HIPAA Compliance Plan
PART 164 — SECURITY AND PRIVACY

Subpart A — General Provisions

§ 164.102 Statutory basis

§ 164.103 Definitions

Common Control; Common Ownership; Covered Functions; Health Care Component; Hybrid Entity; Plan Sponsor; Law Enforcement Official; Required by Law

§ 164.104 Applicability

§ 164.105 Organizational Requirements

§ 164.106 Relationship to other parts

Subpart B — [Reserved]

Subpart C — Security Standards for the Protection of Electronic Protected Health Information

§ 164.302 Applicability

§ 164.304 Definitions

Access; Administrative Safeguards; Authentication; Availability; Confidentiality; Encryption; Facility; Information System; Integrity; Malicious Software; Password; Physical Safeguards; Security or Security Measures; Security Incident; Technical Safeguards; User; Workstation

§ 164.306 Security standards: General rules

§ 164.308 Administrative safeguards

(a)(1)(i) Standard: Security management process

(ii) Implementation specifications

(A) Risk analysis

(B) Risk management

(C) Sanction policy

(D) Information system activity review

(2) Standard: Assigned security responsibility

(3) (i) Standard: Workforce security

(ii) Implementation specifications

(A) Authorization and/or supervision

(B) Workforce clearance procedure

(C) Termination procedures

(4) (i) Standard: Information access management

(ii) Implementation specifications

(A) Isolating health care clearinghouse functions

(B) Access authorization

(C) Access establishment and modification

(5) (i) Standard: Security awareness and training

(ii) Implementation specifications

(A) Security reminders

(B) Protection from malicious software

(C) Log-in monitoring

(D) Password management

(6) (i) Standard: Security incident procedures

(ii) Implementation specification: Response and reporting

(7) (i) Standard: Contingency plan

(ii) Implementation specifications

(A) Data backup plan

(B) Disaster recovery plan

(C) Emergency mode operation plan

(D) Testing and revision procedures

(E) Applications and data criticality analysis

(8) Standard: Evaluation

(b) (1) Business associate contracts and other arrangements

(3) Implementation specifications: Written contract or other arrangement

§ 164.310 Physical safeguards

(a) (1) Standard: Facility access controls

(2) Implementation specifications:

(i) Contingency operations

(ii) Facility security plan

(iii) Access control and validation procedures

(iv) Maintenance records

(b) Standard: Workstation use

(c) Standard: Workstation security

(d) (1) Standard: Device and media controls

(2) Implementation specifications

(i) Disposal

(ii) Media re-use

(iii) Accountability

(iv) Data backup and storage

§ 164.312 Technical safeguards

(a) (1) Standard: Access control

(2) Implementation specifications

(i) Unique user identification

(ii) Emergency access procedure

(iii) Automatic logoff

(iv) Encryption and decryption

(b) Standard: Audit controls

(c) (1) Standard: Integrity

(2) Implementation specification: Mechanism to authenticate electronic protected health information

(d) Standard: Person or entity authentication

(e) (1) Standard: Transmission security

(2) Implementation specifications

(i) Integrity controls

(ii) Encryption

§ 164.314 Organizational requirements

§ 164.316 Policies and procedures and documentation requirements

§ 164.318 Compliance dates for initial implementation of security standards

Subpart D — Notification in the Case of Breach of Unsecured Protected Health Information

§ 164.400 Applicability.

§ 164.402 Definitions.

Breach; Unsecured Protected Health Information

§ 164.404 Notification to individuals.

§ 164.406 Notification to the media.

§ 164.408 Notification to the Secretary.

§ 164.410 Notification by a business associate.

§ 164.412 Law enforcement delay.

§ 164.414 Administrative requirements and burden of proof.

Subpart E — Privacy of Individually Identifiable Health Information

§ 164.500 Applicability

§ 164.501 Definitions

Correctional Institution; Other Persons Held in Lawful Custody; Data Aggregation; Designated Record Set; Direct Treatment Relationship; Health Care Operations; Health Oversight Agency; Indirect Treatment Relationship; Inmate; Marketing; Payment; Psychotherapy Notes; Public Health Authority; Research; Treatment

§ 164.502 Uses and disclosures of protected health information: general rules

(a) Standard:

(1) Permitted uses & disclosures

(2) Required disclosures

(b) Standard: minimum necessary

(1) Minimum necessary applies

(2) Minimum necessary does not apply

(c) Standard: uses and disclosures of protected health information subject to an agreed upon restriction

(d) Standard: Uses and disclosures of de-identified protected health information

(1) Uses and disclosures to create de-identified information

(2) Uses and disclosures of de-identified information

(e) (1) Standard: disclosures to business associates

(2) Implementation specification: documentation

(f) Standard: deceased individuals

(g) (1) Standard: personal representatives

(2) Implementation specification: adults and emancipated minors

(3) Implementation specification: unemancipated minors

(4) Implementation specification: deceased individuals

(5) Implementation specification: abuse, neglect, endangerment situations

(h) Standard: confidential communications

(i) Standard: uses and disclosures consistent with notice

(j) Standard: disclosures by whistleblowers and workforce member crime victims

(1) Disclosures by whistleblowers

(2) Disclosures by workforce members who are victims of a crime

§ 164.504 Uses and disclosures: organizational requirements

(a) Definitions

Plan administration functions; Summary health information

(b)-(d) — [Removed and Reserved]

(e) (1) Standard: business associate contracts

(2) Implementation specifications: business associate contracts

(3) Implementation specifications: other arrangements

(4) Implementation specifications: other requirements for contracts and other arrangements

(f) (1) Standard: requirements for group health plans

(2) Implementation specifications: requirements for plan documents

(3) Implementation specifications: uses and disclosures

(g) Standard: requirements for a covered entity with multiple covered functions

§ 164.506 Uses and disclosures to carry out treatment, payment, or health care operations

(a) Standard: permitted uses and disclosures

(b) Standard: consent for uses and disclosures permitted

(c) Implementation specifications: treatment, payment, or health care operations

§ 164.508 Uses and disclosures for which an authorization is required

(a) Standard: authorizations for uses and disclosures

(1) Authorization required: general rule

(2) Authorization required: psychotherapy notes

(3) Authorization required: marketing

(b) Implementation specifications: general requirements

(1) Valid authorizations

(2) Defective authorizations

(3) Compound authorizations

(4) Prohibition on conditioning of authorizations

(5) Revocation of authorizations

(6) Documentation

(c) Implementation specifications: core elements and requirements

(1) Core elements

(2) Required statements

(3) Plain language requirement

(4) Copy to the individual

§ 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object

(a) Standard: use and disclosure for facility directories

(1) Permitted uses and disclosure

(2) Opportunity to object

(3) Emergency circumstances

(b) Standard: uses and disclosures for involvement in the individual's care and notification purposes

(1) Permitted uses and disclosures

(2) Uses and disclosures with the individual present

(3) Limited uses and disclosures when the individual is not present

(4) Use and disclosures for disaster relief purposes

§ 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required

(a) Standard: uses and disclosures required by law

(b) Standard: uses and disclosures for public health activities

(1) Permitted disclosures

(2) Permitted uses

(c) Standard: disclosures about victims of abuse, neglect, or domestic violence

(1) Permitted disclosures

(2) Informing the individual

(d) Standard: uses and disclosures for health oversight activities

(1) Permitted disclosures

(2) Exception to health oversight activities

(3) Joint activities or investigations

(4) Permitted uses

(e) Standard: disclosures for judicial and administrative proceedings

(1) Permitted disclosures

(2) Other uses and disclosures under this section

(f) Standard: disclosures for law enforcement purposes

(1) Permitted disclosures: pursuant to process and as otherwise required by law

(2) Permitted disclosures: limited information for identification and location purposes

(3) Permitted disclosure: victims of a crime

(4) Permitted disclosure: decedents

(5) Permitted disclosure: crime on premises

(6) Permitted disclosure: reporting crime in emergencies

(g) Standard: uses and disclosures about decedents

(1) Coroners and medical examiners

(2) Funeral directors

(h) Standard: uses and disclosures for cadaveric organ, eye, or tissue donation purposes

(i) Standard: uses and disclosures for research purposes

(1) Permitted uses and disclosures

(2) Documentation of waiver approval

(j) Standard: uses and disclosures to avert a serious threat to health or safety

(1) Permitted disclosures

(2) Use or disclosure not permitted

(3) Limit on information that may be disclosed

(4) Presumption of good faith belief

(k) Standard: uses and disclosures for specialized government functions

(1) Military and veterans activities

(2) National security and intelligence activities

(3) Protective services for the President and others

(4) Medical suitability determinations

(5) Correctional institutions and other law enforcement custodial situations

(6) Covered entities that are government programs providing public benefits

(l) Standard: disclosures for workers' compensation

§ 164.514 Other requirements relating to uses & disclosures of protected health information

(a) Standard: de-identification of protected health information

(b) Implementation specifications: requirements for de-identification of protected health information

(c) Implementation specifications: re-identification

(1) Derivation

(2) Security

(d) (1) Standard: minimum necessary requirements

(2) Implementation specifications: minimum necessary uses of protected health information

(3) Implementation specification: minimum necessary disclosures of protected health information

(4) Implementation specifications: minimum necessary requests for protected health information

(5) Implementation specification: other content requirement

(e) (1) Standard: limited data set

(2) Implementation specification: limited data set

(3) Implementation specification: permitted purposes for uses and disclosures

(4) Implementation specifications: data use agreement

(f) (1) Standard: uses and disclosures for fundraising

(2) Implementation specifications: fundraising requirements

(g) Standard: uses and disclosures for underwriting and related purposes

(h) (1) Standard: verification requirements

(2) Implementation specifications: verification

§ 164.520 Notice of privacy practices for protected health information

(a) Standard: notice of privacy practices

(1) Right to notice

(2) Exception for group health plans

(3) Exception for inmates

(b) Implementation specifications: content of notice

(1) Required elements

(2) Optional elements

(3) Revisions to the notice

(c) Implementation specifications: provision of notice

(1) Specific requirements for health plans

(2) Specific requirements for certain covered health care providers

(3) Specific requirements for electronic notice

(d) Implementation specifications: joint notice by separate covered entities

(e) Implementation specifications: documentation

§ 164.522 Rights to request privacy protection for protected health information

(a) (1) Standard: right of an individual to request restriction of uses and disclosures

(2) Implementation specifications: terminating a restriction

(3) Implementation specification: documentation

(b) (1) Standard: confidential communications requirements

(2) Implementation specifications: conditions on providing confidential communications

§ 164.524 Access of individuals to protected health information

(a) Standard: access to protected health information

(1) Right of access

(2) Unreviewable grounds for denial

(3) Reviewable grounds for denial

(4) Review of a denial of access

(b) Implementation specifications: requests for access and timely action

(1) Individual's request for access

(2) Timely action by the covered entity

(c) Implementation specifications: provision of access

(1) Providing the access requested

(2) Form of access requested

(3) Time and manner of access

(4) Fees

(d) Implementation specifications: denial of access

(1) Making other information accessible

(2) Denial

(3) Other responsibility

(4) Review of denial requested

(e) Implementation specification: documentation

§ 164.526 Amendment of protected health information

(a) Standard: right to amend

(1) Right to amend

(2) Denial of amendment

(b) Implementation specifications: requests for amendment and timely action

(1) Individual's request for amendment

(2) Timely action by the covered entity

(c) Implementation specifications: accepting the amendment

(1) Making the amendment

(2) Informing the individual

(3) Informing others

(d) Implementation specifications: denying the amendment

(1) Denial

(2) Statement of disagreement

(3) Rebuttal statement

(4) Recordkeeping

(5) Future disclosures

(e) Implementation specification: actions on notices of amendment

(f) Implementation specification: documentation

§ 164.528 Accounting of disclosures of protected health information

(a) Standard: right to an accounting of disclosures of protected health information

(b) Implementation specifications: content of the accounting

(c) Implementation specifications: provision of the accounting

(d) Implementation specification: documentation

§ 164.530 Administrative requirements

(a) (1) Standard: personnel designations

(2) Implementation specification: personnel designations

(b) (1) Standard: training

(2) Implementation specifications: training

(c) (1) Standard: safeguards

(2) Implementation specification: safeguards

(d) (1) Standard: complaints to the covered entity

(2) Implementation specification: documentation of complaints

(e) (1) Standard: sanctions

(2) Implementation specification: documentation

(f) Standard: mitigation

(g) Standard: refraining from intimidating or retaliatory acts

(1) Individuals

(2) Individuals and others

(h) Standard: waiver of rights

(i) (1) Standard: policies and procedures

(2) Standard: changes to policies or procedures

(3) Implementation specification: changes in law

(4) Implementation specifications: changes to privacy practices stated in the notice

(5) Implementation specification: changes to other policies or procedures

(j) (1) Standard: documentation

(2) Implementation specification: retention period

(k) Standard: group health plans

§ 164.532 Transition provisions

(a) Standard: effect of prior authorizations

(b) Implementation specification: effect of prior authorization for purposes other than research

(c) Implementation specification: effect of prior permission for research

(d) Standard: effect of prior contracts or other arrangements with business associates

(e) Implementation specification: deemed compliance

(1) Qualification

(2) Limited deemed compliance period

(3) Covered entity responsibilities

§ 164.534 Compliance dates for initial implementation of the privacy standards

(a) Health care providers

(b) Health plans

(1) Health plans other than small health plans

(2) Small health plans

(c) Health care clearinghouses