Index to Section-by-Section Documentation of the HIPAA Regulations
Included here is a section-by-section compilation of the documentation for the HIPAA privacy and security regulations as it appeared in the Federal Register, including the actual regulation, the HHS description and the HHS response to comments received regarding that particular section of the regulations.
The section-by-section compilation covers the following regulations:
- January 6, 2016: HIPAA Privacy Rule and the National Instant Criminal Background Check System (NICS) Final Rule
- February 2014: CLIA and Patients' Access to Test Reports
- January 2013: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules
- August 2009: Breach Notification for Unsecured Protected Health Information Regulations
- February 2003: Security Regulations
- August 2002: Complete Text of the Original HIPAA Privacy Regulations
A Listing of and Links to the Guidance Documents on HIPAA Privacy From HHS
The Section-by-Section Compilation
Introductory Material
Relationship to Other Federal Laws
- General Discussion
- Implied Repeal Analysis
- The Privacy Act
- The Freedom of Information Act
- Federal Substance Abuse Confidentiality Requirements
- Employee Retirement Income Security Act of 1974
- The Family Educational Rights and Privacy Act
- Gramm-Leach-Bliley
- Federally Funded Health Programs
- Food, Drug, and Cosmetic Act
- Clinical Laboratory Improvement Amendments
- Other Mandatory Federal or State Laws
- Federal Disability Nondiscrimination Laws
- U.S. Safe Harbor Privacy Principles
- The National Instant Criminal Background Check System
Part 160 General Administrative Requirements
General Provisions
Subpart A
Definitions - Section 160.103
- Act
- Administrative Simplification
- ANSI
- Business Associate
- Compliance Date
- Covered Entity
- Disclosure
- Electronic Media
- Electronic Protected Health Information
- Family Member
- Genetic Information
- Genetic Services
- Genetic Test
- Group Health Plan
- HCFA
- HHS
- Health Care
- Health Care Clearinghouse
- Health Care Provider
- Health Information
- Health Insurance Issuer
- Health Maintenance Organization
- Health Plan
- Implementation Specification
- Individual
- Individually Identifiable Health Information
- Manifestation or Manifested
- Modification
- Organized Health Care Arrangement
- Protected Health Information
- Secretary
- Small Health Plan
- Standard
- Standard Setting Organization
- State
- Subcontractor
- Trading Partner Agreement
- Transaction
- Use
- Workforce
- Modifications - Section 160.104
Preemption of State Law
Subpart B
Statutory Basis - Section 160.201
Definitions - Section 160.202
- Contrary
- More Stringent
- Relates to the Privacy of Individually Identifiable Health Information
- State Law
- General Rule and Exceptions - Section 160.203
- Process for Requesting Exception Determinations - Section 160.204
- Duration of Effectiveness of Exception Determinations - Section 160.205
Compliance and Enforcement
Subpart C
- Applicability - Section 160.300
- Section 160.302 - Removed
- Principles for Achieving Compliance - Section 160.304
- Complaints to the Secretary - Section 160.306
- Compliance Reviews - Section 160.308
- Responsibilities of Covered Entities and Business Associates - Section 160.310
- Secretarial Action Regarding Complaints and Compliance Reviews - Section 160.312
- Investigational Subpoenas and Inquiries - Section 160.314
- Refraining from Intimidation or Retaliation - Section 160.316
Imposition of Civil Money Penalties
Subpart D
Not included in the section-by-section. The text is available here. The January 2013 HIPAA rules include some revisions to this subpart.
Part 164 Security and Privacy
General Provisions
Subpart A
- Statutory Basis - Section 164.102
- Definitions - Section 164.103
- Applicability - Section 164.104
- Organizational Requirements - Section 164.105
- Relationship to Other Parts - Section 164.106
Security Standards for the Protection of Electronic Protected Health Information
Subpart C
- Applicability - Section 164.302
- Definitions - Section 164.304
- General Rules - Section 164.306
- Administrative Safeguards - Section 164.308
- Physical Safeguards - Section 164.310
- Technical Safeguards - Section 164.312
- Organizational Requirements - Section 164.314
- Policies and Procedures and Documentation Requirements - Section 164.316
- Compliance Dates for the Initial Implementation of the Security Standards - Section 164.318
- Appendix: Matrix
Notification in the Case of Breach of Unsecured Protected Health Information
Subpart D
- Applicability - Section 164.400
- Definitions - Section 164.402
- Notification to Individuals: General Rule - Section 164.404(a)
- Notification to Individuals: Timeliness of Notification - Section 164.404(b)
- Notification to Individuals: Content of Notification - Section 164.404(c)
- Notification to Individuals: Methods of Individual Notification - Section 164.404(d)
- Notification to the Media - Section 164.406
- Notification to the Secretary of HHS - Section 164.408
- Notification By Business Associates - Section 164.410
- Law Enforcement Delay - Section 164.412
- Administrative Requirements and Burden of Proof - Section 164.414
Privacy of Individually Identifiable Health Information
Subpart E
Definitions
Section 164.501
- Correctional Institution
- Data Aggregation
- Designated Record Set
- Direct Treatment Relationship
- Health Care Operations
- Health Oversight Agency
- Indirect Treatment Relationship
- Inmate
- Marketing
- Payment
- Psychotherapy Notes
- Public Health Authority
- Research
- Treatment
General Rules for Uses and Disclosures of Protected Health Information
Section 164.502
- Use and Disclosure for Treatment, Payment and Health Care Operations - (a)
- Minimum Necessary - (b)
- Uses and Disclosures of Protected Health Information Subject to an Agreed Upon Restriction - (c)
- Creation of De-Identified Information - (d)
- Disclosures to Business Associates - (e)
- Deceased Individuals - (f)
- Personal Representatives - (g)
- Confidential Communications - (h)
- Uses and Disclosures Consistent With Notice - (i)
- Disclosures by Whistleblowers and Workforce Member Crime Victims - (j)
Uses and Disclosures - Organizational Requirements - Component Entities, Affiliated Entities, Business Associates and Group Health Plans
Section 164.504
- Definitions - (a)
- Subparagraphs (b)-(d) -- Repealed
- Business Associate Contracts - (e)
- Requirements for Group Health Plans - (f)
- Requirements for a Covered Entity With Multiple Covered Functions - (g)
Uses and Disclosures to Carry Out Treatment, Payment or Health Care Operations
Section 164.506
- Permitted Uses and Disclosures - (a)
- Consent for Uses and Disclosures Permitted - (b)
- Treatment, Payment, or Health Care Operations - (c)
Uses and Disclosures For Which an Authorization is Required
Section 164.508
- Authorizations for Uses and Disclosures - (a)
- General Requirements - (b)
- Core Elements and Requirements - (c)
Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object
Section 164.510
- General Rule
- Use and Disclosure for Facility Directories - (a)
- Uses and Disclosures for Involvement in the Individual's Care and Notification Purposes - (b)
Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object is Not Required
Section 164.512
- General Rule
- Uses and Disclosures Required By Law - (a)
- Uses and Disclosures for Public Health Activities - (b)
- Disclosures About Victims of Abuse, Neglect or Domestic Violence - (c)
- Uses and Disclosures for Health Oversight Activities - (d)
- Disclosures for Judicial and Administrative Proceedings - (e)
- Disclosures for Law Enforcement Purposes - (f)
- Uses and Disclosures about Decedents - (g)
- Uses and Disclosures for Cadaveric Organ, Eye, Tissue Donation - (h)
- Uses and Disclosures for Research Purposes - (i)
- Uses and Disclosures to Avert a Serious Threat to Health or Safety - (j)
- Uses and Disclosures For Specialized Government Functions - (k)
- Disclosures for Workers' Compensation - (l)
Other Requirements Relating to Uses and Disclosures of Protected Health Information
Section 164.514
- De-Identification of Protected Health Information - (a)
- Requirements for De-Identification of Protected Health Information - (b)
- Re-Identification - (c)
- Minimum Necessary Requirements - (d)
- Limited Data Set - (e)
- Fundraising - (f)
- Underwriting - (g)
- Verification Requirements - (h)
Notice of Privacy Practices for Protected Health Information
Section 164.520
- Right to Notice of Privacy Practices - (a)
- Content of Notice of Privacy Practices - (b)
- Provision of Notice of Privacy Practices - (c)
- Joint Notice by Separate Covered Entities - (d)
- Documentation of Notice - (e)
Rights to Request Privacy Protection for Protected Health Information
Section 164.522
- Right of an Individual to Request Restriction of Uses and Disclosures - (a)
- Confidential Communications Requirements - (b)
Access of Individuals to Protected Health Information
Section 164.524
- Access to Protected Health Information - (a)
- Requests for Access and Timely Action - (b)
- Provision of Access - (c)
- Denial of Access - (d)
- Documentation - (e)
Amendment of Protected Health Information
Section 164.526
- Right to Amend - (a)
- Requests for Amendment and Timely Action - (b)
- Accepting the Amendment - (c)
- Denying the Amendment - (d)
- Actions on Notices of Amendment - (e)
- Documentation - (f)
Accounting of Disclosures of Protected Health Information
Section 164.528
- Right to an Accounting - (a)
- Content of the Accounting - (b)
- Provision of the Accounting - (c)
- Documentation - (d)
The Administrative Requirements
Section 164.530
- Personnel Designations - (a)
- Training - (b)
- Safeguards - (c)
- Complaints to the Covered Entity - (d)
- Sanctions - (e)
- Mitigation - (f)
- Refraining from Intimidating or Retaliatory Acts - (g)
- Waiver of Rights - (h)
- Policies and Procedures - (i)
- Documentation - (j)
- Group Health Plans - (k)