HIPAA Compliance Plan

HIPAA Privacy Rule

When providers think of HIPAA, what they almost always have in mind is the Privacy Rule (PR). The HIPAA Privacy Rule is contained in Subpart E (Privacy of Individually Identifiable Health Information) of 45 CFR Part 164. Subpart E extends from §164.500 through §164.534. These sections span approximately 40 pages of regulatory text. The compliance date of the Privacy Rule for most covered entities was April 14, 2003. Therefore, as of this writing, providers have been "living" with the Privacy Rule for about six years.

As you might imagine, summarizing the 40 pages of regulatory text that make up the Privacy Rule is a daunting task, and it is difficult to strike the appropriate balance between completeness and readability. Therefore, consistent with our methodology throughout this guide, we have a more modest set of objectives, namely: 1) provide a map of the territory by highlighting critical sections; and 2) indicate important entry points into the HIPAA Privacy Rule where further research by providers may be required as specific questions arise.


In short, while we do not, and cannot, provide you the "answers," we hope to raise your awareness enough that you begin asking the "right questions." Some sections below span several pages in the CFR. Given that, we have decided that "Introductory Comments" are often necessary, as are "Notes." It is virtually impossible, within the scope of this document, to cover both the substance of what a particular section addresses and the myriad exceptions that may apply.


§ 164.500 Applicability

In general, the HIPAA Privacy Rule applies to covered entities and to their use and disclosure of protected health information (PHI).

HIPAA Survival Guide Note

The term PHI is defined in §160.103 and is quite broad: it covers individually identifiable health information in any form or medium (oral, paper, or electronic). The HIPAA Security Rule is narrower in scope in that it pertains only to electronic PHI (ePHI).

§ 164.501 Definitions

Introductory Comment: Most of the baseline definitions are in §160.103. The definitions below are a subset of those introduced in §164.501 by the Privacy Rule and pertinent to our discussion. Please be advised that the definitions have been succinctly paraphrased for readability. As such, each definition should be read with "In general" as an introductory phrase.

Designated Record Set (DRS)

DRS means a group of medical, billing, enrollment, or claims records maintained by or for a covered entity (CE), or any other group of records the CE uses, in whole or in part, to make decisions about individuals. The DRS matters because a patient's rights of access and amendment attach to the records in it.

Marketing

Marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made for treatment, case management, or care coordination.

HIPAA Survival Guide Note

The HIPAA Privacy Rule prohibits marketing communications that use or disclose PHI unless the individual has signed a valid authorization. If you are receiving remuneration from a third party in exchange for disclosing PHI, then you are almost certainly engaged in marketing. Any such remuneration must be explicitly stated in the required authorization.

Payment

Payment means the activities a health plan or health care provider undertakes to obtain premiums, determine coverage, or obtain reimbursement for care, including billing, claims management, and collection activities.

Treatment

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

HIPAA Survival Guide Note

This is the regulatory definition in its entirety, not a paraphrase.
