one of the covered entities included in the joint notice will satisfy the provision requirement of paragraph (c) of this section with respect to all others covered by the joint notice.

(e) Implementation specifications: Documentation. A covered entity must document compliance with the notice requirements, as required by § 164.530(j), by retaining copies of the notices issued by the covered entity and, if applicable, any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment, in accordance with paragraph (c)(2)(ii) of this section.

[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53271, Aug. 14, 2002; 78 FR 5701, Jan. 25, 2013]

§ 164.522 Rights to request privacy protection for protected health information.

(a)(1) Standard: Right of an individual to request restriction of uses and disclosures.

(i) A covered entity must permit an individual to request that the covered entity restrict:

(A) Uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations; and

(B) Disclosures permitted under § 164.510(b).

(ii) Except as provided in paragraph (a)(1)(vi) of this section, a covered entity is not required to agree to a restriction.

(iii) A covered entity that agrees to a restriction under paragraph (a)(1)(i) of this section may not use or disclose protected health information in violation of such restriction, except that, if the individual who requested the restriction is in need of emergency treatment and the restricted protected health information is needed to provide the emergency treatment, the covered entity may use the restricted protected health information, or may disclose such information to a health care provider, to provide such treatment to the individual.

(iv) If restricted protected health information is disclosed to a health care provider for emergency treatment under paragraph (a)(1)(iii) of this section, the covered entity must request that such health care provider not further use or disclose the information.

(v) A restriction agreed to by a covered entity under paragraph (a) of this section, is not effective under this subpart to prevent uses or disclosures permitted or required under §§ 164.502(a)(2)(ii), 164.510(a) or 164.512.

(vi) A covered entity must agree to the request of an individual to restrict


disclosure of protected health information about the individual to a health plan if:

(A) The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and

(B) The protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.

(2) Implementation specifications: Terminating a restriction. A covered entity may terminate a restriction, if:

(i) The individual agrees to or requests the termination in writing;

(ii) The individual orally agrees to the termination and the oral agreement is documented; or

(iii) The covered entity informs the individual that it is terminating its agreement to a restriction, except that such termination is:

(A) Not effective for protected health information restricted under paragraph (a)(1)(vi) of this section; and

(B) Only effective with respect to protected health information created or received after it has so informed the individual.

(3) Implementation specification: Documentation. A covered entity must document a restriction in accordance with § 160.530(j) of this subchapter.

(b)(1) Standard: Confidential communications requirements.

(i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.

(ii) A health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual.

(2) Implementation specifications: Conditions on providing confidential communications.

(i) A covered entity may require the individual to make a request for a confidential communication described in paragraph (b)(1) of this section in writing.

(ii) A covered entity may condition the provision of a reasonable accommodation on:

(A) When appropriate, information as to how payment, if any, will be handled; and

(B) Specification of an alternative address or other method of contact.

(iii) A covered health care provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis.

(iv) A health plan may require that a request contain a statement that disclosure of all or part of the information to which the request pertains could endanger the individual.

[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53271, Aug. 14, 2002; 78 FR 5701, Jan. 25, 2013]

§ 164.524 Access of individuals to protected health information.

(a) Standard: Access to protected health information.

(1) Right of access. Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for:

(i) Psychotherapy notes;

(ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and

(iii) Protected health information maintained by a covered entity that is:

(A) Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a, to the extent the provision of access to the individual would be prohibited by law; or

(B) Exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR 493.3(a)(2).

(2) Unreviewable grounds for denial. A covered entity may deny an individual access without providing the individual an opportunity for review, in the following circumstances.

(i) The protected health information is excepted from the right of access by paragraph (a)(1) of this section.


(ii) A covered entity that is a correctional institution or a covered health care provider acting under the direction of the correctional institution may deny, in whole or in part, an inmate's request to obtain a copy of protected health information, if obtaining such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.

(iii) An individual's access to protected health information created or obtained by a covered health care provider in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and the covered health care provider has informed the individual that the right of access will be reinstated upon completion of the research.

(iv) An individual's access to protected health information that is contained in records that are subject to the Privacy Act, 5 U.S.C. 552a, may be denied, if the denial of access under the Privacy Act would meet the requirements of that law.

(v) An individual's access may be denied if the protected health information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.

(3) Reviewable grounds for denial. A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances:

(i) A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;

(ii) The protected health information makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or

(iii) The request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

(4) Review of a denial of access. If access is denied on a ground permitted under paragraph (a)(3) of this section, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny. The covered entity must provide or deny access in accordance with the determination of the reviewing official under paragraph (d)(4) of this section.

(b) Implementation specifications: Requests for access and timely action.

(1) Individual's request for access. The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.

(2) Timely action by the covered entity. (i) Except as provided in paragraph (b)(2)(ii) of this section, the covered entity must act on a request for access no later than 30 days after receipt of the request as follows.

(A) If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested, in accordance with paragraph (c) of this section.

(B) If the covered entity denies the request, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (d) of this section.

(ii) If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that:

(A) The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and

(B) The covered entity may have only one such extension of time for action on a request for access.

(c) Implementation specifications: Provision of access. If the covered entity provides an individual with


access, in whole or in part, to protected health information, the covered entity must comply with the following requirements.

(1) Providing the access requested. The covered entity must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the protected health information about them in designated record sets. If the same protected health information that is the subject of a request for access is maintained in more than one designated record set or at more than one location, the covered entity need only produce the protected health information once in response to a request for access.

(2) Form of access requested.

(i) The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual.

(ii) Notwithstanding paragraph (c)(2)(i) of this section, if the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.

[…] to the protected health information or may provide an explanation of the protected health information to which access has been provided, if:

(A) The individual agrees in advance to such a summary or explanation; and

(B) The individual agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation.

(3) Time and manner of access. (i) The covered entity must provide the access as requested by the individual in a timely manner as required by paragraph (b)(2) of this section, including arranging with the individual for a convenient time and place to inspect or obtain a copy of the protected health information, or mailing the copy of the protected health information at the individual's request. The covered entity may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access.

(ii) If an individual's request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information.

(4) Fees. If the individual requests a copy of the protected health information or agrees to a summary or explanation of such information, […]

(i) Labor for copying the protected health information requested by the individual, whether in paper or electronic form;

(ii) Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media;

(iii) Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and

(iv) Preparing an explanation or summary of the protected health information, if agreed to by the individual as required by paragraph (c)(2)(iii) of this section.

(d) Implementation specifications: Denial of access. If the covered entity denies access, in whole or in part, to protected health information, the covered entity must comply with the following requirements.

(1) Making other information accessible. The covered entity must, to the extent possible, give the individual access to any other protected health information requested, after excluding the protected health information as to which the covered entity has a ground to deny access.

(2) Denial. The covered entity must provide a timely, written denial to the individual, in accordance with paragraph (b)(2) of this section. The denial must be in plain language and contain:

(i) The basis for the denial;

(ii) If applicable, a statement of the individual's review rights under paragraph (a)(4) of this section,
the covered entity may impose a including a description of how the
(iii) The covered entity may provide reasonable, cost-based fee, provided individual may exercise such review
the individual with a summary of the that the fee includes only the cost of: rights; and
protected health information
requested, in lieu of providing access


(iii) A description of how the individual may complain to the covered entity pursuant to the complaint procedures in § 164.530(d) or to the Secretary pursuant to the procedures in § 160.306. The description must include the name, or title, and telephone number of the contact person or office designated in § 164.530(a)(1)(ii).

(3) Other responsibility. If the covered entity does not maintain the protected health information that is the subject of the individual's request for access, and the covered entity knows where the requested information is maintained, the covered entity must inform the individual where to direct the request for access.

(4) Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) of this section. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination.

(e) Implementation specification: Documentation. A covered entity must document the following and retain the documentation as required by § 164.530(j):

(1) The designated record sets that are subject to access by individuals; and

(2) The titles of the persons or offices responsible for receiving and processing requests for access by individuals.

[65 FR 82823, Dec. 28, 2000, as amended at 78 FR 5701, Jan. 25, 2013]

§ 164.526 Amendment of protected health information.

(a) Standard: Right to amend. (1) Right to amend. An individual has the right to have a covered entity amend protected health information or a record about the individual in a designated record set for as long as the protected health information is maintained in the designated record set.

(2) Denial of amendment. A covered entity may deny an individual's request for amendment, if it determines that the protected health information or record that is the subject of the request:

(i) Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of protected health information is no longer available to act on the requested amendment;

(ii) Is not part of the designated record set;

(iii) Would not be available for inspection under § 164.524; or

(iv) Is accurate and complete.

(b) Implementation specifications: Requests for amendment and timely action.

(1) Individual's request for amendment. The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set. The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements.

(2) Timely action by the covered entity.

(i) The covered entity must act on the individual's request for an amendment no later than 60 days after receipt of such a request, as follows.

(A) If the covered entity grants the requested amendment, in whole or in part, it must take the actions required by paragraphs (c)(1) and (2) of this section.

(B) If the covered entity denies the requested amendment, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (d)(1) of this section.

(ii) If the covered entity is unable to act on the amendment within the time required by paragraph (b)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days, provided that:

(A) The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and

(B) The covered entity may have only one such extension of time for action on a request for an amendment.

(c) Implementation specifications: Accepting the amendment. If the covered entity accepts the requested amendment, in whole or in part, the


covered entity must comply with the following requirements.

(1) Making the amendment. The covered entity must make the appropriate amendment to the protected health information or record that is the subject of the request for amendment by, at a minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.

(2) Informing the individual. In accordance with paragraph (b) of this section, the covered entity must timely inform the individual that the amendment is accepted and obtain the individual's identification of and agreement to have the covered entity notify the relevant persons with which the amendment needs to be shared in accordance with paragraph (c)(3) of this section.

(3) Informing others. The covered entity must make reasonable efforts to inform and provide the amendment within a reasonable time to:

(i) Persons identified by the individual as having received protected health information about the individual and needing the amendment; and

(ii) Persons, including business associates, that the covered entity knows have the protected health information that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual.

(d) Implementation specifications: Denying the amendment. If the covered entity denies the requested amendment, in whole or in part, the covered entity must comply with the following requirements.

(1) Denial. The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (b)(2) of this section. The denial must use plain language and contain:

(i) The basis for the denial, in accordance with paragraph (a)(2) of this section;

(ii) The individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statement;

(iii) A statement that, if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual's request for amendment and the denial with any future disclosures of the protected health information that is the subject of the amendment; and

(iv) A description of how the individual may complain to the covered entity pursuant to the complaint procedures established in § 164.530(d) or to the Secretary pursuant to the procedures established in § 160.306. The description must include the name, or title, and telephone number of the contact person or office designated in § 164.530(a)(1)(ii).

(2) Statement of disagreement. The covered entity must permit the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The covered entity may reasonably limit the length of a statement of disagreement.

(3) Rebuttal statement. The covered entity may prepare a written rebuttal to the individual's statement of disagreement. Whenever such a rebuttal is prepared, the covered entity must provide a copy to the individual who submitted the statement of disagreement.

(4) Recordkeeping. The covered entity must, as appropriate, identify the record or protected health information in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual's request for an amendment, the covered entity's denial of the request, the individual's statement of disagreement, if any, and the covered entity's rebuttal, if any, to the designated record set.

(5) Future disclosures. (i) If a statement of disagreement has been submitted by the individual, the covered entity must include the material appended in accordance with paragraph (d)(4) of this section, or, at the election of the covered entity, an accurate summary of any such information, with any subsequent disclosure of the protected health information to which the disagreement relates.

(ii) If the individual has not submitted a written statement of disagreement, the covered entity must include the individual's request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the protected health information only if the individual has requested such action in accordance with paragraph (d)(1)(iii) of this section.

(iii) When a subsequent disclosure described in paragraph (d)(5)(i) or (ii) of this section is made using a standard transaction under part 162 of this subchapter that does not permit the additional material to be included with the disclosure, the covered entity may separately transmit the material required by paragraph (d)(5)(i) or (ii) of this section, as applicable, to the recipient of the standard transaction.


(e) Implementation specification: Actions on notices of amendment. A covered entity that is informed by another covered entity of an amendment to an individual's protected health information, in accordance with paragraph (c)(3) of this section, must amend the protected health information in designated record sets as provided by paragraph (c)(1) of this section.

(f) Implementation specification: Documentation. A covered entity must document the titles of the persons or offices responsible for receiving and processing requests for amendments by individuals and retain the documentation as required by § 164.530(j).

§ 164.528 Accounting of disclosures of protected health information.

(a) Standard: Right to an accounting of disclosures of protected health information. (1) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures:

(i) To carry out treatment, payment and health care operations as provided in § 164.506;

(ii) To individuals of protected health information about them as provided in § 164.502;

(iii) Incident to a use or disclosure otherwise permitted or required by this subpart, as provided in § 164.502;

(iv) Pursuant to an authorization as provided in § 164.508;

(v) For the facility's directory or to persons involved in the individual's care or other notification purposes as provided in § 164.510;

(vi) For national security or intelligence purposes as provided in § 164.512(k)(2);

(vii) To correctional institutions or law enforcement officials as provided in § 164.512(k)(5);

(viii) As part of a limited data set in accordance with § 164.514(e); or

(ix) That occurred prior to the compliance date for the covered entity.

(2)(i) The covered entity must temporarily suspend an individual's right to receive an accounting of disclosures to a health oversight agency or law enforcement official, as provided in § 164.512(d) or (f), respectively, for the time specified by such agency or official, if such agency or official provides the covered entity with a written statement that such an accounting to the individual would be reasonably likely to impede the agency's activities and specifying the time for which such a suspension is required.

(ii) If the agency or official statement in paragraph (a)(2)(i) of this section is made orally, the covered entity must:

(A) Document the statement, including the identity of the agency or official making the statement;

(B) Temporarily suspend the individual's right to an accounting of disclosures subject to the statement; and

(C) Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement pursuant to paragraph (a)(2)(i) of this section is submitted during that time.

(3) An individual may request an accounting of disclosures for a period of time less than six years from the date of the request.

(b) Implementation specifications: Content of the accounting. The covered entity must provide the individual with a written accounting that meets the following requirements.

(1) Except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity.

(2) Except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure:

(i) The date of the disclosure;

(ii) The name of the entity or person who received the protected health information and, if known, the address of such entity or person;

(iii) A brief description of the protected health information disclosed; and

(iv) A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure under §§ 164.502(a)(2)(ii) or 164.512, if any.

(3) If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the


same person or entity for a single purpose under §§ 164.502(a)(2)(ii) or 164.512, the accounting may, with respect to such multiple disclosures, provide:

(i) The information required by paragraph (b)(2) of this section for the first disclosure during the accounting period;

(ii) The frequency, periodicity, or number of the disclosures made during the accounting period; and

(iii) The date of the last such disclosure during the accounting period.

(4)(i) If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose in accordance with § 164.512(i) for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide:

(A) The name of the protocol or other research activity;

(B) A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records;

(C) A brief description of the type of protected health information that was disclosed;

(D) The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period;

(E) The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and

(F) A statement that the protected health information of the individual may or may not have been disclosed for a particular protocol or other research activity.

(ii) If the covered entity provides an accounting for research disclosures, in accordance with paragraph (b)(4) of this section, and if it is reasonably likely that the protected health information of the individual was disclosed for such research protocol or activity, the covered entity shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.

(c) Implementation specifications: Provision of the accounting. (1) The covered entity must act on the individual's request for an accounting, no later than 60 days after receipt of such a request, as follows.

(i) The covered entity must provide the individual with the accounting requested; or

(ii) If the covered entity is unable to provide the accounting within the time required by paragraph (c)(1) of this section, the covered entity may extend the time to provide the accounting by no more than 30 days, provided that:

(A) The covered entity, within the time limit set by paragraph (c)(1) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting; and

(B) The covered entity may have only one such extension of time for action on a request for an accounting.

(2) The covered entity must provide the first accounting to an individual in any 12 month period without charge. The covered entity may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same individual within the 12 month period, provided that the covered entity informs the individual in advance of the fee and provides the individual with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.

(d) Implementation specification: Documentation. A covered entity must document the following and retain the documentation as required by § 164.530(j):

(1) The information required to be included in an accounting under paragraph (b) of this section for disclosures of protected health information that are subject to an accounting under paragraph (a) of this section;

(2) The written accounting that is provided to the individual under this section; and

(3) The titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals.

[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53271, Aug. 14, 2002]

§ 164.530 Administrative requirements.

(a)(1) Standard: Personnel designations. (i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.


(ii) A covered entity must designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by § 164.520.

(2) Implementation specification: Personnel designations. A covered entity must document the personnel designations in paragraph (a)(1) of this section as required by paragraph (j) of this section.

(b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

(2) Implementation specifications: Training. (i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:

(A) To each member of the covered entity's workforce by no later than the compliance date for the covered entity;

(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and

(C) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.

(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.

(c)(1) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

(2)(i) Implementation specification: Safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.

(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.

(d)(1) Standard: Complaints to the covered entity. A covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by this subpart and subpart D of this part or its compliance with such policies and procedures or the requirements of this subpart or subpart D of this part.

(2) Implementation specification: Documentation of complaints. As required by paragraph (j) of this section, a covered entity must document all complaints received, and their disposition, if any.

(e)(1) Standard: Sanctions. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart or subpart D of this part. This standard does not apply to a member of the covered entity's workforce with respect to actions that are covered by and that meet the conditions of § 164.502(j) or paragraph (g)(2) of this section.

(2) Implementation specification: Documentation. As required by paragraph (j) of this section, a covered entity must document the sanctions that are applied, if any.

(f) Standard: Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate.

(g) Standard: Refraining from intimidating or retaliatory acts. A covered entity—

(1) May not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for, by this subpart or subpart D of this part, including the filing of a complaint under this section; and

(2) Must refrain from intimidation and retaliation as provided in § 160.316 of this subchapter.

(h) Standard: Waiver of rights. A covered entity may not require individuals to waive their rights under § 160.306 of this subchapter, this subpart, or subpart D of this part, as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

(i)(1) Standard: Policies and procedures. A covered entity must implement policies and procedures


with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart.

(2) Standard: Changes to policies and procedures. (i) A covered entity must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of this subpart or subpart D of this part.

(ii) When a covered entity changes a privacy practice that is stated in the notice described in § 164.520, and makes corresponding changes to its policies and procedures, it may make the changes effective for protected health information that it created or received prior to the effective date of the notice revision, if the covered entity has, in accordance with § 164.520(b)(1)(v)(C), included in the notice a statement reserving its right to make such a change in its privacy practices; or

(iii) A covered entity may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance with paragraph (i)(5) of this section.

(3) Implementation specification: Changes in law. Whenever there is a change in law that necessitates a change to the covered entity's policies or procedures, the covered entity must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the notice required by § 164.520, the covered entity must promptly make the appropriate revisions to the notice in accordance with § 164.520(b)(3). Nothing in this paragraph may be used by a covered entity to excuse a failure to comply with the law.

(4) Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must:

(A) Ensure that the policy or procedure, as revised to reflect a change in the covered entity's privacy practice as stated in its notice, complies with the standards, requirements, and implementation specifications of this subpart;

(B) Document the policy or procedure, as revised, as required by paragraph (j) of this section; and

(C) Revise the notice as required by § 164.520(b)(3) to state the changed practice and make the revised notice available as required by § 164.520(c). The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised notice.

(ii) If a covered entity has not reserved its right under § 164.520(b)(1)(v)(C) to change a privacy practice that is stated in the notice, the covered entity is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. A covered entity may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that:

(A) Such change meets the implementation specifications in paragraphs (i)(4)(i)(A)-(C) of this section; and

(B) Such change is effective only with respect to protected health information created or received after the effective date of the notice.

(5) Implementation specification: Changes to other policies or procedures. A covered entity may change, at any time, a policy or procedure that does not materially affect the content of the notice required by § 164.520, provided that:

(i) The policy or procedure, as revised, complies with the standards, requirements, and implementation specifications of this subpart; and

(ii) Prior to the effective date of the change, the policy or procedure, as revised, is documented as required by paragraph (j) of this section.

(j)(1) Standard: Documentation. A covered entity must:

(i) Maintain the policies and procedures provided for in paragraph (i) of this section in written or electronic form;

(ii) If a communication is required by this subpart to be in writing, maintain such writing, or an electronic copy, as documentation; and

(iii) If an action, activity, or designation is required by this subpart to be documented, maintain a written or electronic record of such action, activity, or designation.

(iv) Maintain documentation sufficient to meet its burden of proof under § 164.414(b).

(2) Implementation specification: Retention period. A covered entity must retain the documentation


required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.

(k) Standard: Group health plans. (1) A group health plan is not subject to the standards or implementation specifications in paragraphs (a) through (f) and (i) of this section, to the extent that:

(i) The group health plan provides health benefits solely through an insurance contract with a health insurance issuer or an HMO; and

(ii) The group health plan does not create or receive protected health information, except for:

(A) Summary health information as defined in § 164.504(a); or

(B) Information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.

(2) A group health plan described in paragraph (k)(1) of this section is subject to the standard and implementation specification in paragraph (j) of this section only with respect to plan documents amended in accordance with § 164.504(f).

[65 FR 82802, Dec. 28, 2000, as

from an individual permitting the use or disclosure of protected health information, informed consent of the individual to participate in research, a waiver of informed consent by an IRB, or a waiver of authorization in accordance with § 164.512(i)(1)(i).

(b) Implementation specification: Effect of prior authorization for purposes other than research. Notwithstanding any provisions in § 164.508, a covered entity may use or disclose protected health information that it created or received prior to the applicable compliance date of this subpart pursuant to an authorization or other express legal permission obtained from an individual prior to the applicable compliance date of this subpart, provided that the authorization or other express legal permission specifically permits such use or disclosure and there is no agreed-to restriction in accordance with § 164.522(a).

(c) Implementation specification: Effect of prior permission for research. Notwithstanding any provisions in §§ 164.508 and 164.512(i), a covered entity may, to the extent allowed by one of the following permissions, use or disclose, for research, protected health information that it created or received either before or after the applicable compliance date of this subpart, provided that there is no agreed-to restriction in accordance

(3) A waiver, by an IRB, of informed consent for the research, in accordance with 7 CFR 1c.116(d), 10 CFR 745.116(d), 14 CFR 1230.116(d), 15 CFR 27.116(d), 16 CFR 1028.116(d), 21 CFR 50.24, 22 CFR 225.116(d), 24 CFR 60.116(d), 28 CFR 46.116(d), 32 CFR 219.116(d), 34 CFR 97.116(d), 38 CFR 16.116(d), 40 CFR 26.116(d), 45 CFR 46.116(d), 45 CFR 690.116(d), or 49 CFR 11.116(d), provided that a covered entity must obtain authorization in accordance with § 164.508 if, after the compliance date, informed consent is sought from an individual participating in the research; or

(4) A waiver of authorization in accordance with § 164.512(i)(1)(i).

(d) Standard: Effect of prior contracts or other arrangements with business associates. Notwithstanding any other provisions of this part, a covered entity, or business associate with respect to a subcontractor, may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf pursuant to a written contract or other written arrangement with such business associate that does not comply with §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e), only in accordance with paragraph (e) of this section.
amended at 67 FR 53272, Aug. 14, with § 164.522(a), and the covered (e) Implementation specification:
2002; 71 FR 8433, Feb. 16, 2006; 74 entity has obtained, prior to the Deemed compliance. (1)
FR 42769, Aug. 24, 2009] applicable compliance date, either: Qualification. Notwithstanding other
sections of this part, a covered entity,
§ 164.532 Transition provisions. (1) An authorization or other express or business associate with respect to
legal permission from an individual a subcontractor, is deemed to be in
(a) Standard: Effect of prior to use or disclose protected health compliance with the documentation
authorizations. Notwithstanding information for the research; and contract requirements of
§§ 164.508 and 164.512(i), a covered §§ 164.308(b), 164.314(a),
entity may use or disclose protected (2) The informed consent of the 164.502(e), and 164.504(e), with
health information, consistent with individual to participate in the respect to a particular business
paragraphs (b) and (c) of this section, research; associate relationship, for the time
pursuant to an authorization or other period set forth in paragraph (e)(2) of
express legal permission obtained this section, if:
(i) Prior to January 25, 2013, such covered entity, or business associate with respect to a subcontractor, has entered into and is operating pursuant to a written contract or other written arrangement with the business associate that complies with the applicable provisions of §§ 164.314(a) or 164.504(e) that were in effect on such date; and

(ii) The contract or other arrangement is not renewed or modified from March 26, 2013, until September 23, 2013.

(2) Limited deemed compliance period. A prior contract or other arrangement that meets the qualification requirements in paragraph (e) of this section shall be deemed compliant until the earlier of:

(i) The date such contract or other arrangement is renewed or modified on or after September 23, 2013; or

(ii) September 22, 2014.

(3) Covered entity responsibilities. Nothing in this section shall alter the requirements of a covered entity to comply with part 160, subpart C of this subchapter and §§ 164.524, 164.526, 164.528, and 164.530(f) with respect to protected health information held by a business associate.

(f) Effect of prior data use agreements. If, prior to January 25, 2013, a covered entity has entered into and is operating pursuant to a data use agreement with a recipient of a limited data set that complies with § 164.514(e), notwithstanding § 164.502(a)(5)(ii), the covered entity may continue to disclose a limited data set pursuant to such agreement in exchange for remuneration from or on behalf of the recipient of the protected health information until the earlier of:

(1) The date such agreement is renewed or modified on or after September 23, 2013; or

(2) September 22, 2014.

[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53272, Aug. 14, 2002; 78 FR 5702, Jan. 25, 2013]

§ 164.534 Compliance dates for initial implementation of the privacy standards.

(a) Health care providers. A covered health care provider must comply with the applicable requirements of this subpart no later than April 14, 2003.

(b) Health plans. A health plan must comply with the applicable requirements of this subpart no later than the following as applicable:

(1) Health plans other than small health plans. April 14, 2003.

(2) Small health plans. April 14, 2004.

(c) Health clearinghouses. A health care clearinghouse must comply with the applicable requirements of this subpart no later than April 14, 2003.

[66 FR 12434, Feb. 26, 2001]