Standards for Privacy of Individually Identifiable Health ... Privacy...OCR/HIPAA Privacy Regulation Text October 2002-i-Standards for Privacy of Individually Identifiable Health Information

U.S. Department of Health and Human ServicesOffice for Civil Rights

Standards for Privacy ofIndividually Identifiable

Health Information(Unofficial Version)

(45 CFR Parts 160 and 164)

Regulation Text(December 28, 2000)

as amended:Part 160

(May 31, 2002)Parts 160, 164

(August 14, 2002)

OCR/HIPAA Privacy Regulation Text

October 2002

-i-

Standards for Privacy of Individually Identifiable Health InformationRegulation Text, as amended

Table of ContentsSection Page

PART 160 – GENERAL ADMINISTRATIVE REQUIREMENTS

SUBPART A – GENERAL PROVISIONS

§ 160.101 Statutory B asis and Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

§ 160.102 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

§ 160.103 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

ANSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Business associate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Compliance date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

EIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Employer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Group health plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

HCFA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

HHS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Health care . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Health care clearinghouse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Health care provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Health insurance issuer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Health maintenance organization (HMO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Health plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Implementation specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Individually identifiable health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Modify or modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Secretary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Small health plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Standard setting organization (SSO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Trading partner agreement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Workforce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

§ 160.104 Modifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3


October 2002

-ii-

SUBPART B – PREEMPTION OF STATE LAW

§ 160.201 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

§ 160.202 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Contrary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

More stringent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Relates to the privacy of individually identifiable health information . . . . . . . . . . . . . . . . . . . . . . 3

State law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

§ 160.203 General rule and exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

§ 160.204 Process for requesting exception determinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

§ 160.205 Duration of effectiveness of exception determinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

SUBPART C – COMPLIANCE AND ENFORCEMENT

§ 160.300 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

§ 160.302 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

§ 160.304 Principles for achieving compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

(a) Cooperation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

(b) Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

§ 160.306 Complaints to the Secretary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

(a) Right to file a complaint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

(b) Requirements for filing complaints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

(c) Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

§ 160.308 Compliance reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

§ 160.310 Responsibilities of covered entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

(a) Provide records and compliance reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

(b) Cooperate with complaint investigations and compliance reviews . . . . . . . . . . . . . . . . . . . . . 5

(c) Permit access to information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

§ 160.312 Secretarial action regarding complaints and compliance reviews . . . . . . . . . . . . . . . . . . . . . . 5

(a) Resolution where noncompliance is indicated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

(b) Resolution when no violation is found . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5


October 2002

-iii-

PART 164 – SECURITY AND PRIVACY

SUBPART A – GENERAL PROVISIONS

§ 164.102 Statutory basis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

§ 164.104 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

§ 164.106 Relationship to other parts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

SUBPARTS B-D – [RESERVED]

SUBPART E – PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION

§ 164.500 Applicability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

§ 164.501 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Correctional institution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Covered functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Data aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Designated record set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Direct treatment relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Health care operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Health oversight agency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Indirect treatment relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Individual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Inmate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Law enforcement official . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Organized health care arrangements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Payment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Plan sponsor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Psychotherapy notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Public health authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Required by law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Treatment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8


October 2002

-iv-

§ 164.502 Uses and disclosures of protected health information: general rules . . . . . . . . . . . . . . . . . . . 8

(a) Standard: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

(1) Permitted uses & disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

(2) Required disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

(b) Standard: minimum necessary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

(1) Minimum necessary applies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

(2) M inimum necessary does not apply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

(c) Standard: uses and disclosures of protected health information subject to

an agreed upon restriction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

(d) Standard: Uses and disclosures of de-identified protected health information . . . . . . . . . . . . 8

(1) Uses and disclosures to create de-identified information . . . . . . . . . . . . . . . . . . . . . 8

(2) Uses and disclosures of de-identified information . . . . . . . . . . . . . . . . . . . . . . . . . . 8

(e)(1) Standard: disclosures to business associates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

(2) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

(f) Standard: deceased ind ividuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

(g)(1) Standard: personal representatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

(2) Implementation specification: adults and emancipated minors . . . . . . . . . . . . . . . . 9

(3) Implementation specification: unemancipated minors . . . . . . . . . . . . . . . . . . . . . . . 9

(4) Implementation specification: deceased individuals . . . . . . . . . . . . . . . . . . . . . . . . 9

(5) Implementation specification: abuse, neglect, endangerment situations . . . . . . . . . 9

(h) Standard: confidential communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

(i) Standard: uses and disclosures consistent with notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

(j) Standard: disclosures by whistleblowers and workforce member crime victims . . . . . . . . . . . 9

(1) Disclosures by whistleblowers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

(2) Disclosures by workforce members who are victims of a crime . . . . . . . . . . . . . . . 10

§ 164.504 Uses and disclosures: organizational requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

(a) Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Common control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Common ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Health care component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Hybrid entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Plan administration functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Summary health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

(b) Standard: health care component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

(c)(1) Implementation specification: application of other provisions . . . . . . . . . . . . . . . . . . . . 10

(2) Implementation specifications: safeguard requirements . . . . . . . . . . . . . . . . . . . . 10

(3) Implementation specifications: responsibilities of the covered entity . . . . . . . . . . 10

(d)(1) Standard: affiliated covered entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

(2) Implementation specifications: requirements for designation of an

affiliated covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

(3) Implementation specifications: safeguard requirements . . . . . . . . . . . . . . . . . . . . 11

(e)(1) Standard: business associate contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

(2) Implementation specifications: business associate contracts . . . . . . . . . . . . . . . . . 11

(3) Implementation specifications: other arrangements . . . . . . . . . . . . . . . . . . . . . . . . 11

(4) Implementation specifications: other requirements for contracts

and other arrangements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11


October 2002

-v-

(f)(1) Standard : requirements for group health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

(2) Implementation specifications: requirements for plan documents . . . . . . . . . . . . . 12

(3) Implementation specifications: uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . 12

(g) Standard: requirements for a covered entity with multiple covered functions . . . . . . . . . . . 12

§ 164.506 Uses and disclosures to carry out treatment, payment, or health care operations . . . . . . . . 12

(a) Standard: permitted uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

(b) Standard: consent for uses and disclosures permitted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

(c) Implementation specifications: treatment, payment, or health care operations . . . . . . . . . . . 13

§ 164.508 Uses and disclosures for which an authorization is required . . . . . . . . . . . . . . . . . . . . . . . . . 13

(a) Standard: authorizations for uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

(1) Authorization required: general rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

(2) Authorization required: psychotherapy notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

(3) Authorization required: marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

(b) Implementation specifications: general requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

(1) Valid authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

(2) Defective authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

(3) Compound authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

(4) Prohibition on conditioning of authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

(5) Revocation of authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

(6) Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

(c) Implementation specifications: core elements and requirements . . . . . . . . . . . . . . . . . . . . . 14

(1) Core elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

(2) Required statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

(3) Plain language requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

(4) Copy to the individual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

§ 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object . . . 14

(a) Standard: use and disclosure for facility directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

(1) Permitted uses and disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

(2) Opportunity to object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

(3) Emergency circumstances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

(b) Standard: uses and disclosures for involvement in the individual’s care and

notification purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

(1) Permitted uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

(2) Uses and disclosures with the individual present . . . . . . . . . . . . . . . . . . . . . . . . . . 15

(3) Limited uses and disclosures when the individual is not present . . . . . . . . . . . . . . 15

(4) Use and disclosures for disaster relief purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . 15


October 2002

-vi-

§ 164.512 Uses and disclosures for which an authorization or opportunity to

agree or object is not required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

(a) Standard: uses and disclosures required by law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

(b) Standard: uses and disclosures for public health activities . . . . . . . . . . . . . . . . . . . . . . . . . . 15

(1) Permitted disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

(2) Permitted uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

(c) Standard: disclosures about victims of abuse, neglect, or domestic violence . . . . . . . . . . . . 16


(2) Informing the individual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

(d) Standard: uses and disclosures for health oversight activities . . . . . . . . . . . . . . . . . . . . . . . 16


(2) Exception to health oversight activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

(3) Joint activities or investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

(4) Permitted uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

(e) Standard: disclosures for judicial and administrative proceedings . . . . . . . . . . . . . . . . . . . . 16


(2) Other uses and disclosures under this section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

(f) Standard: disclosures for law enforcement purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

(1) Permitted disclosures: pursuant to process and as otherwise

required by law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

(2) Permitted disclosures: limited information for identification and

location purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

(3) Permitted disclosure: victims of a crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

(4) Permitted disclosure: decedents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

(5) Permitted disclosure: crime on premises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

(6) Permitted disclosure: reporting crime in emergencies . . . . . . . . . . . . . . . . . . . . . . 18

(g) Standard: uses and disclosures about decedents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

(1) Coroners and medical examiners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

(2) Funeral directors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

(h) Standard: uses and disclosures for cadaveric organ, eye, or tissue

donation purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

(i) Standard: uses and disclosures for research purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

(1) Permitted uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

(i) Board approval of a waiver of authorization . . . . . . . . . . . . . . . . . . . . . . 18

(ii) Reviews preparatory to research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

(iii) Research on decedent’s information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

(2) Documentation of waiver approval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

(i) Identification and date of action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

(ii) Waiver criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

(iii) Protected health information needed . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

(iv) Review and approval procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

(v) Required signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

(j) Standard : uses and disclosures to avert a serious threat to health or safety . . . . . . . . . . . . . . 19


(2) Use or disclosure not permitted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

(3) Limit on information that may be disclosed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

(4) Presumption of good faith belief . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19


October 2002

-vii-

(k) Standard: uses and disclosures for specialized government functions . . . . . . . . . . . . . . . . . 19

(1) Military and veterans activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

(i) Armed Forces personnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

(ii) Separation or discharge from military service . . . . . . . . . . . . . . . . . . . . . 19

(iii) Veterans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

(iv) Foreign military personnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

(2) National security and intelligence activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

(3) Protective services for the president and others . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

(4) Medical suitability determinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

(5) Correctional institutions and other law enforcement custodial situations . . . . . . . . 20

(i) Permitted disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

(ii) Permitted uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

(iii) No application after release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

(6) Covered entities that are government programs providing public benefits . . . . . . . 20

(l) Standard: disclosures for workers’ compensation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

§ 164.514 Other requirements relating to uses & disclosures of protected

health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

(a) Standard: de-identification of protected health information . . . . . . . . . . . . . . . . . . . . . . . . . 20

(b) Implementation specifications: requirements for de-identification of

protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

(c) Implementation specifications: re-identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

(1) Derivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

(2) Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

(d)(1) Standard: minimum necessary requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

(2) Implementation specifications: minimum necessary uses of

protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

(3) Implementation specification: minimum necessary disclosures of


(4) Implementation specifications: minimum necessary requests for


(5) Implementation specification: other content requirement . . . . . . . . . . . . . . . . . . . 21

(e)(1) Standard: limited data set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

(2) Implementation specification: limited data set . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

(3) Implementation specification: permitted purposes for uses and disclosures . . . . . 21

(4) Implementation specifications: data use agreement . . . . . . . . . . . . . . . . . . . . . . . . 21

(i) Agreement required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

(ii) Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

(iii) Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

(f)(1) Standard: uses and disclosures for fundraising . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

(2) Implementation specifications: fundraising requirements . . . . . . . . . . . . . . . . . . . 22

(g) Standard: uses and disclosures for underwriting and related purposes . . . . . . . . . . . . . . . . . 22

(h)(1) Standard: verification requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

(2) Implementation specifications: verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

(i) Conditions on disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

(ii) Identity of public officials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

(iii) Authority of public officials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

(iv) Exercise of professional judgment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22


October 2002

-viii-

§ 164.520 Notice of privacy practices for protected health information . . . . . . . . . . . . . . . . . . . . . . . . 22

(a) Standard: notice of privacy practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

(1) Right to notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

(2) Exception for group health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

(3) Exception for inmates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

(b) Implementation specifications: content of notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

(1) Required elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

(i) Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

(ii) Uses and disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

(iii) Separate statements for certain uses or disclosures . . . . . . . . . . . . . . . . 23

(iv) Individual rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

(v) Covered entity’s duties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

(vi) Complaints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

(vii) Contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

(viii) Effective date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

(2) Optional elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

(3) Revisions to the notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

(c) Implementation specifications: provision of notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

(1) Specific requirements for health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

(2) Specific requirements for certain covered health care providers . . . . . . . . . . . . . . 24

(3) Specific requirements for electronic notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

(d) Implementation specifications: joint notice by separate covered entities . . . . . . . . . . . . . . . 24

(e) Implementation specifications: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

§ 164.522 Rights to request privacy protection for protected health information . . . . . . . . . . . . . . . . 25

(a)(1) Standard: right of an individual to request restriction of uses and disclosures . . . . . . . . 25

(2) Implementation specifications: terminating a restriction . . . . . . . . . . . . . . . . . . . . 25

(3) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

(b)(1) Standard: confidential communications requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

(2) Implementation specifications: conditions on providing

confidential communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

§ 164.524 Access of individuals to protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

(a) Standard: access to protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

(1) Right of access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

(2) Unreviewable grounds for denial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

(3) Reviewable grounds for denial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

(4) Review of a denial of access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

(b) Implementation specifications: requests for access and timely action . . . . . . . . . . . . . . . . . 26

(1) Individual’s request for access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

(2) T imely action by the covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

(c) Implementation specifications: provision of access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

(1) Providing the access requested . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

(2) Form of access requested . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

(3) Time and manner of access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

(4) Fees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26


October 2002

-ix-

(d) Implementation specifications: denial of access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

(1) M aking o ther information accessible . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

(2) Denial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

(3) Other responsibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(4) Review of denial requested . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(e) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

§ 164.526 Amendment of protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(a) Standard: right to amend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(1) Right to amend . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(2) Denial of amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(b) Implementation specifications: requests for amendment and timely action . . . . . . . . . . . . . 27

(1) Individual’s request for amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(2) T imely action by the covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(c) Implementation specifications: accepting the amendment . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(1) Making the amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(2) Informing the individual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(3) Informing others . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(d) Implementation specifications: denying the amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(1) Denial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(2) Statement of disagreement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

(3) Rebuttal statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

(4) Recordkeeping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

(5) Future disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

(e) Implementation specification: actions on notices of amendment . . . . . . . . . . . . . . . . . . . . . 28

(f) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

§ 164.528 Accounting of disclosures of protected health information . . . . . . . . . . . . . . . . . . . . . . . . . . 28

(a) Standard: right to an accounting of disclosures of protected health information . . . . . . . . . 28

(b) Implementation specifications: content of the accounting . . . . . . . . . . . . . . . . . . . . . . . . . . 28

(c) Implementation specifications: provision of the accounting . . . . . . . . . . . . . . . . . . . . . . . . 29

(d) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

§ 164.530 Administrative requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(a)(1) Standard: personnel designations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(2) Implementation specification: personnel designations . . . . . . . . . . . . . . . . . . . . . . 29

(b)(1) Standard: training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(2) Implementation specifications: training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(c)(1) Standard: safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(2) Implementation specification: safeguards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(d)(1) Standard: complaints to the covered entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(2) Implementation specification: documentation of complaints . . . . . . . . . . . . . . . . . 29

(e)(1) Standard: sanctions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(2) Implementation specification: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

(f) Standard: mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29


October 2002

-x-

(g) Standard: refraining from intimidating or re taliatory acts . . . . . . . . . . . . . . . . . . . . . . . . . . 30

(1) Ind ividuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

(2) Individuals and others . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

(h) Standard: waiver of rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

(i)(1) Standard: policies and procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

(2) Standard: changes to policies or procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

(3) Implementation specification: changes in law . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

(4) Implementation specifications: changes to privacy practices stated in the

notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

(5) Implementation specification: changes to other policies or procedures . . . . . . . . . 30

(j)(1) Standard: documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

(2) Implementation specification: retention period . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

(k) Standard: group health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

§ 164.532 Transition provisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

(a) Standard: effect of prior authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

(b) Implementation specification: effect of prior authorization for purposes

other than research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

(c) Implementation specification: effect of prior permission for research . . . . . . . . . . . . . . . . . 31

(d) Standard: effect of prior contracts or other arrangements with business associates . . . . . . . 31

(e) Implementation specification: deemed compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

(1) Qualification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

(2) Limited deemed compliance period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

(3) Covered entity responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

§ 164.534 Compliance dates for initial implementation of the privacy standards . . . . . . . . . . . . . . . . 31

(a) Health care providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

(b) Health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

(1) Health plans other than small health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

(2) Small health plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

(c) Health care clearinghouses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31


October 2002

-1-

PART 160 – GENERALADMINISTRATIVE REQUIREMENTS

Subpart A – General Provisions160.101 Statutory basis and purpose.160.102 Applicability.160.103 Definitions.160.104 Modifications.Subpart B – Preemption of State Law160.201 Applicability.160.202 Definitions.160.203 General rule and exceptions.160.204 Process for requesting exception

determinations.160.205 Duration of effectiveness of

exception determinations. Subpart C – Compliance and Enforcement160.300 Applicability.160.302 Definitions.160.304 Principles for achieving

compliance.160.306 Complaints to the Secretary.160.308 Compliance reviews.160.310 Responsibilities of covered

entities.160.312 Secretarial action regarding

complaints and compliancereviews.

Authority: Sec. 1171 through 1179 of theSocial Security Act, (42 U.S.C. 1320d-1329d-8) as added by sec. 262 of Pub. L. No.104-191, 110 Stat. 2021-2031 and sec. 264 ofPub. L. No. 104-191 (42 U.S.C. 1320d-2(note)).

Subpart A - General Provisions

§ 160.101 Statutory basis and purpose.The requirements of this subchapterimplement sections 1171 through 1179 of theSocial Security Act (the Act), as added bysection 262 of Public Law 104-191, andsection 264 of Public Law 104-191.

§ 160.102 Applicability.(a) Except as otherwise provided, the

standards, requirements, and implementationspecifications adopted under this subchapterapply to the following entities:

(1) A health plan.(2) A health care clearinghouse.(3) A health care provider who transmits

any health information in electronic form inconnection with a transaction covered by thissubchapter.

(b) To the extent required under the SocialSecurity Act, 42 U.S.C. 1320a-7c(a)(5),nothing in this subchapter shall be construedto diminish the authority of any InspectorGeneral, including such authority as providedin the Inspector General Act of 1978, as

amended (5 U.S.C. App.).

§ 160.103 Definitions.Except as otherwise provided, the followingdefinitions apply to this subchapter:

Act means the Social Security Act.ANSI stands for the American National

Standards Institute.Business associate:

(1) Except as provided in paragraph (2) ofthis definition, business associate means,with respect to a covered entity, a personwho:

(i) On behalf of such covered entity orof an organized health care arrangement (asdefined in § 164.501 of this subchapter) inwhich the covered entity participates, butother than in the capacity of a member of theworkforce of such covered entity orarrangement, performs, or assists in theperformance of:

(A) A function or activity involving theuse or disclosure of individually identifiablehealth information, including claimsprocessing or administration, data analysis,processing or administration, utilizationreview, quality assurance, billing, benefitmanagement, practice management, andrepricing; or

(B) Any other function or activityregulated by this subchapter; or

(ii) Provides, other than in the capacity ofa member of the workforce of such coveredentity, legal, actuarial, accounting,consulting, data aggregation (as defined in §164.501 of this subchapter), management,administrative, accreditation, or financialservices to or for such covered entity, or to orfor an organized health care arrangement inwhich the covered entity participates, wherethe provision of the service involves thedisclosure of individually identifiable healthinformation from such covered entity orarrangement, or from another businessassociate of such covered entity orarrangement, to the person.

(2) A covered entity participating in anorganized health care arrangement thatperforms a function or activity as describedby paragraph (1)(i) of this definition for or onbehalf of such organized health carearrangement, or that provides a service asdescribed in paragraph (1)(ii) of thisdefinition to or for such organized health carearrangement, does not, simply through theperformance of such function or activity orthe provision of such service, become abusiness associate of other covered entitiesparticipating in such organized health carearrangement.

(3) A covered entity may be a business

associate of another covered entity.Compliance date means the date by which a

covered entity must comply with a standard,implementation specification, requirement, ormodification adopted under this subchapter.

Covered entity means:(1) A health plan.(2) A health care clearinghouse.(3) A health care provider who transmits

any health information in electronic form inconnection with a transaction covered by thissubchapter.

EIN stands for the employer identificationnumber assigned by the Internal RevenueService, U.S. Department of the Treasury. The EIN is the taxpayer identifying numberof an individual or other entity (whether ornot an employer) assigned under one or thefollowing:

(1) 26 U.S.C. 6011(b), which is the portionof the Internal Revenue Code dealing withidentifying the taxpayer in tax returns andstatements, or corresponding provisions ofprior law.

(2) 26 U.S.C. 6109, which is the portion ofthe Internal Revenue Code dealing withidentifying numbers in tax returns,statements, and other required documents.

Employer is defined as it is in 26 U.S.C.3401(d).

Group health plan (also see definition ofhealth plan in this section) means anemployee welfare benefit plan (as defined insection 3(1) of the Employee RetirementIncome and Security Act of 1974 (ERISA),29 U.S.C. 1002(1)), including insured andself-insured plans, to the extent that the planprovides medical care (as defined in section2791(a)(2) of the Public Health Service Act(PHS Act), 42 U.S.C. 300gg-91(a)(2)),including items and services paid for asmedical care, to employees or theirdependents directly or through insurance,reimbursement, or otherwise, that:

(1) Has 50 or more participants (as definedin section 3(7) of ERISA, 29 U.S.C.1002(7)); or

(2) Is administered by an entity other thanthe employer that established and maintainsthe plan.

HCFA stands for Health Care FinancingAdministration within the Department ofHealth and Human Services.

HHS stands for the Department of Healthand Human Services.

Health care means care, services, orsupplies related to the health of an individual. Health care includes, but is not limited to,the following:

(1) Preventive, diagnostic, therapeutic,rehabilitative, maintenance, or palliative care,


October 2002

-2-

and counseling, service, assessment, orprocedure with respect to the physical ormental condition, or functional status, of anindividual or that affects the structure orfunction of the body; and

(2) Sale or dispensing of a drug, device,equipment, or other item in accordance with aprescription.

Health care clearinghouse means a publicor private entity, including a billing service,repricing company, community healthmanagement information system orcommunity health information system, and“value-added” networks and switches, thatdoes either of the following functions:

(1) Processes or facilitates the processingof health information received from anotherentity in a nonstandard format or containingnonstandard data content into standard dataelements or a standard transaction.

(2) Receives a standard transaction fromanother entity and processes or facilitates theprocessing of health information intononstandard format or nonstandard datacontent for the receiving entity.

Health care provider means a provider ofservices (as defined in section 1861(u) of theAct, 42 U.S.C. 1395x(u)), a provider ofmedical or health services (as defined insection 1861(s) of the Act, 42 U.S.C.1395x(s)), and any other person ororganization who furnishes, bills, or is paidfor health care in the normal course ofbusiness.

Health information means any information,whether oral or recorded in any form ormedium, that:

(1) Is created or received by a health careprovider, health plan, public health authority,employer, life insurer, school or university, orhealth care clearinghouse; and

(2) Relates to the past, present, or futurephysical or mental health or condition of anindividual; the provision of health care to anindividual; or the past, present, or futurepayment for the provision of health care to anindividual.

Health insurance issuer (as defined insection 2791(b)(2) of the PHS Act, 42 U.S.C.300gg-91(b)(2) and used in the definition ofhealth plan in this section) means aninsurance company, insurance service, orinsurance organization (including an HMO)that is licensed to engage in the business ofinsurance in a State and is subject to Statelaw that regulates insurance. Such term doesnot include a group health plan.

Health maintenance organization (HMO)(as defined in section 2791(b)(3) of the PHSAct, 42 U.S.C. 300gg-91(b)(3) and used inthe definition of health plan in this section)

means a federally qualified HMO, anorganization recognized as an HMO underState law, or a similar organization regulatedfor solvency under State law in the samemanner and to the same extent as such anHMO.

Health plan means an individual or groupplan that provides, or pays the cost of,medical care (as defined in section 2791(a)(2)of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).

(1) Health plan includes the following,singly or in combination:

(i) A group health plan, as defined in thissection.

(ii) A health insurance issuer, as definedin this section.

(iii) An HMO, as defined in this section.(iv) Part A or Part B of the Medicare

program under title XVIII of the Act.(v) The Medicaid program under title

XIX of the Act, 42 U.S.C. 1396, et seq.(vi) An issuer of a Medicare

supplemental policy (as defined in section1882(g)(1) of the Act, 42 U.S.C.1395ss(g)(1)).

(vii) An issuer of a long-term care policy,excluding a nursing home fixed-indemnitypolicy.

(viii) An employee welfare benefit plan orany other arrangement that is established ormaintained for the purpose of offering orproviding health benefits to the employees oftwo or more employers.

(ix) The health care program for activemilitary personnel under title 10 of the UnitedStates Code.

(x) The veterans health care programunder 38 U.S.C. chapter 17.

(xi) The Civilian Health and MedicalProgram of the Uniformed Services(CHAMPUS)(as defined in 10 U.S.C.1072(4)).

(xii) The Indian Health Service programunder the Indian Health Care ImprovementAct, 25 U.S.C. 1601, et seq.

(xiii) The Federal Employees HealthBenefits Program under 5 U.S.C. 8902, etseq.

(xiv) An approved State child health planunder title XXI of the Act, providing benefitsfor child health assistance that meet therequirements of section 2103 of the Act, 42U.S.C. 1397, et seq.

(xv) The Medicare + Choice programunder Part C of title XVIII of the Act, 42U.S.C. 1395w-21 through 1395w-28.

(xvi) A high risk pool that is amechanism established under State law toprovide health insurance coverage orcomparable coverage to eligible individuals.

(xvii) Any other individual or group plan,

or combination of individual or group plans,that provides or pays for the cost of medicalcare (as defined in section 2791(a)(2) of thePHS Act, 42 U.S.C. 300gg-91(a)(2)).

(2) Health plan excludes:(i) Any policy, plan, or program to the

extent that it provides, or pays for the cost of,excepted benefits that are listed in section2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and

(ii) A government-funded program (otherthan one listed in paragraph (1)(i)-(xvi)of thisdefinition):

(A) Whose principal purpose is otherthan providing, or paying the cost of, healthcare; or

(B) Whose principal activity is:(1) The direct provision of health care

to persons; or(2) The making of grants to fund the

direct provision of health care to persons.Implementation specification means specific

requirements or instructions for implementinga standard.

Individually identifiable health informationis information that is a subset of healthinformation, including demographicinformation collected from an individual,and:

(1) Is created or received by a health careprovider, health plan, employer, or health careclearinghouse; and

(2) Relates to the past, present, or futurephysical or mental health or condition of anindividual; the provision of health care to anindividual; or the past, present, or futurepayment for the provision of health care to anindividual; and

(i) That identifies the individual; or(ii) With respect to which there is a

reasonable basis to believe the informationcan be used to identify the individual.

Modify or modification refers to a changeadopted by the Secretary, through regulation,to a standard or an implementationspecification.

Secretary means the Secretary of Health andHuman Services or any other officer oremployee of HHS to whom the authorityinvolved has been delegated.

Small health plan means a health plan withannual receipts of $5 million or less.

Standard means a rule, condition, orrequirement:

(1) Describing the following informationfor products, systems, services or practices:

(i) Classification of components.(ii) Specification of materials,

performance, or operations; or(iii) Delineation of procedures; or

(2) With respect to the privacy of


October 2002

-3-

individually identifiable health information.Standard setting organization (SSO) means

an organization accredited by the AmericanNational Standards Institute that develops andmaintains standards for informationtransactions or data elements, or any otherstandard that is necessary for, or will facilitatethe implementation of, this part.

State refers to one of the following:(1) For a health plan established or

regulated by Federal law, State has themeaning set forth in the applicable section ofthe United States Code for such health plan.

(2) For all other purposes, State means anyof the several States, the District ofColumbia, the Commonwealth of PuertoRico, the Virgin Islands, and Guam.

Trading partner agreement means anagreement related to the exchange ofinformation in electronic transactions,whether the agreement is distinct or part of alarger agreement, between each party to theagreement. (For example, a trading partneragreement may specify, among other things,the duties and responsibilities of each party tothe agreement in conducting a standardtransaction.)

Transaction means the transmission ofinformation between two parties to carry outfinancial or administrative activities related tohealth care. It includes the following types ofinformation transmissions:

(1) Health care claims or equivalentencounter information.

(2) Health care payment and remittanceadvice.

(3) Coordination of benefits.(4) Health care claim status.(5) Enrollment and disenrollment in a

health plan.(6) Eligibility for a health plan.(7) Health plan premium payments.(8) Referral certification and authorization.(9) First report of injury.(10) Health claims attachments.(11) Other transactions that the Secretary

may prescribe by regulation.Workforce means employees, volunteers,

trainees, and other persons whose conduct, inthe performance of work for a covered entity,is under the direct control of such entity,whether or not they are paid by the coveredentity.

§ 160.104 Modifications.(a) Except as provided in paragraph (b) of

this section, the Secretary may adopt amodification to a standard or implementationspecification adopted under this subchapterno more frequently than once every 12months.

(b) The Secretary may adopt a modificationat any time during the first year after thestandard or implementation specification isinitially adopted, if the Secretary determinesthat the modification is necessary to permitcompliance with the standard orimplementation specification.

(c) The Secretary will establish thecompliance date for any standard orimplementation specification modified underthis section.

(1) The compliance date for a modificationis no earlier than 180 days after the effectivedate of the final rule in which the Secretaryadopts the modification.

(2) The Secretary may consider the extentof the modification and the time needed tocomply with the modification in determiningthe compliance date for the modification.

(3) The Secretary may extend thecompliance date for small health plans, as theSecretary determines is appropriate.

Subpart B - Preemption of State Law

§ 160.201 Applicability.The provisions of this subpart implementsection 1178 of the Act, as added by section262 of Public Law 104-191.

§ 160.202 Definitions.For purposes of this subpart, the followingterms have the following meanings:

Contrary, when used to compare a provisionof State law to a standard, requirement, orimplementation specification adopted underthis subchapter, means:

(1) A covered entity would find itimpossible to comply with both the State andfederal requirements; or

(2) The provision of State law stands as anobstacle to the accomplishment and executionof the full purposes and objectives of part Cof title XI of the Act or section 264 of Pub. L.104-191, as applicable.

More stringent means, in the context of acomparison of a provision of State law and astandard, requirement, or implementationspecification adopted under subpart E of part164 of this subchapter, a State law that meetsone or more of the following criteria:

(1) With respect to a use or disclosure, thelaw prohibits or restricts a use or disclosure incircumstances under which such use ordisclosure otherwise would be permittedunder this subchapter, except if the disclosureis:

(i) Required by the Secretary inconnection with determining whether acovered entity is in compliance with thissubchapter; or

(ii) To the individual who is the subjectof the individually identifiable healthinformation.

(2) With respect to the rights of anindividual, who is the subject of theindividually identifiable health information,regarding access to or amendment ofindividually identifiable health information,permits greater rights of access oramendment, as applicable.

(3) With respect to information to beprovided to an individual who is the subjectof the individually identifiable healthinformation about a use, a disclosure, rights,and remedies, provides the greater amount ofinformation.

(4) With respect to the form, substance, orthe need for express legal permission from anindividual, who is the subject of theindividually identifiable health information,for use or disclosure of individuallyidentifiable health information, providesrequirements that narrow the scope orduration, increase the privacy protectionsafforded (such as by expanding the criteriafor), or reduce the coercive effect of thecircumstances surrounding the express legalpermission, as applicable.

(5) With respect to recordkeeping orrequirements relating to accounting ofdisclosures, provides for the retention orreporting of more detailed information or fora longer duration.

(6) With respect to any other matter,provides greater privacy protection for theindividual who is the subject of theindividually identifiable health information.

Relates to the privacy of individuallyidentifiable health information means, withrespect to a State law, that the State law hasthe specific purpose of protecting the privacyof health information or affects the privacy ofhealth information in a direct, clear, andsubstantial way.

State law means a constitution, statute,regulation, rule, common law, or other Stateaction having the force and effect of law.

§ 160.203 General rule and exceptions.A standard, requirement, or implementationspecification adopted under this subchapterthat is contrary to a provision of State lawpreempts the provision of State law. Thisgeneral rule applies, except if one or more ofthe following conditions is met:

(a) A determination is made by the Secretaryunder § 160.204 that the provision of Statelaw:

(1) Is necessary:(i) To prevent fraud and abuse related to

the provision of or payment for health care;


October 2002

-4-

(ii) To ensure appropriate State regulationof insurance and health plans to the extentexpressly authorized by statute or regulation;

(iii) For State reporting on health caredelivery or costs; or

(iv) For purposes of serving a compellingneed related to public health, safety, orwelfare, and, if a standard, requirement, orimplementation specification under part 164of this subchapter is at issue, if the Secretarydetermines that the intrusion into privacy iswarranted when balanced against the need tobe served; or

(2) Has as its principal purpose theregulation of the manufacture, registration,distribution, dispensing, or other control ofany controlled substances (as defined in 21U.S.C. 802), or that is deemed a controlledsubstance by State law.

(b) The provision of State law relates to theprivacy of individually identifiable healthinformation and is more stringent than astandard, requirement, or implementationspecification adopted under subpart E of part164 of this subchapter.

(c) The provision of State law, includingState procedures established under such law,as applicable, provides for the reporting ofdisease or injury, child abuse, birth, or death,or for the conduct of public healthsurveillance, investigation, or intervention.

(d) The provision of State law requires ahealth plan to report, or to provide access to,information for the purpose of managementaudits, financial audits, program monitoringand evaluation, or the licensure orcertification of facilities or individuals.

§ 160.204 Process for requestingexception determinations.

(a) A request to except a provision of Statelaw from preemption under § 160.203(a) maybe submitted to the Secretary. A request by aState must be submitted through its chiefelected official, or his or her designee. Therequest must be in writing and include thefollowing information:

(1) The State law for which the exceptionis requested;

(2) The particular standard, requirement,or implementation specification for which theexception is requested;

(3) The part of the standard or otherprovision that will not be implemented basedon the exception or the additional data to becollected based on the exception, asappropriate;

(4) How health care providers, healthplans, and other entities would be affected bythe exception;

(5) The reasons why the State law should

not be preempted by the federal standard,requirement, or implementation specification,including how the State law meets one ormore of the criteria at § 160.203(a); and

(6) Any other information the Secretarymay request in order to make thedetermination.

(b) Requests for exception under this sectionmust be submitted to the Secretary at anaddress that will be published in the Federal

Register. Until the Secretary's determinationis made, the standard, requirement, orimplementation specification under thissubchapter remains in effect.

(c) The Secretary's determination under thissection will be made on the basis of the extentto which the information provided and otherfactors demonstrate that one or more of thecriteria at § 160.203(a) has been met.

§ 160.205 Duration of effectiveness ofexception determinations.An exception granted under this subpartremains in effect until:

(a) Either the State law or the federalstandard, requirement, or implementationspecification that provided the basis for theexception is materially changed such that theground for the exception no longer exists; or

(b) The Secretary revokes the exception,based on a determination that the groundsupporting the need for the exception nolonger exists.

Subpart C - Compliance and Enforcement

§ 160.300 Applicability.This subpart applies to actions by theSecretary, covered entities, and others withrespect to ascertaining the compliance bycovered entities with and the enforcement ofthe applicable requirements of this part 160and the applicable standards, requirements,and implementation specifications of subpartE of part 164 of this subchapter.

§ 160.302 Definitions.As used in this subpart, terms defined in §164.501 of this subchapter have the samemeanings given to them in that section.

§ 160.304 Principles for achievingcompliance.

(a) Cooperation. The Secretary will, to theextent practicable, seek the cooperation ofcovered entities in obtaining compliance withthe applicable requirements of this part 160and the applicable standards, requirements,and implementation specifications of subpartE of part 164 of this subchapter.

(b) Assistance. The Secretary may provide

technical assistance to covered entities to helpthem comply voluntarily with the applicablerequirements of this part 160 or theapplicable standards, requirements, andimplementation specifications of subpart E ofpart 164 of this subchapter.

§ 160.306 Complaints to the Secretary.(a) Right to file a complaint. A person who

believes a covered entity is not complyingwith the applicable requirements of this part160 or the applicable standards, requirements,and implementation specifications of subpartE of part 164 of this subchapter may file acomplaint with the Secretary.

(b) Requirements for filing complaints. Complaints under this section must meet thefollowing requirements:

(1) A complaint must be filed in writing,either on paper or electronically.

(2) A complaint must name the entity thatis the subject of the complaint and describethe acts or omissions believed to be inviolation of the applicable requirements ofthis part 160 or the applicable standards,requirements, and implementationspecifications of subpart E of part 164 of thissubchapter.

(3) A complaint must be filed within 180days of when the complainant knew or shouldhave known that the act or omissioncomplained of occurred, unless this time limitis waived by the Secretary for good causeshown.

(4) The Secretary may prescribe additionalprocedures for the filing of complaints, aswell as the place and manner of filing, bynotice in the Federal Register.(c) Investigation. The Secretary may

investigate complaints filed under thissection. Such investigation may include areview of the pertinent policies, procedures,or practices of the covered entity and of thecircumstances regarding any alleged acts oromissions concerning compliance.

§ 160.308 Compliance reviews.The Secretary may conduct compliancereviews to determine whether covered entitiesare complying with the applicablerequirements of this part 160 and theapplicable standards, requirements, andimplementation specifications of subpart E ofpart 164 of this subchapter.

§ 160.310 Responsibilities of coveredentities.

(a) Provide records and compliancereports. A covered entity must keep suchrecords and submit such compliance reports,in such time and manner and containing such


October 2002

-5-

information, as the Secretary may determineto be necessary to enable the Secretary toascertain whether the covered entity hascomplied or is complying with the applicablerequirements of this part 160 and theapplicable standards, requirements, andimplementation specifications of subpart E ofpart 164 of this subchapter.

(b) Cooperate with complaint investigationsand compliance reviews. A covered entitymust cooperate with the Secretary, if theSecretary undertakes an investigation orcompliance review of the policies,procedures, or practices of a covered entity todetermine whether it is complying with theapplicable requirements of this part 160 andthe standards, requirements, andimplementation specifications of subpart E ofpart 164 of this subchapter.

(c) Permit access to information. (1) A covered entity must permit access by

the Secretary during normal business hours toits facilities, books, records, accounts, andother sources of information, includingprotected health information, that arepertinent to ascertaining compliance with theapplicable requirements of this part 160 andthe applicable standards, requirements, andimplementation specifications of subpart E ofpart 164 of this subchapter. If the Secretarydetermines that exigent circumstances exist,such as when documents may be hidden ordestroyed, a covered entity must permitaccess by the Secretary at any time andwithout notice.

(2) If any information required of acovered entity under this section is in theexclusive possession of any other agency,institution, or person and the other agency,institution, or person fails or refuses tofurnish the information, the covered entitymust so certify and set forth what efforts ithas made to obtain the information.

(3) Protected health information obtainedby the Secretary in connection with aninvestigation or compliance review under thissubpart will not be disclosed by the Secretary,except if necessary for ascertaining orenforcing compliance with the applicablerequirements of this part 160 and theapplicable standards, requirements, andimplementation specifications of subpart E ofpart 164 of this subchapter, or if otherwiserequired by law.

§ 160.312 Secretarial action regardingcomplaints and compliance reviews.

(a) Resolution where noncompliance isindicated.

(1) If an investigation pursuant to §160.306 or a compliance review pursuant to §

160.308 indicates a failure to comply, theSecretary will so inform the covered entityand, if the matter arose from a complaint, thecomplainant, in writing and attempt toresolve the matter by informal meanswhenever possible.

(2) If the Secretary finds the covered entityis not in compliance and determines that thematter cannot be resolved by informal means,the Secretary may issue to the covered entityand, if the matter arose from a complaint, tothe complainant written findingsdocumenting the non-compliance.

(b) Resolution when no violation is found. If, after an investigation or compliancereview, the Secretary determines that furtheraction is not warranted, the Secretary will soinform the covered entity and, if the matterarose from a complaint, the complainant inwriting.

PART 164 – SECURITY AND PRIVACY

Subpart A – General Provisions164.102 Statutory basis.164.104 Applicability.164.106 Relationship to other parts.

Subparts B-D – [Reserved]

Subpart E – Privacy of IndividuallyIdentifiable Health Information164.500 Applicability.164.501 Definitions.164.502 Uses and disclosures of protected

health information: general rules.164.504 Uses and disclosures: organizational

requirements.164.506 Uses and disclosures to carry out

treatment, payment, or health careoperations.

164.508 Uses and disclosures for which anauthorization is required.

164.510 Uses and disclosures requiring anopportunity for the individual toagree or to object.

164.512 Uses and disclosures for which anauthorization or opportunity toagree or object is not required.

164.514 Other requirements relating to usesand disclosures of protected healthinformation.

164.520 Notice of privacy practices forprotected health information.

164.522 Rights to request privacy protectionfor protected health information.

164.524 Access of individuals to protectedhealth information.

164.526 Amendment of protected healthinformation.

164.528 Accounting of disclosures of

protected health information.164.530 Administrative requirements.164.532 Transition requirements. 164.534 Compliance dates for initial

implementation of the privacystandards.

Authority: 42 U.S.C. 1320d-2 and 1320d-4,sec. 264 of Pub. L. No. 104-191, 110 Stat.2033-2034 (42 U.S.C. 1320d-2(note)).

Subpart A--General Provisions

§ 164.102 Statutory basis.The provisions of this part are adoptedpursuant to the Secretary's authority toprescribe standards, requirements, andimplementation specifications under part C oftitle XI of the Act and section 264 of PublicLaw 104-191.

§ 164.104 Applicability.Except as otherwise provided, the provisionsof this part apply to covered entities: healthplans, health care clearinghouses, and healthcare providers who transmit healthinformation in electronic form in connectionwith any transaction referred to in section1173(a)(1) of the Act.

§ 164.106 Relationship to other parts.In complying with the requirements of thispart, covered entities are required to complywith the applicable provisions of parts 160and 162 of this subchapter.

Subpart B-D--[Reserved]

Subpart E - Privacy of IndividuallyIdentifiable Health Information

§ 164.500 Applicability.(a) Except as otherwise provided herein, the

standards, requirements, and implementationspecifications of this subpart apply to coveredentities with respect to protected healthinformation.

(b) Health care clearinghouses must complywith the standards, requirements, andimplementation specifications as follows:

(1) When a health care clearinghousecreates or receives protected healthinformation as a business associate of anothercovered entity, the clearinghouse mustcomply with:

(i) Section 164.500 relating toapplicability;

(ii) Section 164.501 relating todefinitions;

(iii) Section 164.502 relating to uses anddisclosures of protected health information,except that a clearinghouse is prohibited from


October 2002

-6-

using or disclosing protected healthinformation other than as permitted in thebusiness associate contract under which itcreated or received the protected healthinformation;

(iv) Section 164.504 relating to theorganizational requirements for coveredentities, including the designation of healthcare components of a covered entity;

(v) Section 164.512 relating to uses anddisclosures for which individual authorizationor an opportunity to agree or object is notrequired, except that a clearinghouse isprohibited from using or disclosing protectedhealth information other than as permitted inthe business associate contract under which itcreated or received the protected healthinformation;

(vi) Section 164.532 relating to transitionrequirements; and

(vii) Section 164.534 relating tocompliance dates for initial implementationof the privacy standards.

(2) When a health care clearinghousecreates or receives protected healthinformation other than as a business associateof a covered entity, the clearinghouse mustcomply with all of the standards,requirements, and implementationspecifications of this subpart.

(c) The standards, requirements, andimplementation specifications of this subpartdo not apply to the Department of Defense orto any other federal agency, or non-governmental organization acting on itsbehalf, when providing health care tooverseas foreign national beneficiaries.

§ 164.501 Definitions.As used in this subpart, the following termshave the following meanings:

Correctional institution means any penal orcorrectional facility, jail, reformatory,detention center, work farm, halfway house,or residential community program centeroperated by, or under contract to, the UnitedStates, a State, a territory, a politicalsubdivision of a State or territory, or anIndian tribe, for the confinement orrehabilitation of persons charged with orconvicted of a criminal offense or otherpersons held in lawful custody. Otherpersons held in lawful custody includesjuvenile offenders adjudicated delinquent,aliens detained awaiting deportation, personscommitted to mental institutions through thecriminal justice system, witnesses, or othersawaiting charges or trial.

Covered functions means those functions ofa covered entity the performance of whichmakes the entity a health plan, health care

provider, or health care clearinghouse.Data aggregation means, with respect to

protected health information created orreceived by a business associate in itscapacity as the business associate of acovered entity, the combining of suchprotected health information by the businessassociate with the protected healthinformation received by the businessassociate in its capacity as a businessassociate of another covered entity, to permitdata analyses that relate to the health careoperations of the respective covered entities.

Designated record set means: (1) A group of records maintained by or

for a covered entity that is:(i) The medical records and billing

records about individuals maintained by orfor a covered health care provider;

(ii) The enrollment, payment, claimsadjudication, and case or medicalmanagement record systems maintained by orfor a health plan; or

(iii) Used, in whole or in part, by or forthe covered entity to make decisions aboutindividuals.

(2) For purposes of this paragraph, theterm record means any item, collection, orgrouping of information that includesprotected health information and ismaintained, collected, used, or disseminatedby or for a covered entity.

Direct treatment relationship means atreatment relationship between an individualand a health care provider that is not anindirect treatment relationship.

Disclosure means the release, transfer,provision of access to, or divulging in anyother manner of information outside theentity holding the information.

Health care operations means any of thefollowing activities of the covered entity tothe extent that the activities are related tocovered functions:

(1) Conducting quality assessment andimprovement activities, including outcomesevaluation and development of clinicalguidelines, provided that the obtaining ofgeneralizable knowledge is not the primarypurpose of any studies resulting from suchactivities; population-based activities relatingto improving health or reducing health carecosts, protocol development, casemanagement and care coordination,contacting of health care providers andpatients with information about treatmentalternatives; and related functions that do notinclude treatment;

(2) Reviewing the competence orqualifications of health care professionals,evaluating practitioner and provider

performance, health plan performance,conducting training programs in whichstudents, trainees, or practitioners in areas ofhealth care learn under supervision to practiceor improve their skills as health careproviders, training of non-health careprofessionals, accreditation, certification,licensing, or credentialing activities;

(3) Underwriting, premium rating, andother activities relating to the creation,renewal or replacement of a contract of healthinsurance or health benefits, and ceding,securing, or placing a contract for reinsuranceof risk relating to claims for health care(including stop-loss insurance and excess ofloss insurance), provided that therequirements of § 164.514(g) are met, ifapplicable;

(4) Conducting or arranging for medicalreview, legal services, and auditing functions,including fraud and abuse detection andcompliance programs;

(5) Business planning and development,such as conducting cost-management andplanning-related analyses related to managingand operating the entity, including formularydevelopment and administration,development or improvement of methods ofpayment or coverage policies; and

(6) Business management and generaladministrative activities of the entity,including, but not limited to:

(i) Management activities relating toimplementation of and compliance with therequirements of this subchapter;

(ii) Customer service, including theprovision of data analyses for policy holders,plan sponsors, or other customers, providedthat protected health information is notdisclosed to such policy holder, plan sponsor,or customer.

(iii) Resolution of internal grievances;(iv) The sale, transfer, merger, or

consolidation of all or part of the coveredentity with another covered entity, or anentity that following such activity willbecome a covered entity and due diligencerelated to such activity; and

(v) Consistent with the applicablerequirements of § 164.514, creating de-identified health information or a limited dataset, and fundraising for the benefit of thecovered entity.

Health oversight agency means an agencyor authority of the United States, a State, aterritory, a political subdivision of a State orterritory, or an Indian tribe, or a person orentity acting under a grant of authority fromor contract with such public agency,including the employees or agents of suchpublic agency or its contractors or persons or


October 2002

-7-

entities to whom it has granted authority, thatis authorized by law to oversee the health caresystem (whether public or private) orgovernment programs in which healthinformation is necessary to determineeligibility or compliance, or to enforce civilrights laws for which health information isrelevant.

Indirect treatment relationship means arelationship between an individual and ahealth care provider in which:

(1) The health care provider delivershealth care to the individual based on theorders of another health care provider; and

(2) The health care provider typicallyprovides services or products, or reports thediagnosis or results associated with the healthcare, directly to another health care provider,who provides the services or products orreports to the individual.

Individual means the person who is thesubject of protected health information.

Inmate means a person incarcerated in orotherwise confined to a correctionalinstitution.

Law enforcement official means an officeror employee of any agency or authority of theUnited States, a State, a territory, a politicalsubdivision of a State or territory, or anIndian tribe, who is empowered by law to:

(1) Investigate or conduct an officialinquiry into a potential violation of law; or

(2) Prosecute or otherwise conduct acriminal, civil, or administrative proceedingarising from an alleged violation of law.

Marketing means: (1) To make a communication about a

product or service that encourages recipientsof the communication to purchase or use theproduct or service, unless the communicationis made:

(i) To describe a health-related product orservice (or payment for such product orservice) that is provided by, or included in aplan of benefits of, the covered entity makingthe communication, includingcommunications about: the entitiesparticipating in a health care providernetwork or health plan network; replacementof, or enhancements to, a health plan; andhealth-related products or services availableonly to a health plan enrollee that add valueto, but are not part of, a plan of benefits.

(ii) For treatment of the individual; or(iii) For case management or care

coordination for the individual, or to direct orrecommend alternative treatments, therapies,health care providers, or settings of care tothe individual.

(2) An arrangement between a coveredentity and any other entity whereby the

covered entity discloses protected healthinformation to the other entity, in exchangefor direct or indirect remuneration, for theother entity or its affiliate to make acommunication about its own product orservice that encourages recipients of thecommunication to purchase or use thatproduct or service.

Organized health care arrangement means:(1) A clinically integrated care setting in

which individuals typically receive healthcare from more than one health care provider;

(2) An organized system of health care inwhich more than one covered entityparticipates, and in which the participatingcovered entities:

(i) Hold themselves out to the public asparticipating in a joint arrangement; and

(ii) Participate in joint activities thatinclude at least one of the following:

(A) Utilization review, in which healthcare decisions by participating coveredentities are reviewed by other participatingcovered entities or by a third party on theirbehalf;

(B) Quality assessment andimprovement activities, in which treatmentprovided by participating covered entities isassessed by other participating coveredentities or by a third party on their behalf; or

(C) Payment activities, if the financialrisk for delivering health care is shared, inpart or in whole, by participating coveredentities through the joint arrangement and ifprotected health information created orreceived by a covered entity is reviewed byother participating covered entities or by athird party on their behalf for the purpose ofadministering the sharing of financial risk.

(3) A group health plan and a healthinsurance issuer or HMO with respect to suchgroup health plan, but only with respect toprotected health information created orreceived by such health insurance issuer orHMO that relates to individuals who are orwho have been participants or beneficiaries insuch group health plan;

(4) A group health plan and one or moreother group health plans each of which aremaintained by the same plan sponsor; or

(5) The group health plans described inparagraph (4) of this definition and healthinsurance issuers or HMOs with respect tosuch group health plans, but only with respectto protected health information created orreceived by such health insurance issuers orHMOs that relates to individuals who are orhave been participants or beneficiaries in anyof such group health plans.

Payment means:(1) The activities undertaken by:

(i) A health plan to obtain premiums or todetermine or fulfill its responsibility forcoverage and provision of benefits under thehealth plan; or

(ii) A health care provider or health planto obtain or provide reimbursement for theprovision of health care; and

(2) The activities in paragraph (1) of thisdefinition relate to the individual to whomhealth care is provided and include, but arenot limited to:

(i) Determinations of eligibility orcoverage (including coordination of benefitsor the determination of cost sharingamounts), and adjudication or subrogation ofhealth benefit claims;

(ii) Risk adjusting amounts due based onenrollee health status and demographiccharacteristics;

(iii) Billing, claims management,collection activities, obtaining payment undera contract for reinsurance (including stop-lossinsurance and excess of loss insurance), andrelated health care data processing;

(iv) Review of health care services withrespect to medical necessity, coverage under ahealth plan, appropriateness of care, orjustification of charges;

(v) Utilization review activities, includingprecertification and preauthorization ofservices, concurrent and retrospective reviewof services; and

(vi) Disclosure to consumer reportingagencies of any of the following protectedhealth information relating to collection ofpremiums or reimbursement:

(A) Name and address;(B) Date of birth;(C) Social security number;(D) Payment history;(E) Account number; and(F) Name and address of the health care

provider and/or health plan.Plan sponsor is defined as defined at

section 3(16)(B) of ERISA, 29 U.S.C.1002(16)(B).

Protected health information meansindividually identifiable health information:

(1) Except as provided in paragraph (2) ofthis definition, that is:

(i) Transmitted by electronic media; (ii) Maintained in any medium described

in the definition of electronic media at §162.103 of this subchapter; or

(iii) Transmitted or maintained in anyother form or medium.

(2) Protected health information excludesindividually identifiable health informationin:

(i) Education records covered by theFamily Educational Rights and Privacy Act,


October 2002

-8-

as amended, 20 U.S.C. 1232g;(ii) Records described at 20 U.S.C.

1232g(a)(4)(B)(iv); and(iii) Employment records held by a

covered entity in its role as employer.Psychotherapy notes means notes recorded

(in any medium) by a health care providerwho is a mental health professionaldocumenting or analyzing the contents ofconversation during a private counselingsession or a group, joint, or family counselingsession and that are separated from the rest ofthe individual’s medical record. Psychotherapy notes excludes medicationprescription and monitoring, counselingsession start and stop times, the modalitiesand frequencies of treatment furnished,results of clinical tests, and any summary ofthe following items: diagnosis, functionalstatus, the treatment plan, symptoms,prognosis, and progress to date.

Public health authority means an agency orauthority of the United States, a State, aterritory, a political subdivision of a State orterritory, or an Indian tribe, or a person orentity acting under a grant of authority fromor contract with such public agency,including the employees or agents of suchpublic agency or its contractors or persons orentities to whom it has granted authority, thatis responsible for public health matters as partof its official mandate.

Required by law means a mandatecontained in law that compels an entity tomake a use or disclosure of protected healthinformation and that is enforceable in a courtof law. Required by law includes, but is notlimited to, court orders and court-orderedwarrants; subpoenas or summons issued by acourt, grand jury, a governmental or tribalinspector general, or an administrative bodyauthorized to require the production ofinformation; a civil or an authorizedinvestigative demand; Medicare conditions ofparticipation with respect to health careproviders participating in the program; andstatutes or regulations that require theproduction of information, including statutesor regulations that require such information ifpayment is sought under a governmentprogram providing public benefits.

Research means a systematic investigation,including research development, testing, andevaluation, designed to develop or contributeto generalizable knowledge.

Treatment means the provision,coordination, or management of health careand related services by one or more healthcare providers, including the coordination ormanagement of health care by a health careprovider with a third party; consultation

between health care providers relating to apatient; or the referral of a patient for healthcare from one health care provider to another.

Use means, with respect to individuallyidentifiable health information, the sharing,employment, application, utilization,examination, or analysis of such informationwithin an entity that maintains suchinformation.

§ 164.502 Uses and disclosures ofprotected health information: generalrules.

(a) Standard. A covered entity may not useor disclose protected health information,except as permitted or required by thissubpart or by subpart C of part 160 of thissubchapter.

(1) Permitted uses and disclosures. Acovered entity is permitted to use or discloseprotected health information as follows:

(i) To the individual;(ii) For treatment, payment, or health care

operations, as permitted by and in compliancewith § 164.506;

(iii) Incident to a use or disclosureotherwise permitted or required by thissubpart, provided that the covered entity hascomplied with the applicable requirements of§ 164.502(b), § 164.514(d), and § 164.530(c)with respect to such otherwise permitted orrequired use or disclosure;

(iv) Pursuant to and in compliance withan authorization that complies with §164.508;

(v) Pursuant to an agreement under, or asotherwise permitted by, § 164.510; and

(vi) As permitted by and in compliancewith this section, § 164.512, or § 164.514(e),(f), or (g).

(2) Required disclosures. A covered entityis required to disclose protected healthinformation:

(i) To an individual, when requestedunder, and as required by §§ 164.524 or164.528; and

(ii) When required by the Secretary undersubpart C of part 160 of this subchapter toinvestigate or determine the covered entity'scompliance with this subpart.

(b) Standard: minimum necessary. (1) Minimum necessary applies. When

using or disclosing protected healthinformation or when requesting protectedhealth information from another coveredentity, a covered entity must make reasonableefforts to limit protected health information tothe minimum necessary to accomplish theintended purpose of the use, disclosure, orrequest.

(2) Minimum necessary does not apply.

This requirement does not apply to:(i) Disclosures to or requests by a health

care provider for treatment;(ii) Uses or disclosures made to the

individual, as permitted under paragraph(a)(1)(i) of this section or as required byparagraph (a)(2)(i) of this section;

(iii) Uses or disclosures made pursuantto an authorization under § 164.508;

(iv) Disclosures made to the Secretary inaccordance with subpart C of part 160 of thissubchapter;

(v) Uses or disclosures that are requiredby law, as described by § 164.512(a); and

(vi) Uses or disclosures that are requiredfor compliance with applicable requirementsof this subchapter.

(c) Standard: uses and disclosures ofprotected health information subject to anagreed upon restriction. A covered entitythat has agreed to a restriction pursuant to §164.522(a)(1) may not use or disclose theprotected health information covered by therestriction in violation of such restriction,except as otherwise provided in § 164.522(a).

(d) Standard: uses and disclosures of de-identified protected health information.

(1) Uses and disclosures to create de-identified information. A covered entity mayuse protected health information to createinformation that is not individuallyidentifiable health information or discloseprotected health information only to abusiness associate for such purpose, whetheror not the de-identified information is to beused by the covered entity.

(2) Uses and disclosures of de-identifiedinformation. Health information that meetsthe standard and implementationspecifications for de-identification under §164.514(a) and (b) is considered not to beindividually identifiable health information,i.e., de-identified. The requirements of thissubpart do not apply to information that hasbeen de-identified in accordance with theapplicable requirements of § 164.514,provided that:

(i) Disclosure of a code or other means ofrecord identification designed to enable codedor otherwise de-identified information to bere-identified constitutes disclosure ofprotected health information; and

(ii) If de-identified information is re-identified, a covered entity may use ordisclose such re-identified information onlyas permitted or required by this subpart.

(e)(1) Standard: disclosures to businessassociates.

(i) A covered entity may discloseprotected health information to a businessassociate and may allow a business associate


October 2002

-9-

to create or receive protected healthinformation on its behalf, if the covered entityobtains satisfactory assurance that thebusiness associate will appropriatelysafeguard the information.

(ii) This standard does not apply:(A) With respect to disclosures by a

covered entity to a health care providerconcerning the treatment of the individual;

(B) With respect to disclosures by agroup health plan or a health insurance issueror HMO with respect to a group health planto the plan sponsor, to the extent that therequirements of § 164.504(f) apply and aremet; or

(C) With respect to uses or disclosuresby a health plan that is a government programproviding public benefits, if eligibility for, orenrollment in, the health plan is determinedby an agency other than the agencyadministering the health plan, or if theprotected health information used todetermine enrollment or eligibility in thehealth plan is collected by an agency otherthan the agency administering the health plan,and such activity is authorized by law, withrespect to the collection and sharing ofindividually identifiable health informationfor the performance of such functions by thehealth plan and the agency other than theagency administering the health plan.

(iii) A covered entity that violates thesatisfactory assurances it provided as abusiness associate of another covered entitywill be in noncompliance with the standards,implementation specifications, andrequirements of this paragraph and §164.504(e).

(2) Implementation specification:documentation. A covered entity mustdocument the satisfactory assurances requiredby paragraph (e)(1) of this section through awritten contract or other written agreement orarrangement with the business associate thatmeets the applicable requirements of §164.504(e).

(f) Standard: deceased individuals. Acovered entity must comply with therequirements of this subpart with respect tothe protected health information of adeceased individual.

(g)(1) Standard: personal representatives. As specified in this paragraph, a coveredentity must, except as provided in paragraphs(g)(3) and (g)(5) of this section, treat apersonal representative as the individual forpurposes of this subchapter.

(2) Implementation specification: adultsand emancipated minors. If under applicablelaw a person has authority to act on behalf ofan individual who is an adult or an

emancipated minor in making decisionsrelated to health care, a covered entity musttreat such person as a personal representativeunder this subchapter, with respect toprotected health information relevant to suchpersonal representation.

(3) Implementation specification:unemancipated minors.

(i) If under applicable law a parent,guardian, or other person acting in locoparentis has authority to act on behalf of anindividual who is an unemancipated minor inmaking decisions related to health care, acovered entity must treat such person as apersonal representative under this subchapter,with respect to protected health informationrelevant to such personal representation,except that such person may not be a personalrepresentative of an unemancipated minor,and the minor has the authority to act as anindividual, with respect to protected healthinformation pertaining to a health careservice, if:

(A) The minor consents to such healthcare service; no other consent to such healthcare service is required by law, regardless ofwhether the consent of another person hasalso been obtained; and the minor has notrequested that such person be treated as thepersonal representative;

(B) The minor may lawfully obtain suchhealth care service without the consent of aparent, guardian, or other person acting inloco parentis, and the minor, a court, oranother person authorized by law consents tosuch health care service; or

(C) A parent, guardian, or other personacting in loco parentis assents to anagreement of confidentiality between acovered health care provider and the minorwith respect to such health care service.

(ii) Notwithstanding the provisions ofparagraph (g)(3)(i) of this section:

(A) If, and to the extent, permitted orrequired by an applicable provision of Stateor other law, including applicable case law, acovered entity may disclose, or provideaccess in accordance with § 164.524 to,protected health information about anunemancipated minor to a parent, guardian,or other person acting in loco parentis;

(B) If, and to the extent, prohibited byan applicable provision of State or other law,including applicable case law, a coveredentity may not disclose, or provide access inaccordance with § 164.524 to, protectedhealth information about an unemancipatedminor to a parent, guardian, or other personacting in loco parentis; and

(C) Where the parent, guardian, or otherperson acting in loco parentis, is not the

personal representative under paragraph(g)(3)(i)(A), (B), or (C) of this section andwhere there is no applicable access provisionunder State or other law, including case law, acovered entity may provide or deny accessunder § 164.524 to a parent, guardian, orother person acting in loco parentis, if suchaction is consistent with State or otherapplicable law, provided that such decisionmust be made by a licensed health careprofessional, in the exercise of professionaljudgment.

(4) Implementation specification:deceased individuals. If under applicable lawan executor, administrator, or other personhas authority to act on behalf of a deceasedindividual or of the individual's estate, acovered entity must treat such person as apersonal representative under this subchapter,with respect to protected health informationrelevant to such personal representation.

(5) Implementation specification: abuse,neglect, endangerment situations.Notwithstanding a State law or anyrequirement of this paragraph to the contrary,a covered entity may elect not to treat aperson as the personal representative of anindividual if:

(i) The covered entity has a reasonablebelief that:

(A) The individual has been or may besubjected to domestic violence, abuse, orneglect by such person; or

(B) Treating such person as the personalrepresentative could endanger the individual; and

(ii) The covered entity, in the exercise ofprofessional judgment, decides that it is notin the best interest of the individual to treatthe person as the individual’s personalrepresentative.

(h) Standard: confidential communications. A covered health care provider or health planmust comply with the applicablerequirements of § 164.522(b) incommunicating protected health information.

(i) Standard: uses and disclosuresconsistent with notice. A covered entity thatis required by § 164.520 to have a notice maynot use or disclose protected healthinformation in a manner inconsistent withsuch notice. A covered entity that is requiredby § 164.520(b)(1)(iii) to include a specificstatement in its notice if it intends to engagein an activity listed in §164.520(b)(1)(iii)(A)-(C), may not use ordisclose protected health information for suchactivities, unless the required statement isincluded in the notice.

(j) Standard: disclosures by whistleblowersand workforce member crime victims.


October 2002

-10-

(1) Disclosures by whistleblowers. Acovered entity is not considered to haveviolated the requirements of this subpart if amember of its workforce or a businessassociate discloses protected healthinformation, provided that:

(i) The workforce member or businessassociate believes in good faith that thecovered entity has engaged in conduct that isunlawful or otherwise violates professional orclinical standards, or that the care, services,or conditions provided by the covered entitypotentially endangers one or more patients,workers, or the public; and

(ii) The disclosure is to:(A) A health oversight agency or public

health authority authorized by law toinvestigate or otherwise oversee the relevantconduct or conditions of the covered entity orto an appropriate health care accreditationorganization for the purpose of reporting theallegation of failure to meet professionalstandards or misconduct by the coveredentity; or

(B) An attorney retained by or on behalfof the workforce member or businessassociate for the purpose of determining thelegal options of the workforce member orbusiness associate with regard to the conductdescribed in paragraph (j)(1)(i) of thissection.

(2) Disclosures by workforce memberswho are victims of a crime. A covered entityis not considered to have violated therequirements of this subpart if a member ofits workforce who is the victim of a criminalact discloses protected health information to alaw enforcement official, provided that:

(i) The protected health informationdisclosed is about the suspected perpetrator ofthe criminal act; and

(ii) The protected health informationdisclosed is limited to the information listedin § 164.512(f)(2)(i).

§ 164.504 Uses and disclosures: organizational requirements.

(a) Definitions. As used in this section: Common control exists if an entity has the

power, directly or indirectly, significantly toinfluence or direct the actions or policies ofanother entity.

Common ownership exists if an entity orentities possess an ownership or equityinterest of 5 percent or more in another entity.

Health care component means a componentor combination of components of a hybridentity designated by the hybrid entity inaccordance with paragraph (c)(3)(iii) of thissection.

Hybrid entity means a single legal entity:

(1) That is a covered entity;(2) Whose business activities include both

covered and non-covered functions; and (3) That designates health care components

in accordance with paragraph (c)(3)(iii) ofthis section.

Plan administration functions meansadministration functions performed by theplan sponsor of a group health plan on behalfof the group health plan and excludesfunctions performed by the plan sponsor inconnection with any other benefit or benefitplan of the plan sponsor.

Summary health information meansinformation, that may be individuallyidentifiable health information, and:

(1) That summarizes the claims history,claims expenses, or type of claimsexperienced by individuals for whom a plansponsor has provided health benefits under agroup health plan; and

(2) From which the information describedat § 164.514(b)(2)(i) has been deleted, exceptthat the geographic information described in§ 164.514(b)(2)(i)(B) need only beaggregated to the level of a five digit zipcode.

(b) Standard: health care component. If acovered entity is a hybrid entity, therequirements of this subpart, other than therequirements of this section, apply only to thehealth care component(s) of the entity, asspecified in this section.

(c)(1) Implementation specification:application of other provisions. In applyinga provision of this subpart, other than thissection, to a hybrid entity:

(i) A reference in such provision to a“covered entity” refers to a health carecomponent of the covered entity;

(ii) A reference in such provision to a“health plan,” “covered health care provider,”or “health care clearinghouse” refers to ahealth care component of the covered entity ifsuch health care component performs thefunctions of a health plan, health careprovider, or health care clearinghouse, asapplicable; and

(iii) A reference in such provision to“protected health information” refers toprotected health information that is created orreceived by or on behalf of the health carecomponent of the covered entity.

(2) Implementation specifications:safeguard requirements. The covered entitythat is a hybrid entity must ensure that ahealth care component of the entity complieswith the applicable requirements of thissubpart. In particular, and without limitingthis requirement, such covered entity mustensure that:

(i) Its health care component does notdisclose protected health information toanother component of the covered entity incircumstances in which this subpart wouldprohibit such disclosure if the health carecomponent and the other component wereseparate and distinct legal entities;

(ii) A component that is described byparagraph (c)(3)(iii)(B) of this section doesnot use or disclose protected healthinformation that it creates or receives from oron behalf of the health care component in away prohibited by this subpart; and

(iii) If a person performs duties for boththe health care component in the capacity of amember of the workforce of such componentand for another component of the entity in thesame capacity with respect to thatcomponent, such workforce member must notuse or disclose protected health informationcreated or received in the course of orincident to the member’s work for the healthcare component in a way prohibited by thissubpart.

(3) Implementation specifications:responsibilities of the covered entity. Acovered entity that is a hybrid entity has thefollowing responsibilities:

(i) For purposes of subpart C of part 160of this subchapter, pertaining to complianceand enforcement, the covered entity has theresponsibility to comply with this subpart.

(ii) The covered entity has theresponsibility for complying with §164.530(i), pertaining to the implementationof policies and procedures to ensurecompliance with this subpart, including thesafeguard requirements in paragraph (c)(2) ofthis section.

(iii) The covered entity is responsible fordesignating the components that are part ofone or more health care components of thecovered entity and documenting thedesignation as required by § 164.530(j),provided that, if the covered entity designatesa health care component or components, itmust include any component that would meetthe definition of covered entity if it were aseparate legal entity. Health carecomponent(s) also may include a componentonly to the extent that it performs:

(A) Covered functions; or(B) Activities that would make such

component a business associate of acomponent that performs covered functions ifthe two components were separate legalentities.

(d)(1) Standard: affiliated covered entities. Legally separate covered entities that areaffiliated may designate themselves as asingle covered entity for purposes of this


October 2002

-11-

subpart.(2) Implementation specifications:

requirements for designation of an affiliatedcovered entity.

(i) Legally separate covered entities maydesignate themselves (including any healthcare component of such covered entity) as asingle affiliated covered entity, for purposesof this subpart, if all of the covered entitiesdesignated are under common ownership orcontrol.

(ii) The designation of an affiliatedcovered entity must be documented and thedocumentation maintained as required by §164.530(j).

(3) Implementation specifications:safeguard requirements. An affiliatedcovered entity must ensure that:

(i) The affiliated covered entity’s use anddisclosure of protected health informationcomply with the applicable requirements ofthis subpart; and

(ii) If the affiliated covered entitycombines the functions of a health plan,health care provider, or health careclearinghouse, the affiliated covered entitycomplies with paragraph (g) of this section.

(e)(1) Standard: business associatecontracts.

(i) The contract or other arrangementbetween the covered entity and the businessassociate required by § 164.502(e)(2) mustmeet the requirements of paragraph (e)(2) or(e)(3) of this section, as applicable.

(ii) A covered entity is not in compliancewith the standards in § 164.502(e) andparagraph (e) of this section, if the coveredentity knew of a pattern of activity or practiceof the business associate that constituted amaterial breach or violation of the businessassociate’s obligation under the contract orother arrangement, unless the covered entitytook reasonable steps to cure the breach orend the violation, as applicable, and, if suchsteps were unsuccessful:

(A) Terminated the contract orarrangement, if feasible; or

(B) If termination is not feasible,reported the problem to the Secretary.

(2) Implementation specifications:business associate contracts. A contractbetween the covered entity and a businessassociate must:

(i) Establish the permitted and requireduses and disclosures of such information bythe business associate. The contract may notauthorize the business associate to use orfurther disclose the information in a mannerthat would violate the requirements of thissubpart, if done by the covered entity, exceptthat:

(A) The contract may permit thebusiness associate to use and discloseprotected health information for the propermanagement and administration of thebusiness associate, as provided in paragraph(e)(4) of this section; and

(B) The contract may permit thebusiness associate to provide data aggregationservices relating to the health care operationsof the covered entity.

(ii) Provide that the business associatewill:

(A) Not use or further disclose theinformation other than as permitted orrequired by the contract or as required by law;

(B) Use appropriate safeguards toprevent use or disclosure of the informationother than as provided for by its contract;

(C) Report to the covered entity any useor disclosure of the information not providedfor by its contract of which it becomes aware;

(D) Ensure that any agents, including asubcontractor, to whom it provides protectedhealth information received from, or createdor received by the business associate onbehalf of, the covered entity agrees to thesame restrictions and conditions that apply tothe business associate with respect to suchinformation;

(E) Make available protected healthinformation in accordance with § 164.524;

(F) Make available protected healthinformation for amendment and incorporateany amendments to protected healthinformation in accordance with §164.526;

(G) Make available the informationrequired to provide an accounting ofdisclosures in accordance with § 164.528;

(H) Make its internal practices, books,and records relating to the use and disclosureof protected health information receivedfrom, or created or received by the businessassociate on behalf of, the covered entityavailable to the Secretary for purposes ofdetermining the covered entity's compliancewith this subpart; and

(I) At termination of the contract, iffeasible, return or destroy all protected healthinformation received from, or created orreceived by the business associate on behalfof, the covered entity that the businessassociate still maintains in any form andretain no copies of such information or, ifsuch return or destruction is not feasible,extend the protections of the contract to theinformation and limit further uses anddisclosures to those purposes that make thereturn or destruction of the informationinfeasible.

(iii) Authorize termination of the contractby the covered entity, if the covered entity

determines that the business associate hasviolated a material term of the contract.

(3) Implementation specifications: otherarrangements.

(i) If a covered entity and its businessassociate are both governmental entities:

(A) The covered entity may complywith paragraph (e) of this section by enteringinto a memorandum of understanding withthe business associate that contains terms thataccomplish the objectives of paragraph (e)(2)of this section.

(B) The covered entity may comply withparagraph (e) of this section, if other law(including regulations adopted by the coveredentity or its business associate) containsrequirements applicable to the businessassociate that accomplish the objectives ofparagraph (e)(2) of this section.

(ii) If a business associate is required bylaw to perform a function or activity onbehalf of a covered entity or to provide aservice described in the definition of businessassociate in § 160.103 of this subchapter to acovered entity, such covered entity maydisclose protected health information to thebusiness associate to the extent necessary tocomply with the legal mandate withoutmeeting the requirements of this paragraph(e), provided that the covered entity attemptsin good faith to obtain satisfactory assurancesas required by paragraph (e)(3)(i) of thissection, and, if such attempt fails, documentsthe attempt and the reasons that suchassurances cannot be obtained.

(iii) The covered entity may omit from itsother arrangements the terminationauthorization required by paragraph (e)(2)(iii)of this section, if such authorization isinconsistent with the statutory obligations ofthe covered entity or its business associate.

(4) Implementation specifications: otherrequirements for contracts and otherarrangements.

(i) The contract or other arrangementbetween the covered entity and the businessassociate may permit the business associate touse the information received by the businessassociate in its capacity as a businessassociate to the covered entity, if necessary:

(A) For the proper management andadministration of the business associate; or

(B) To carry out the legalresponsibilities of the business associate.

(ii) The contract or other arrangementbetween the covered entity and the businessassociate may permit the business associate todisclose the information received by thebusiness associate in its capacity as abusiness associate for the purposes describedin paragraph (e)(4)(i) of this section, if:


October 2002

-12-

(A) The disclosure is required by law; or(B)(1) The business associate obtains

reasonable assurances from the person towhom the information is disclosed that it willbe held confidentially and used or furtherdisclosed only as required by law or for thepurpose for which it was disclosed to theperson; and

(2) The person notifies the businessassociate of any instances of which it is awarein which the confidentiality of theinformation has been breached.

(f)(1) Standard: Requirements for grouphealth plans.

(i) Except as provided under paragraph(f)(1)(ii) or (iii) of this section or as otherwiseauthorized under § 164.508, a group healthplan, in order to disclose protected healthinformation to the plan sponsor or to providefor or permit the disclosure of protectedhealth information to the plan sponsor by ahealth insurance issuer or HMO with respectto the group health plan, must ensure that theplan documents restrict uses and disclosuresof such information by the plan sponsorconsistent with the requirements of thissubpart.

(ii) The group health plan, or a healthinsurance issuer or HMO with respect to thegroup health plan, may disclose summaryhealth information to the plan sponsor, if theplan sponsor requests the summary healthinformation for the purpose of :

(A) Obtaining premium bids fromhealth plans for providing health insurancecoverage under the group health plan; or

(B) Modifying, amending, orterminating the group health plan.

(iii) The group health plan, or a healthinsurance issuer or HMO with respect to thegroup health plan, may disclose to the plansponsor information on whether theindividual is participating in the group healthplan, or is enrolled in or has disenrolled froma health insurance issuer or HMO offered bythe plan.

(2) Implementation specifications:requirements for plan documents. The plandocuments of the group health plan must beamended to incorporate provisions to:

(i) Establish the permitted and requireduses and disclosures of such information bythe plan sponsor, provided that suchpermitted and required uses and disclosuresmay not be inconsistent with this subpart.

(ii) Provide that the group health planwill disclose protected health information tothe plan sponsor only upon receipt of acertification by the plan sponsor that the plandocuments have been amended to incorporatethe following provisions and that the plan

sponsor agrees to:(A) Not use or further disclose the

information other than as permitted orrequired by the plan documents or as requiredby law;

(B) Ensure that any agents, including asubcontractor, to whom it provides protectedhealth information received from the grouphealth plan agree to the same restrictions andconditions that apply to the plan sponsor withrespect to such information;

(C) Not use or disclose the informationfor employment-related actions and decisionsor in connection with any other benefit oremployee benefit plan of the plan sponsor;

(D) Report to the group health plan anyuse or disclosure of the information that isinconsistent with the uses or disclosuresprovided for of which it becomes aware;

(E) Make available protected healthinformation in accordance with § 164.524;

(F) Make available protected healthinformation for amendment and incorporateany amendments to protected healthinformation in accordance with §164.526;

(G) Make available the informationrequired to provide an accounting ofdisclosures in accordance with § 164.528;

(H) Make its internal practices, books,and records relating to the use and disclosureof protected health information received fromthe group health plan available to theSecretary for purposes of determiningcompliance by the group health plan with thissubpart;

(I) If feasible, return or destroy allprotected health information received fromthe group health plan that the sponsor stillmaintains in any form and retain no copies ofsuch information when no longer needed forthe purpose for which disclosure was made,except that, if such return or destruction is notfeasible, limit further uses and disclosures tothose purposes that make the return ordestruction of the information infeasible; and

(J) Ensure that the adequate separationrequired in paragraph (f)(2)(iii) of this sectionis established.

(iii) Provide for adequate separationbetween the group health plan and the plansponsor. The plan documents must:

(A) Describe those employees orclasses of employees or other persons underthe control of the plan sponsor to be givenaccess to the protected health information tobe disclosed, provided that any employee orperson who receives protected healthinformation relating to payment under, healthcare operations of, or other matters pertainingto the group health plan in the ordinarycourse of business must be included in such

description;(B) Restrict the access to and use by

such employees and other persons describedin paragraph (f)(2)(iii)(A) of this section tothe plan administration functions that theplan sponsor performs for the group healthplan; and

(C) Provide an effective mechanism forresolving any issues of noncompliance bypersons described in paragraph (f)(2)(iii)(A)of this section with the plan documentprovisions required by this paragraph.

(3) Implementation specifications: usesand disclosures. A group health plan may:

(i) Disclose protected health informationto a plan sponsor to carry out planadministration functions that the plan sponsorperforms only consistent with the provisionsof paragraph (f)(2) of this section;

(ii) Not permit a health insurance issueror HMO with respect to the group health planto disclose protected health information to theplan sponsor except as permitted by thisparagraph;

(iii) Not disclose and may not permit ahealth insurance issuer or HMO to discloseprotected health information to a plan sponsoras otherwise permitted by this paragraphunless a statement required by §164.520(b)(1)(iii)(C) is included in theappropriate notice; and

(iv) Not disclose protected healthinformation to the plan sponsor for thepurpose of employment-related actions ordecisions or in connection with any otherbenefit or employee benefit plan of the plansponsor.

(g) Standard: requirements for a coveredentity with multiple covered functions.

(1) A covered entity that performs multiplecovered functions that would make the entityany combination of a health plan, a coveredhealth care provider, and a health careclearinghouse, must comply with thestandards, requirements, and implementationspecifications of this subpart, as applicable tothe health plan, health care provider, or healthcare clearinghouse covered functionsperformed.

(2) A covered entity that performs multiplecovered functions may use or disclose theprotected health information of individualswho receive the covered entity’s health planor health care provider services, but not both,only for purposes related to the appropriatefunction being performed.

§ 164.506 Uses and disclosures to carryout treatment, payment, or health careoperations.

(a) Standard: Permitted uses and


October 2002

-13-

disclosures. Except with respect to uses ordisclosures that require an authorizationunder § 164.508(a)(2) and (3), a coveredentity may use or disclose protected healthinformation for treatment, payment, or healthcare operations as set forth in paragraph (c) ofthis section, provided that such use ordisclosure is consistent with other applicablerequirements of this subpart.

(b) Standard: Consent for uses anddisclosures permitted.

(1) A covered entity may obtain consentof the individual to use or disclose protectedhealth information to carry out treatment,payment, or health care operations.

(2) Consent, under paragraph (b) of thissection, shall not be effective to permit a useor disclosure of protected health informationwhen an authorization, under § 164.508, isrequired or when another condition must bemet for such use or disclosure to bepermissible under this subpart.

(c) Implementation specifications:Treatment, payment, or health careoperations.

(1) A covered entity may use or discloseprotected health information for its owntreatment, payment, or health care operations.

(2) A covered entity may discloseprotected health information for treatmentactivities of a health care provider.

(3) A covered entity may discloseprotected health information to anothercovered entity or a health care provider forthe payment activities of the entity thatreceives the information.

(4) A covered entity may discloseprotected health information to anothercovered entity for health care operationsactivities of the entity that receives theinformation, if each entity either has or had arelationship with the individual who is thesubject of the protected health informationbeing requested, the protected healthinformation pertains to such relationship, andthe disclosure is:

(i) For a purpose listed in paragraph (1)or (2) of the definition of health careoperations; or

(ii) For the purpose of health care fraudand abuse detection or compliance.

(5) A covered entity that participates in anorganized health care arrangement maydisclose protected health information aboutan individual to another covered entity thatparticipates in the organized health carearrangement for any health care operationsactivities of the organized health carearrangement.

§ 164.508 Uses and disclosures for which

an authorization is required.(a) Standard: authorizations for uses and

disclosures. (1) Authorization required: general rule.

Except as otherwise permitted or required bythis subchapter, a covered entity may not useor disclose protected health informationwithout an authorization that is valid underthis section. When a covered entity obtainsor receives a valid authorization for its use ordisclosure of protected health information,such use or disclosure must be consistentwith such authorization.

(2) Authorization required: psychotherapynotes. Notwithstanding any provision of thissubpart, other than the transition provisionsin § 164.532, a covered entity must obtain anauthorization for any use or disclosure ofpsychotherapy notes, except:

(i) To carry out the following treatment,payment, or health care operations:

(A) Use by the originator of thepsychotherapy notes for treatment;

(B) Use or disclosure by the coveredentity for its own training programs in whichstudents, trainees, or practitioners in mentalhealth learn under supervision to practice orimprove their skills in group, joint, family, orindividual counseling; or

(C) Use or disclosure by the coveredentity to defend itself in a legal action orother proceeding brought by the individual;and

(ii) A use or disclosure that is required by§ 164.502(a)(2)(ii) or permitted by §164.512(a); § 164.512(d) with respect to theoversight of the originator of thepsychotherapy notes; § 164.512(g)(1); or §164.512(j)(1)(i).

(3) Authorization required: Marketing. (i) Notwithstanding any provision of

this subpart, other than the transitionprovisions in § 164.532, a covered entitymust obtain an authorization for any use ordisclosure of protected health information formarketing, except if the communication is inthe form of:

(A) A face-to-face communicationmade by a covered entity to an individual; or

(B) A promotional gift of nominal valueprovided by the covered entity.

(ii) If the marketing involves direct orindirect remuneration to the covered entityfrom a third party, the authorization muststate that such remuneration is involved.

(b) Implementation specifications: generalrequirements.

(1) Valid authorizations. (i) A valid authorization is a document

that meets the requirements in paragraphs(a)(3)(ii), (c)(1), and (c)(2) of this section, as

applicable.(ii) A valid authorization may contain

elements or information in addition to theelements required by this section, providedthat such additional elements or informationare not inconsistent with the elementsrequired by this section.

(2) Defective authorizations. Anauthorization is not valid, if the documentsubmitted has any of the following defects:

(i) The expiration date has passed or theexpiration event is known by the coveredentity to have occurred;

(ii) The authorization has not been filledout completely, with respect to an elementdescribed by paragraph (c) of this section, ifapplicable;

(iii) The authorization is known by thecovered entity to have been revoked;

(iv) The authorization violates paragraph(b)(3) or (4) of this section, if applicable;

(v) Any material information in theauthorization is known by the covered entityto be false.

(3) Compound authorizations. Anauthorization for use or disclosure ofprotected health information may not becombined with any other document to createa compound authorization, except as follows:

(i) An authorization for the use ordisclosure of protected health information fora research study may be combined with anyother type of written permission for the sameresearch study, including anotherauthorization for the use or disclosure ofprotected health information for such researchor a consent to participate in such research;

(ii) An authorization for a use ordisclosure of psychotherapy notes may onlybe combined with another authorization for ause or disclosure of psychotherapy notes;

(iii) An authorization under this section,other than an authorization for a use ordisclosure of psychotherapy notes, may becombined with any other such authorizationunder this section, except when a coveredentity has conditioned the provision oftreatment, payment, enrollment in the healthplan, or eligibility for benefits underparagraph (b)(4) of this section on theprovision of one of the authorizations.

(4) Prohibition on conditioning ofauthorizations. A covered entity may notcondition the provision to an individual oftreatment, payment, enrollment in the healthplan, or eligibility for benefits on theprovision of an authorization, except:

(i) A covered health care provider maycondition the provision of research-relatedtreatment on provision of an authorization forthe use or disclosure of protected health


October 2002

-14-

information for such research under thissection;

(ii) A health plan may conditionenrollment in the health plan or eligibility forbenefits on provision of an authorizationrequested by the health plan prior to anindividual's enrollment in the health plan, if:

(A) The authorization sought is for thehealth plan’s eligibility or enrollmentdeterminations relating to the individual orfor its underwriting or risk ratingdeterminations; and

(B) The authorization is not for a use ordisclosure of psychotherapy notes underparagraph (a)(2) of this section; and

(iii) A covered entity may condition theprovision of health care that is solely for thepurpose of creating protected healthinformation for disclosure to a third party onprovision of an authorization for thedisclosure of the protected health informationto such third party.

(5) Revocation of authorizations. Anindividual may revoke an authorizationprovided under this section at any time,provided that the revocation is in writing,except to the extent that:

(i) The covered entity has taken action inreliance thereon; or

(ii) If the authorization was obtained as acondition of obtaining insurance coverage,other law provides the insurer with the rightto contest a claim under the policy or thepolicy itself.

(6) Documentation. A covered entity mustdocument and retain any signed authorizationunder this section as required by §164.530(j).

(c) Implementation specifications: Coreelements and requirements.

(1) Core elements. A valid authorizationunder this section must contain at least thefollowing elements:

(i) A description of the information to beused or disclosed that identifies theinformation in a specific and meaningfulfashion.

(ii) The name or other specificidentification of the person(s), or class ofpersons, authorized to make the requested useor disclosure.

(iii) The name or other specificidentification of the person(s), or class ofpersons, to whom the covered entity maymake the requested use or disclosure.

(iv) A description of each purpose of therequested use or disclosure. The statement“at the request of the individual” is asufficient description of the purpose when anindividual initiates the authorization and doesnot, or elects not to, provide a statement of

the purpose.(v) An expiration date or an expiration

event that relates to the individual or thepurpose of the use or disclosure. Thestatement “end of the research study,”“none,” or similar language is sufficient if theauthorization is for a use or disclosure ofprotected health information for research,including for the creation and maintenance ofa research database or research repository.

(vi) Signature of the individual and date. If the authorization is signed by a personalrepresentative of the individual, a descriptionof such representative’s authority to act forthe individual must also be provided.

(2) Required statements. In addition to thecore elements, the authorization must containstatements adequate to place the individualon notice of all of the following:

(i) The individual’s right to revoke theauthorization in writing, and either:

(A) The exceptions to the right torevoke and a description of how theindividual may revoke the authorization; or

(B) To the extent that the information inparagraph (c)(2)(i)(A) of this section isincluded in the notice required by § 164.520,a reference to the covered entity’s notice.

(ii) The ability or inability to conditiontreatment, payment, enrollment or eligibilityfor benefits on the authorization, by statingeither:

(A) The covered entity may notcondition treatment, payment, enrollment oreligibility for benefits on whether theindividual signs the authorization when theprohibition on conditioning of authorizationsin paragraph (b)(4) of this section applies; or

(B) The consequences to the individualof a refusal to sign the authorization when, inaccordance with paragraph (b)(4) of thissection, the covered entity can conditiontreatment, enrollment in the health plan, oreligibility for benefits on failure to obtainsuch authorization.

(iii) The potential for informationdisclosed pursuant to the authorization to besubject to redisclosure by the recipient and nolonger be protected by this subpart.

(3) Plain language requirement. Theauthorization must be written in plainlanguage.

(4) Copy to the individual. If a coveredentity seeks an authorization from anindividual for a use or disclosure of protectedhealth information, the covered entity mustprovide the individual with a copy of thesigned authorization.

§ 164.510 Uses and disclosures requiringan opportunity for the individual to agree

or to object.A covered entity may use or discloseprotected health information, provided thatthe individual is informed in advance of theuse or disclosure and has the opportunity toagree to or prohibit or restrict the use ordisclosure, in accordance with the applicablerequirements of this section. The coveredentity may orally inform the individual of andobtain the individual’s oral agreement orobjection to a use or disclosure permitted bythis section.

(a) Standard: use and disclosure for facilitydirectories.

(1) Permitted uses and disclosure. Exceptwhen an objection is expressed in accordancewith paragraphs (a)(2) or (3) of this section, acovered health care provider may:

(i) Use the following protected healthinformation to maintain a directory ofindividuals in its facility:

(A) The individual’s name;(B) The individual’s location in the

covered health care provider’s facility;(C) The individual’s condition

described in general terms that does notcommunicate specific medical informationabout the individual; and

(D) The individual’s religiousaffiliation; and

(ii) Disclose for directory purposes suchinformation:

(A) To members of the clergy; or(B) Except for religious affiliation, to

other persons who ask for the individual byname.

(2) Opportunity to object. A coveredhealth care provider must inform anindividual of the protected health informationthat it may include in a directory and thepersons to whom it may disclose suchinformation (including disclosures to clergyof information regarding religious affiliation)and provide the individual with theopportunity to restrict or prohibit some or allof the uses or disclosures permitted byparagraph (a)(1) of this section.

(3) Emergency circumstances.(i) If the opportunity to object to uses or

disclosures required by paragraph (a)(2) ofthis section cannot practicably be providedbecause of the individual’s incapacity or anemergency treatment circumstance, a coveredhealth care provider may use or disclose someor all of the protected health informationpermitted by paragraph (a)(1) of this sectionfor the facility’s directory, if such disclosureis:

(A) Consistent with a prior expressedpreference of the individual, if any, that isknown to the covered health care provider;


October 2002

-15-

and(B) In the individual’s best interest as

determined by the covered health careprovider, in the exercise of professionaljudgment.

(ii) The covered health care providermust inform the individual and provide anopportunity to object to uses or disclosuresfor directory purposes as required byparagraph (a)(2) of this section when itbecomes practicable to do so.

(b) Standard: uses and disclosures forinvolvement in the individual’s care andnotification purposes.

(1) Permitted uses and disclosures. (i) A covered entity may, in accordance

with paragraphs (b)(2) or (3) of this section,disclose to a family member, other relative, ora close personal friend of the individual, orany other person identified by the individual,the protected health information directlyrelevant to such person’s involvement withthe individual’s care or payment related to theindividual’s health care.

(ii) A covered entity may use or discloseprotected health information to notify, orassist in the notification of (includingidentifying or locating), a family member, apersonal representative of the individual, oranother person responsible for the care of theindividual of the individual’s location,general condition, or death. Any such use ordisclosure of protected health information forsuch notification purposes must be inaccordance with paragraphs (b)(2), (3), or (4)of this section, as applicable.

(2) Uses and disclosures with theindividual present. If the individual ispresent for, or otherwise available prior to, ause or disclosure permitted by paragraph(b)(1) of this section and has the capacity tomake health care decisions, the covered entitymay use or disclose the protected healthinformation if it:

(i) Obtains the individual’s agreement; (ii) Provides the individual with the

opportunity to object to the disclosure, andthe individual does not express an objection;or

(iii) Reasonably infers from thecircumstances, based the exercise ofprofessional judgment, that the individualdoes not object to the disclosure.

(3) Limited uses and disclosures when theindividual is not present. If the individual isnot present, or the opportunity to agree orobject to the use or disclosure cannotpracticably be provided because of theindividual’s incapacity or an emergencycircumstance, the covered entity may, in theexercise of professional judgment, determine

whether the disclosure is in the best interestsof the individual and, if so, disclose only theprotected health information that is directlyrelevant to the person’s involvement with theindividual’s health care. A covered entitymay use professional judgment and itsexperience with common practice to makereasonable inferences of the individual’s bestinterest in allowing a person to act on behalfof the individual to pick up filledprescriptions, medical supplies, X-rays, orother similar forms of protected healthinformation.

(4) Use and disclosures for disaster reliefpurposes. A covered entity may use ordisclose protected health information to apublic or private entity authorized by law orby its charter to assist in disaster relief efforts,for the purpose of coordinating with suchentities the uses or disclosures permitted byparagraph (b)(1)(ii) of this section. Therequirements in paragraphs (b)(2) and (3) ofthis section apply to such uses and disclosureto the extent that the covered entity, in theexercise of professional judgment, determinesthat the requirements do not interfere with theability to respond to the emergencycircumstances.

§ 164.512 Uses and disclosures for whichan authorization or opportunity to agreeor object is not required.A covered entity may use or discloseprotected health information without thewritten authorization of the individual, asdescribed in § 164.508, or the opportunity forthe individual to agree or object as describedin § 164.510, in the situations covered by thissection, subject to the applicablerequirements of this section. When thecovered entity is required by this section toinform the individual of, or when theindividual may agree to, a use or disclosurepermitted by this section, the covered entity’sinformation and the individual’s agreementmay be given orally.

(a) Standard: uses and disclosures requiredby law.

(1) A covered entity may use or discloseprotected health information to the extent thatsuch use or disclosure is required by law andthe use or disclosure complies with and islimited to the relevant requirements of suchlaw.

(2) A covered entity must meet therequirements described in paragraph (c), (e),or (f) of this section for uses or disclosuresrequired by law.

(b) Standard: uses and disclosures forpublic health activities.

(1) Permitted disclosures. A covered

entity may disclose protected healthinformation for the public health activitiesand purposes described in this paragraph to:

(i) A public health authority that isauthorized by law to collect or receive suchinformation for the purpose of preventing orcontrolling disease, injury, or disability,including, but not limited to, the reporting ofdisease, injury, vital events such as birth ordeath, and the conduct of public healthsurveillance, public health investigations, andpublic health interventions; or, at thedirection of a public health authority, to anofficial of a foreign government agency thatis acting in collaboration with a public healthauthority;

(ii) A public health authority or otherappropriate government authority authorizedby law to receive reports of child abuse orneglect;

(iii) A person subject to the jurisdictionof the Food and Drug Administration (FDA)with respect to an FDA-regulated product oractivity for which that person hasresponsibility, for the purpose of activitiesrelated to the quality, safety or effectivenessof such FDA-regulated product or activity. Such purposes include:

(A) To collect or report adverse events(or similar activities with respect to food ordietary supplements), product defects orproblems (including problems with the use orlabeling of a product), or biological productdeviations;

(B) To track FDA-regulated products;(C) To enable product recalls, repairs, or

replacement, or lookback (including locatingand notifying individuals who have receivedproducts that have been recalled, withdrawn,or are the subject of lookback); or

(D) To conduct post marketingsurveillance;

(iv) A person who may have beenexposed to a communicable disease or mayotherwise be at risk of contracting orspreading a disease or condition, if thecovered entity or public health authority isauthorized by law to notify such person asnecessary in the conduct of a public healthintervention or investigation; or

(v) An employer, about an individualwho is a member of the workforce of theemployer, if:

(A) The covered entity is a coveredhealth care provider who is a member of theworkforce of such employer or who provideshealth care to the individual at the request ofthe employer:

(1) To conduct an evaluation relatingto medical surveillance of the workplace; or

(2) To evaluate whether the individual


October 2002

-16-

has a work-related illness or injury;(B) The protected health information

that is disclosed consists of findingsconcerning a work-related illness or injury ora workplace-related medical surveillance;

(C) The employer needs such findingsin order to comply with its obligations, under29 CFR parts 1904 through 1928, 30 CFRparts 50 through 90, or under state law havinga similar purpose, to record such illness orinjury or to carry out responsibilities forworkplace medical surveillance; and

(D) The covered health care providerprovides written notice to the individual thatprotected health information relating to themedical surveillance of the workplace andwork-related illnesses and injuries isdisclosed to the employer:

(1) By giving a copy of the notice tothe individual at the time the health care isprovided; or

(2) If the health care is provided on thework site of the employer, by posting thenotice in a prominent place at the locationwhere the health care is provided.

(2) Permitted uses. If the covered entityalso is a public health authority, the coveredentity is permitted to use protected healthinformation in all cases in which it ispermitted to disclose such information forpublic health activities under paragraph (b)(1)of this section.

(c) Standard: disclosures about victims ofabuse, neglect or domestic violence.

(1) Permitted disclosures. Except forreports of child abuse or neglect permitted byparagraph (b)(1)(ii) of this section, a coveredentity may disclose protected healthinformation about an individual whom thecovered entity reasonably believes to be avictim of abuse, neglect, or domestic violenceto a government authority, including a socialservice or protective services agency,authorized by law to receive reports of suchabuse, neglect, or domestic violence:

(i) To the extent the disclosure is requiredby law and the disclosure complies with andis limited to the relevant requirements of suchlaw;

(ii) If the individual agrees to thedisclosure; or

(iii) To the extent the disclosure isexpressly authorized by statute or regulationand:

(A) The covered entity, in the exerciseof professional judgment, believes thedisclosure is necessary to prevent seriousharm to the individual or other potentialvictims; or

(B) If the individual is unable to agreebecause of incapacity, a law enforcement or

other public official authorized to receive thereport represents that the protected healthinformation for which disclosure is sought isnot intended to be used against the individualand that an immediate enforcement activitythat depends upon the disclosure would bematerially and adversely affected by waitinguntil the individual is able to agree to thedisclosure.

(2) Informing the individual. A coveredentity that makes a disclosure permitted byparagraph (c)(1) of this section mustpromptly inform the individual that such areport has been or will be made, except if:

(i) The covered entity, in the exercise ofprofessional judgment, believes informingthe individual would place the individual atrisk of serious harm; or

(ii) The covered entity would beinforming a personal representative, and thecovered entity reasonably believes thepersonal representative is responsible for theabuse, neglect, or other injury, and thatinforming such person would not be in thebest interests of the individual as determinedby the covered entity, in the exercise ofprofessional judgment.

(d) Standard: uses and disclosures forhealth oversight activities.

(1) Permitted disclosures. A coveredentity may disclose protected healthinformation to a health oversight agency foroversight activities authorized by law,including audits; civil, administrative, orcriminal investigations; inspections; licensureor disciplinary actions; civil, administrative,or criminal proceedings or actions; or otheractivities necessary for appropriate oversightof:

(i) The health care system;(ii) Government benefit programs for

which health information is relevant tobeneficiary eligibility;

(iii) Entities subject to governmentregulatory programs for which healthinformation is necessary for determiningcompliance with program standards; or

(iv) Entities subject to civil rights lawsfor which health information is necessary fordetermining compliance.

(2) Exception to health oversightactivities. For the purpose of the disclosurespermitted by paragraph (d)(1) of this section,a health oversight activity does not include aninvestigation or other activity in which theindividual is the subject of the investigationor activity and such investigation or otheractivity does not arise out of and is notdirectly related to:

(i) The receipt of health care;(ii) A claim for public benefits related to

health; or(iii) Qualification for, or receipt of,

public benefits or services when a patient’shealth is integral to the claim for publicbenefits or services.

(3) Joint activities or investigations. Nothwithstanding paragraph (d)(2) of thissection, if a health oversight activity orinvestigation is conducted in conjunctionwith an oversight activity or investigationrelating to a claim for public benefits notrelated to health, the joint activity orinvestigation is considered a health oversightactivity for purposes of paragraph (d) of thissection.

(4) Permitted uses. If a covered entity alsois a health oversight agency, the coveredentity may use protected health informationfor health oversight activities as permitted byparagraph (d) of this section.

(e) Standard: disclosures for judicial andadministrative proceedings.

(1) Permitted disclosures. A coveredentity may disclose protected healthinformation in the course of any judicial oradministrative proceeding:

(i) In response to an order of a court oradministrative tribunal, provided that thecovered entity discloses only the protectedhealth information expressly authorized bysuch order; or

(ii) In response to a subpoena, discoveryrequest, or other lawful process, that is notaccompanied by an order of a court oradministrative tribunal, if:

(A) The covered entity receivessatisfactory assurance, as described inparagraph (e)(1)(iii) of this section, from theparty seeking the information that reasonableefforts have been made by such party toensure that the individual who is the subjectof the protected health information that hasbeen requested has been given notice of therequest; or

(B) The covered entity receivessatisfactory assurance, as described inparagraph (e)(1)(iv) of this section, from theparty seeking the information that reasonableefforts have been made by such party tosecure a qualified protective order that meetsthe requirements of paragraph (e)(1)(v) of thissection.

(iii) For the purposes of paragraph(e)(1)(ii)(A) of this section, a covered entityreceives satisfactory assurances from a partyseeking protecting health information if thecovered entity receives from such party awritten statement and accompanying documentation demonstrating that:

(A) The party requesting suchinformation has made a good faith attempt to


October 2002

-17-

provide written notice to the individual (or, ifthe individual’s location is unknown, to maila notice to the individual’s last knownaddress);

(B) The notice included sufficientinformation about the litigation or proceedingin which the protected health information isrequested to permit the individual to raise anobjection to the court or administrativetribunal; and

(C) The time for the individual to raiseobjections to the court or administrativetribunal has elapsed, and:

(1) No objections were filed; or(2) All objections filed by the

individual have been resolved by the court orthe administrative tribunal and the disclosuresbeing sought are consistent with suchresolution.

(iv) For the purposes of paragraph(e)(1)(ii)(B) of this section, a covered entityreceives satisfactory assurances from a partyseeking protected health information, if thecovered entity receives from such party awritten statement and accompanyingdocumentation demonstrating that:

(A) The parties to the dispute giving riseto the request for information have agreed toa qualified protective order and havepresented it to the court or administrativetribunal with jurisdiction over the dispute; or

(B) The party seeking the protectedhealth information has requested a qualifiedprotective order from such court oradministrative tribunal.

(v) For purposes of paragraph (e)(1) ofthis section, a qualified protective ordermeans, with respect to protected healthinformation requested under paragraph(e)(1)(ii) of this section, an order of a court orof an administrative tribunal or a stipulationby the parties to the litigation oradministrative proceeding that:

(A) Prohibits the parties from using ordisclosing the protected health informationfor any purpose other than the litigation orproceeding for which such information wasrequested; and

(B) Requires the return to the coveredentity or destruction of the protected healthinformation (including all copies made) at theend of the litigation or proceeding.

(vi) Notwithstanding paragraph (e)(1)(ii)of this section, a covered entity may discloseprotected health information in response tolawful process described in paragraph(e)(1)(ii) of this section without receivingsatisfactory assurance under paragraph(e)(1)(ii)(A) or (B) of this section, if thecovered entity makes reasonable efforts toprovide notice to the individual sufficient to

meet the requirements of paragraph (e)(1)(iii)of this section or to seek a qualifiedprotective order sufficient to meet therequirements of paragraph (e)(1)(iv) of thissection.

(2) Other uses and disclosures under thissection. The provisions of this paragraph donot supersede other provisions of this sectionthat otherwise permit or restrict uses ordisclosures of protected health information.

(f) Standard: disclosures for lawenforcement purposes. A covered entity maydisclose protected health information for alaw enforcement purpose to a lawenforcement official if the conditions inparagraphs (f)(1) through (f)(6) of this sectionare met, as applicable.

(1) Permitted disclosures: pursuant toprocess and as otherwise required by law. Acovered entity may disclose protected healthinformation:

(i) As required by law including laws thatrequire the reporting of certain types ofwounds or other physical injuries, except forlaws subject to paragraph (b)(1)(ii) or(c)(1)(i) of this section; or

(ii) In compliance with and as limited bythe relevant requirements of:

(A) A court order or court-orderedwarrant, or a subpoena or summons issued bya judicial officer;

(B) A grand jury subpoena; or(C) An administrative request, including

an administrative subpoena or summons, acivil or an authorized investigative demand,or similar process authorized under law,provided that:

(1) The information sought is relevantand material to a legitimate law enforcementinquiry;

(2) The request is specific and limitedin scope to the extent reasonably practicablein light of the purpose for which theinformation is sought; and

(3) De-identified information couldnot reasonably be used.

(2) Permitted disclosures: limitedinformation for identification and locationpurposes. Except for disclosures required bylaw as permitted by paragraph (f)(1) of thissection, a covered entity may discloseprotected health information in response to alaw enforcement official’s request for suchinformation for the purpose of identifying orlocating a suspect, fugitive, material witness,or missing person, provided that:

(i) The covered entity may disclose onlythe following information:

(A) Name and address;(B) Date and place of birth;(C) Social security number;

(D) ABO blood type and rh factor;(E) Type of injury;(F) Date and time of treatment; (G) Date and time of death, if

applicable; and(H) A description of distinguishing

physical characteristics, including height,weight, gender, race, hair and eye color,presence or absence of facial hair (beard ormoustache), scars, and tattoos.

(ii) Except as permitted by paragraph(f)(2)(i) of this section, the covered entitymay not disclose for the purposes ofidentification or location under paragraph(f)(2) of this section any protected healthinformation related to the individual’s DNAor DNA analysis, dental records, or typing,samples or analysis of body fluids or tissue.

(3) Permitted disclosure: victims of acrime. Except for disclosures required by lawas permitted by paragraph (f)(1) of thissection, a covered entity may discloseprotected health information in response to alaw enforcement official’s request for suchinformation about an individual who is or issuspected to be a victim of a crime, other thandisclosures that are subject to paragraph (b)or (c) of this section, if:

(i) The individual agrees to thedisclosure; or

(ii) The covered entity is unable to obtainthe individual’s agreement because ofincapacity or other emergency circumstance,provided that:

(A) The law enforcement officialrepresents that such information is needed todetermine whether a violation of law by aperson other than the victim has occurred,and such information is not intended to beused against the victim;

(B) The law enforcement officialrepresents that immediate law enforcementactivity that depends upon the disclosurewould be materially and adversely affected bywaiting until the individual is able to agree tothe disclosure; and

(C) The disclosure is in the bestinterests of the individual as determined bythe covered entity, in the exercise ofprofessional judgment.

(4) Permitted disclosure: decedents. Acovered entity may disclose protected healthinformation about an individual who has diedto a law enforcement official for the purposeof alerting law enforcement of the death ofthe individual if the covered entity has asuspicion that such death may have resultedfrom criminal conduct.

(5) Permitted disclosure: crime onpremises. A covered entity may disclose to alaw enforcement official protected health


October 2002

-18-

information that the covered entity believes ingood faith constitutes evidence of criminalconduct that occurred on the premises of thecovered entity.

(6) Permitted disclosure: reporting crimein emergencies.

(i) A covered health care providerproviding emergency health care in responseto a medical emergency, other than suchemergency on the premises of the coveredhealth care provider, may disclose protectedhealth information to a law enforcementofficial if such disclosure appears necessaryto alert law enforcement to:

(A) The commission and nature of acrime;

(B) The location of such crime or of thevictim(s) of such crime; and

(C) The identity, description, andlocation of the perpetrator of such crime.

(ii) If a covered health care providerbelieves that the medical emergencydescribed in paragraph (f)(6)(i) of this sectionis the result of abuse, neglect, or domesticviolence of the individual in need ofemergency health care, paragraph (f)(6)(i) ofthis section does not apply and any disclosureto a law enforcement official for lawenforcement purposes is subject to paragraph(c) of this section.

(g) Standard: uses and disclosures aboutdecedents.

(1) Coroners and medical examiners. Acovered entity may disclose protected healthinformation to a coroner or medical examinerfor the purpose of identifying a deceasedperson, determining a cause of death, or otherduties as authorized by law. A covered entitythat also performs the duties of a coroner ormedical examiner may use protected healthinformation for the purposes described in thisparagraph.

(2) Funeral directors. A covered entitymay disclose protected health information tofuneral directors, consistent with applicablelaw, as necessary to carry out their duties withrespect to the decedent. If necessary forfuneral directors to carry out their duties, thecovered entity may disclose the protectedhealth information prior to, and in reasonableanticipation of, the individual’s death.

(h) Standard: uses and disclosures forcadaveric organ, eye or tissue donationpurposes. A covered entity may use ordisclose protected health information to organprocurement organizations or other entitiesengaged in the procurement, banking, ortransplantation of cadaveric organs, eyes, ortissue for the purpose of facilitating organ,eye or tissue donation and transplantation.

(i) Standard: uses and disclosures for

research purposes. (1) Permitted uses and disclosures. A

covered entity may use or disclose protectedhealth information for research, regardless ofthe source of funding of the research,provided that:

(i) Board approval of a waiver ofauthorization. The covered entity obtainsdocumentation that an alteration to or waiver,in whole or in part, of the individualauthorization required by §164.508 for use ordisclosure of protected health information hasbeen approved by either:

(A) An Institutional Review Board(IRB), established in accordance with 7 CFR1c.107, 10 CFR 745.107, 14 CFR 1230.107,15 CFR 27.107, 16 CFR 1028.107, 21 CFR56.107, 22 CFR 225.107, 24 CFR 60.107, 28CFR 46.107, 32 CFR 219.107, 34 CFR97.107, 38 CFR 16.107, 40 CFR 26.107, 45CFR 46.107, 45 CFR 690.107, or 49 CFR11.107; or

(B) A privacy board that:(1) Has members with varying

backgrounds and appropriate professionalcompetency as necessary to review the effectof the research protocol on the individual’sprivacy rights and related interests;

(2) Includes at least one member whois not affiliated with the covered entity, notaffiliated with any entity conducting orsponsoring the research, and not related toany person who is affiliated with any of suchentities; and

(3) Does not have any memberparticipating in a review of any project inwhich the member has a conflict of interest.

(ii) Reviews preparatory to research. The covered entity obtains from theresearcher representations that:

(A) Use or disclosure is sought solely toreview protected health information asnecessary to prepare a research protocol or forsimilar purposes preparatory to research;

(B) No protected health information isto be removed from the covered entity by theresearcher in the course of the review; and

(C) The protected health information forwhich use or access is sought is necessary forthe research purposes.

(iii) Research on decedent’s information. The covered entity obtains from theresearcher:

(A) Representation that the use ordisclosure sought is solely for research on theprotected health information of decedents;

(B) Documentation, at the request of thecovered entity, of the death of suchindividuals; and

(C) Representation that the protectedhealth information for which use or disclosure

is sought is necessary for the researchpurposes.

(2) Documentation of waiver approval. For a use or disclosure to be permitted basedon documentation of approval of analteration or waiver, under paragraph (i)(1)(i)of this section, the documentation mustinclude all of the following:

(i) Identification and date of action. Astatement identifying the IRB or privacyboard and the date on which the alteration orwaiver of authorization was approved;

(ii) Waiver criteria. A statement that theIRB or privacy board has determined that thealteration or waiver, in whole or in part, ofauthorization satisfies the following criteria:

(A) The use or disclosure of protectedhealth information involves no more than aminimal risk to the privacy of individuals,based on, at least, the presence of thefollowing elements;

(1) An adequate plan to protect theidentifiers from improper use and disclosure;

(2) An adequate plan to destroy theidentifiers at the earliest opportunityconsistent with conduct of the research,unless there is a health or researchjustification for retaining the identifiers orsuch retention is otherwise required by law;and

(3) Adequate written assurances thatthe protected health information will not bereused or disclosed to any other person orentity, except as required by law, forauthorized oversight of the research study, orfor other research for which the use ordisclosure of protected health informationwould be permitted by this subpart;

(B) The research could not practicablybe conducted without the waiver or alteration;and

(C) The research could not practicablybe conducted without access to and use of theprotected health information.

(iii) Protected health informationneeded. A brief description of the protectedhealth information for which use or accesshas been determined to be necessary by theIRB or privacy board has determined,pursuant to paragraph (i)(2)(ii)(C) of thissection;

(iv) Review and approval procedures. Astatement that the alteration or waiver ofauthorization has been reviewed andapproved under either normal or expeditedreview procedures, as follows:

(A) An IRB must follow therequirements of the Common Rule, includingthe normal review procedures (7 CFR1c.108(b), 10 CFR 745.108(b), 14 CFR1230.108(b), 15 CFR 27.108(b), 16 CFR


October 2002

-19-

1028.108(b), 21 CFR 56.108(b), 22 CFR225.108(b), 24 CFR 60.108(b), 28 CFR46.108(b), 32 CFR 219.108(b), 34 CFR97.108(b), 38 CFR 16.108(b), 40 CFR26.108(b), 45 CFR 46.108(b), 45 CFR690.108(b), or 49 CFR 11.108(b)) or theexpedited review procedures (7 CFR 1c.110,10 CFR 745.110, 14 CFR 1230.110, 15 CFR27.110, 16 CFR 1028.110, 21 CFR 56.110,22 CFR 225.110, 24 CFR 60.110, 28 CFR46.110, 32 CFR 219.110, 34 CFR 97.110, 38CFR 16.110, 40 CFR 26.110, 45 CFR46.110, 45 CFR 690.110, or 49 CFR 11.110);

(B) A privacy board must review theproposed research at convened meetings atwhich a majority of the privacy boardmembers are present, including at least onemember who satisfies the criterion stated inparagraph (i)(1)(i)(B)(2) of this section, andthe alteration or waiver of authorization mustbe approved by the majority of the privacyboard members present at the meeting, unlessthe privacy board elects to use an expeditedreview procedure in accordance withparagraph (i)(2)(iv)(C) of this section;

(C) A privacy board may use anexpedited review procedure if the researchinvolves no more than minimal risk to theprivacy of the individuals who are the subjectof the protected health information for whichuse or disclosure is being sought. If theprivacy board elects to use an expeditedreview procedure, the review and approval ofthe alteration or waiver of authorization maybe carried out by the chair of the privacyboard, or by one or more members of theprivacy board as designated by the chair; and

(v) Required signature. Thedocumentation of the alteration or waiver ofauthorization must be signed by the chair orother member, as designated by the chair, ofthe IRB or the privacy board, as applicable.

(j) Standard: uses and disclosures to avert aserious threat to health or safety.

(1) Permitted disclosures. A coveredentity may, consistent with applicable lawand standards of ethical conduct, use ordisclose protected health information, if thecovered entity, in good faith, believes the useor disclosure:

(i)(A) Is necessary to prevent or lessen aserious and imminent threat to the health orsafety of a person or the public; and

(B) Is to a person or persons reasonablyable to prevent or lessen the threat, includingthe target of the threat; or

(ii) Is necessary for law enforcementauthorities to identify or apprehend anindividual:

(A) Because of a statement by anindividual admitting participation in a violent

crime that the covered entity reasonablybelieves may have caused serious physicalharm to the victim; or

(B) Where it appears from all thecircumstances that the individual has escapedfrom a correctional institution or from lawfulcustody, as those terms are defined in §164.501.

(2) Use or disclosure not permitted. A useor disclosure pursuant to paragraph(j)(1)(ii)(A) of this section may not be madeif the information described in paragraph(j)(1)(ii)(A) of this section is learned by thecovered entity:

(i) In the course of treatment to affect thepropensity to commit the criminal conductthat is the basis for the disclosure underparagraph (j)(1)(ii)(A) of this section, orcounseling or therapy; or

(ii) Through a request by the individualto initiate or to be referred for the treatment,counseling, or therapy described in paragraph(j)(2)(i) of this section.

(3) Limit on information that may bedisclosed. A disclosure made pursuant toparagraph (j)(1)(ii)(A) of this section shallcontain only the statement described inparagraph (j)(1)(ii)(A) of this section and theprotected health information described inparagraph (f)(2)(i) of this section.

(4) Presumption of good faith belief. Acovered entity that uses or discloses protectedhealth information pursuant to paragraph(j)(1) of this section is presumed to haveacted in good faith with regard to a beliefdescribed in paragraph (j)(1)(i) or (ii) of thissection, if the belief is based upon thecovered entity’s actual knowledge or inreliance on a credible representation by aperson with apparent knowledge or authority.

(k) Standard: uses and disclosures forspecialized government functions.

(1) Military and veterans activities. (i) Armed Forces personnel. A covered

entity may use and disclose the protectedhealth information of individuals who areArmed Forces personnel for activities deemednecessary by appropriate military commandauthorities to assure the proper execution ofthe military mission, if the appropriatemilitary authority has published by notice inthe Federal Register the followinginformation:

(A) Appropriate military commandauthorities; and

(B) The purposes for which theprotected health information may be used ordisclosed.

(ii) Separation or discharge frommilitary service. A covered entity that is acomponent of the Departments of Defense or

Transportation may disclose to theDepartment of Veterans Affairs (DVA) theprotected health information of an individualwho is a member of the Armed Forces uponthe separation or discharge of the individualfrom military service for the purpose of adetermination by DVA of the individual’seligibility for or entitlement to benefits underlaws administered by the Secretary ofVeterans Affairs.

(iii) Veterans. A covered entity that is acomponent of the Department of VeteransAffairs may use and disclose protected healthinformation to components of the Departmentthat determine eligibility for or entitlement to,or that provide, benefits under the lawsadministered by the Secretary of VeteransAffairs.

(iv) Foreign military personnel. Acovered entity may use and disclose theprotected health information of individualswho are foreign military personnel to theirappropriate foreign military authority for thesame purposes for which uses and disclosuresare permitted for Armed Forces personnelunder the notice published in the FederalRegister pursuant to paragraph (k)(1)(i) ofthis section.

(2) National security and intelligenceactivities. A covered entity may discloseprotected health information to authorizedfederal officials for the conduct of lawfulintelligence, counter-intelligence, and othernational security activities authorized by theNational Security Act (50 U.S.C. 401, et seq.)and implementing authority (e.g., ExecutiveOrder 12333).

(3) Protective services for the Presidentand others. A covered entity may discloseprotected health information to authorizedfederal officials for the provision of protectiveservices to the President or other personsauthorized by 18 U.S.C. 3056, or to foreignheads of state or other persons authorized by22 U.S.C. 2709(a)(3), or to for the conduct ofinvestigations authorized by 18 U.S.C. 871and 879.

(4) Medical suitability determinations. Acovered entity that is a component of theDepartment of State may use protected healthinformation to make medical suitabilitydeterminations and may disclose whether ornot the individual was determined to bemedically suitable to the officials in theDepartment of State who need access to suchinformation for the following purposes:

(i) For the purpose of a required securityclearance conducted pursuant to ExecutiveOrders 10450 and 12698;

(ii) As necessary to determine worldwideavailability or availability for mandatory


October 2002

-20-

service abroad under sections 101(a)(4) and504 of the Foreign Service Act; or

(iii) For a family to accompany a ForeignService member abroad, consistent withsection 101(b)(5) and 904 of the ForeignService Act.

(5) Correctional institutions and other lawenforcement custodial situations.

(i) Permitted disclosures. A coveredentity may disclose to a correctionalinstitution or a law enforcement officialhaving lawful custody of an inmate or otherindividual protected health information aboutsuch inmate or individual, if the correctionalinstitution or such law enforcement officialrepresents that such protected healthinformation is necessary for:

(A) The provision of health care to suchindividuals;

(B) The health and safety of suchindividual or other inmates;

(C) The health and safety of the officersor employees of or others at the correctionalinstitution;

(D) The health and safety of suchindividuals and officers or other personsresponsible for the transporting of inmates ortheir transfer from one institution, facility, orsetting to another;

(E) Law enforcement on the premisesof the correctional institution; and

(F) The administration and maintenanceof the safety, security, and good order of thecorrectional institution.

(ii) Permitted uses. A covered entity thatis a correctional institution may use protectedhealth information of individuals who areinmates for any purpose for which suchprotected health information may bedisclosed.

(iii) No application after release. For thepurposes of this provision, an individual is nolonger an inmate when released on parole,probation, supervised release, or otherwise isno longer in lawful custody.

(6) Covered entities that are governmentprograms providing public benefits.

(i) A health plan that is a governmentprogram providing public benefits maydisclose protected health information relatingto eligibility for or enrollment in the healthplan to another agency administering agovernment program providing publicbenefits if the sharing of eligibility orenrollment information among suchgovernment agencies or the maintenance ofsuch information in a single or combined datasystem accessible to all such governmentagencies is required or expressly authorizedby statute or regulation.

(ii) A covered entity that is a government

agency administering a government programproviding public benefits may discloseprotected health information relating to theprogram to another covered entity that is agovernment agency administering agovernment program providing publicbenefits if the programs serve the same orsimilar populations and the disclosure ofprotected health information is necessary tocoordinate the covered functions of suchprograms or to improve administration andmanagement relating to the covered functionsof such programs.(l) Standard: disclosures for workers’compensation. A covered entity may discloseprotected health information as authorized byand to the extent necessary to comply withlaws relating to workers’ compensation orother similar programs, established by law,that provide benefits for work-related injuriesor illness without regard to fault.

§ 164.514 Other requirements relatingto uses and disclosures of protected healthinformation.

(a) Standard: de-identification of protectedhealth information. Health information thatdoes not identify an individual and withrespect to which there is no reasonable basisto believe that the information can be usedto identify an individual is not individuallyidentifiable health information.(b) Implementation specifications:

requirements for de-identification ofprotected health information. A coveredentity may determine that health informationis not individually identifiable healthinformation only if:

(1) A person with appropriate knowledgeof and experience with generally acceptedstatistical and scientific principles andmethods for rendering information notindividually identifiable:

(i) Applying such principles andmethods, determines that the risk is verysmall that the information could be used,alone or in combination with other reasonablyavailable information, by an anticipatedrecipient to identify an individual who is asubject of the information; and

(ii) Documents the methods and results ofthe analysis that justify such determination;or

(2)(i) The following identifiers of theindividual or of relatives, employers, orhousehold members of the individual, areremoved:

(A) Names;(B) All geographic subdivisions smaller

than a State, including street address, city,county, precinct, zip code, and their

equivalent geocodes, except for the initialthree digits of a zip code if, according to thecurrent publicly available data from theBureau of the Census:

(1) The geographic unit formed bycombining all zip codes with the same threeinitial digits contains more than 20,000people; and

(2) The initial three digits of a zip codefor all such geographic units containing20,000 or fewer people is changed to 000.

(C) All elements of dates (except year)for dates directly related to an individual,including birth date, admission date,discharge date, date of death; and all agesover 89 and all elements of dates (includingyear) indicative of such age, except that suchages and elements may be aggregated into asingle category of age 90 or older;

(D) Telephone numbers;(E) Fax numbers;(F) Electronic mail addresses;(G) Social security numbers;(H) Medical record numbers;(I) Health plan beneficiary numbers;(J) Account numbers;(K) Certificate/license numbers;(L) Vehicle identifiers and serial

numbers, including license plate numbers;(M) Device identifiers and serial

numbers;(N) Web Universal Resource Locators

(URLs);(O) Internet Protocol (IP) address

numbers;(P) Biometric identifiers, including

finger and voice prints;(Q) Full face photographic images and

any comparable images; and(R) Any other unique identifying

number, characteristic, or code, except aspermitted by paragraph (c) of this section;and

(ii) The covered entity does not haveactual knowledge that the information couldbe used alone or in combination with otherinformation to identify an individual who is asubject of the information.

(c) Implementation specifications: re-identification. A covered entity may assign acode or other means of record identificationto allow information de-identified under thissection to be re-identified by the coveredentity, provided that:

(1) Derivation. The code or other meansof record identification is not derived from orrelated to information about the individualand is not otherwise capable of beingtranslated so as to identify the individual; and

(2) Security. The covered entity does notuse or disclose the code or other means of


October 2002

-21-

record identification for any other purpose,and does not disclose the mechanism for re-identification.

(d)(1) Standard: minimum necessaryrequirements. In order to comply with §164.502(b) and this section, a covered entitymust meet the requirements of paragraphs(d)(2) through (d)(5) of this section withrespect to a request for, or the use anddisclosure of, protected health information.

(2) Implementation specifications:minimum necessary uses of protected healthinformation.

(i) A covered entity must identify:(A) Those persons or classes of persons,

as appropriate, in its workforce who needaccess to protected health information tocarry out their duties; and

(B) For each such person or class ofpersons, the category or categories ofprotected health information to which accessis needed and any conditions appropriate tosuch access.

(ii) A covered entity must makereasonable efforts to limit the access of suchpersons or classes identified in paragraph(d)(2)(i)(A) of this section to protected healthinformation consistent with paragraph(d)(2)(i)(B) of this section.

(3) Implementation specification:minimum necessary disclosures of protectedhealth information.

(i) For any type of disclosure that itmakes on a routine and recurring basis, acovered entity must implement policies andprocedures (which may be standardprotocols) that limit the protected healthinformation disclosed to the amountreasonably necessary to achieve the purposeof the disclosure.

(ii) For all other disclosures, a coveredentity must:

(A) Develop criteria designed to limitthe protected health information disclosed tothe information reasonably necessary toaccomplish the purpose for which disclosureis sought; and

(B) Review requests for disclosure onan individual basis in accordance with suchcriteria.

(iii) A covered entity may rely, if suchreliance is reasonable under thecircumstances, on a requested disclosure asthe minimum necessary for the stated purposewhen:

(A) Making disclosures to publicofficials that are permitted under § 164.512,if the public official represents that theinformation requested is the minimumnecessary for the stated purpose(s);

(B) The information is requested by

another covered entity;(C) The information is requested by a

professional who is a member of itsworkforce or is a business associate of thecovered entity for the purpose of providingprofessional services to the covered entity, ifthe professional represents that theinformation requested is the minimumnecessary for the stated purpose(s); or

(D) Documentation or representationsthat comply with the applicable requirementsof § 164.512(i) have been provided by aperson requesting the information forresearch purposes.

(4) Implementation specifications:minimum necessary requests for protectedhealth information.

(i) A covered entity must limit anyrequest for protected health information tothat which is reasonably necessary toaccomplish the purpose for which the requestis made, when requesting such informationfrom other covered entities.

(ii) For a request that is made on aroutine and recurring basis, a covered entitymust implement policies and procedures(which may be standard protocols) that limitthe protected health information requested tothe amount reasonably necessary toaccomplish the purpose for which the requestis made.

(iii) For all other requests, a coveredentity must:

(A) Develop criteria designed to limitthe request for protected health information tothe information reasonably necessary toaccomplish the purpose for which the requestis made; and

(B) Review requests for disclosure onan individual basis in accordance with suchcriteria.

(5) Implementation specification: othercontent requirement. For all uses,disclosures, or requests to which therequirements in paragraph (d) of this sectionapply, a covered entity may not use, discloseor request an entire medical record, exceptwhen the entire medical record is specificallyjustified as the amount that is reasonablynecessary to accomplish the purpose of theuse, disclosure, or request.

(e) (1) Standard: Limited data set. Acovered entity may use or disclose a limiteddata set that meets the requirements ofparagraphs (e)(2) and (e)(3) of this section, ifthe covered entity enters into a data useagreement with the limited data set recipient,in accordance with paragraph (e)(4) of thissection.

(2) Implementation specification: Limiteddata set: A limited data set is protected health

information that excludes the following directidentifiers of the individual or of relatives,employers, or household members of theindividual:

(i) Names;(ii) Postal address information, other than

town or city, State, and zip code;(iii) Telephone numbers;(iv) Fax numbers;(v) Electronic mail addresses;(vi) Social security numbers;(vii) Medical record numbers;(viii) Health plan beneficiary numbers;(ix) Account numbers;(x) Certificate/license numbers;(xi) Vehicle identifiers and serial

numbers, including license plate numbers;(xii) Device identifiers and serial

numbers;(xiii) Web Universal Resource Locators

(URLs);(xiv) Internet Protocol (IP) address

numbers;(xv) Biometric identifiers, including

finger and voice prints; and(xvi) Full face photographic images and

any comparable images. (3) Implementation specification:

Permitted purposes for uses and disclosures. (i) A covered entity may use or disclose

a limited data set under paragraph (e)(1) ofthis section only for the purposes of research,public health, or health care operations.

(ii) A covered entity may use protectedhealth information to create a limited data setthat meets the requirements of paragraph(e)(2) of this section, or disclose protectedhealth information only to a businessassociate for such purpose, whether or not thelimited data set is to be used by the coveredentity.

(4) Implementation specifications: Datause agreement.

(i) Agreement required. A covered entitymay use or disclose a limited data set underparagraph (e)(1) of this section only if thecovered entity obtains satisfactory assurance,in the form of a data use agreement that meetsthe requirements of this section, that thelimited data set recipient will only use ordisclose the protected health information forlimited purposes.

(ii) Contents. A data use agreementbetween the covered entity and the limiteddata set recipient must:

(A) Establish the permitted uses anddisclosures of such information by the limiteddata set recipient, consistent with paragraph(e)(3) of this section. The data use agreementmay not authorize the limited data setrecipient to use or further disclose the


October 2002

-22-

information in a manner that would violatethe requirements of this subpart, if done bythe covered entity;

(B) Establish who is permitted to use orreceive the limited data set; and

(C) Provide that the limited data setrecipient will:

(1) Not use or further disclose theinformation other than as permitted by thedata use agreement or as otherwise requiredby law;

(2) Use appropriate safeguards toprevent use or disclosure of the informationother than as provided for by the data useagreement;

(3) Report to the covered entity anyuse or disclosure of the information notprovided for by its data use agreement ofwhich it becomes aware;

(4) Ensure that any agents, including asubcontractor, to whom it provides thelimited data set agrees to the same restrictionsand conditions that apply to the limited dataset recipient with respect to such information;and

(5) Not identify the information orcontact the individuals.

(iii) Compliance. (A) A covered entity is not in

compliance with the standards in paragraph(e) of this section if the covered entity knewof a pattern of activity or practice of thelimited data set recipient that constituted amaterial breach or violation of the data useagreement, unless the covered entity tookreasonable steps to cure the breach or end theviolation, as applicable, and, if such stepswere unsuccessful:

(1) Discontinued disclosure ofprotected health information to the recipient;and

(2) Reported the problem to theSecretary.

(B) A covered entity that is a limiteddata set recipient and violates a data useagreement will be in noncompliance with thestandards, implementation specifications, andrequirements of paragraph (e) of this section.

(f)(1) Standard: uses and disclosures forfundraising. A covered entity may use, ordisclose to a business associate or to aninstitutionally related foundation, thefollowing protected health information for thepurpose of raising funds for its own benefit,without an authorization meeting therequirements of § 164.508:

(i) Demographic information relating toan individual; and

(ii) Dates of health care provided to anindividual.

(2) Implementation specifications:

fundraising requirements. (i) The covered entity may not use or

disclose protected health information forfundraising purposes as otherwise permittedby paragraph (f)(1) of this section unless astatement required by § 164.520(b)(1)(iii)(B)is included in the covered entity’s notice;

(ii) The covered entity must include inany fundraising materials it sends to anindividual under this paragraph a descriptionof how the individual may opt out ofreceiving any further fundraisingcommunications.

(iii) The covered entity must makereasonable efforts to ensure that individualswho decide to opt out of receiving futurefundraising communications are not sent suchcommunications.

(g) Standard: uses and disclosures forunderwriting and related purposes. If ahealth plan receives protected heathinformation for the purpose of underwriting,premium rating, or other activities relating tothe creation, renewal, or replacement of acontract of health insurance or healthbenefits, and if such health insurance orhealth benefits are not placed with the healthplan, such health plan may not use or disclosesuch protected health information for anyother purpose, except as may be required bylaw.

(h)(1) Standard: verification requirements. Prior to any disclosure permitted by thissubpart, a covered entity must:

(i) Except with respect to disclosuresunder § 164.510, verify the identity of aperson requesting protected healthinformation and the authority of any suchperson to have access to protected healthinformation under this subpart, if the identityor any such authority of such person is notknown to the covered entity; and

(ii) Obtain any documentation,statements, or representations, whether oral orwritten, from the person requesting theprotected health information when suchdocumentation, statement, or representation isa condition of the disclosure under thissubpart.

(2) Implementation specifications:verification.

(i) Conditions on disclosures. If adisclosure is conditioned by this subpart onparticular documentation, statements, orrepresentations from the person requestingthe protected health information, a coveredentity may rely, if such reliance is reasonableunder the circumstances, on documentation,statements, or representations that, on theirface, meet the applicable requirements.

(A) The conditions in §

164.512(f)(1)(ii)(C) may be satisfied by theadministrative subpoena or similar process orby a separate written statement that, on itsface, demonstrates that the applicablerequirements have been met.

(B) The documentation required by §164.512(i)(2) may be satisfied by one or morewritten statements, provided that each isappropriately dated and signed in accordancewith § 164.512(i)(2)(i) and (v).

(ii) Identity of public officials. A coveredentity may rely, if such reliance is reasonableunder the circumstances, on any of thefollowing to verify identity when thedisclosure of protected health information isto a public official or a person acting onbehalf of the public official:

(A) If the request is made in person,presentation of an agency identificationbadge, other official credentials, or otherproof of government status;

(B) If the request is in writing, therequest is on the appropriate governmentletterhead; or

(C) If the disclosure is to a personacting on behalf of a public official, a writtenstatement on appropriate governmentletterhead that the person is acting under thegovernment's authority or other evidence ordocumentation of agency, such as a contractfor services, memorandum of understanding,or purchase order, that establishes that theperson is acting on behalf of the publicofficial.

(iii) Authority of public officials. Acovered entity may rely, if such reliance isreasonable under the circumstances, on any ofthe following to verify authority when thedisclosure of protected health information isto a public official or a person acting onbehalf of the public official:

(A) A written statement of the legalauthority under which the information isrequested, or, if a written statement would beimpracticable, an oral statement of such legalauthority;

(B) If a request is made pursuant tolegal process, warrant, subpoena, order, orother legal process issued by a grand jury or ajudicial or administrative tribunal ispresumed to constitute legal authority.

(iv) Exercise of professional judgment. The verification requirements of thisparagraph are met if the covered entity relieson the exercise of professional judgment inmaking a use or disclosure in accordancewith § 164.510 or acts on a good faith beliefin making a disclosure in accordance with §164.512(j).

§ 164.520 Notice of privacy practices for


October 2002

-23-

protected health information.(a) Standard: notice of privacy practices.

(1) Right to notice. Except as provided byparagraph (a)(2) or (3) of this section, anindividual has a right to adequate notice ofthe uses and disclosures of protected healthinformation that may be made by the coveredentity, and of the individual’s rights and thecovered entity’s legal duties with respect toprotected health information.

(2) Exception for group health plans. (i) An individual enrolled in a group

health plan has a right to notice:(A) From the group health plan, if, and

to the extent that, such an individual does notreceive health benefits under the group healthplan through an insurance contract with ahealth insurance issuer or HMO; or

(B) From the health insurance issuer orHMO with respect to the group health planthough which such individuals receive theirhealth benefits under the group health plan.

(ii) A group health plan that provideshealth benefits solely through an insurancecontract with a health insurance issuer orHMO, and that creates or receives protectedhealth information in addition to summaryhealth information as defined in § 164.504(a)or information on whether the individual isparticipating in the group health plan, or isenrolled in or has disenrolled from a healthinsurance issuer or HMO offered by the plan,must:

(A) Maintain a notice under thissection; and

(B) Provide such notice upon request toany person. The provisions of paragraph(c)(1) of this section do not apply to suchgroup health plan.

(iii) A group health plan that provideshealth benefits solely through an insurancecontract with a health insurance issuer orHMO, and does not create or receiveprotected health information other thansummary health information as defined in §164.504(a) or information on whether anindividual is participating in the group healthplan, or is enrolled in or has disenrolled froma health insurance issuer or HMO offered bythe plan, is not required to maintain orprovide a notice under this section.

(3) Exception for inmates. An inmate doesnot have a right to notice under this section,and the requirements of this section do notapply to a correctional institution that is acovered entity.

(b) Implementation specifications: contentof notice.

(1) Required elements. The covered entitymust provide a notice that is written in plainlanguage and that contains the elements

required by this paragraph.(i) Header. The notice must contain the

following statement as a header or otherwiseprominently displayed: “THIS NOTICEDESCRIBES HOW MEDICALINFORMATION ABOUT YOU MAY BEUSED AND DISCLOSED AND HOW YOUCAN GET ACCESS TO THISINFORMATION. PLEASE REVIEW ITCAREFULLY.”

(ii) Uses and disclosures. The noticemust contain:

(A) A description, including at leastone example, of the types of uses anddisclosures that the covered entity ispermitted by this subpart to make for each ofthe following purposes: treatment, payment,and health care operations.

(B) A description of each of the otherpurposes for which the covered entity ispermitted or required by this subpart to use ordisclose protected health information withoutthe individual’s written authorization.

(C) If a use or disclosure for anypurpose described in paragraphs (b)(1)(ii)(A)or (B) of this section is prohibited ormaterially limited by other applicable law, thedescription of such use or disclosure mustreflect the more stringent law as defined in §160.202.

(D) For each purpose described inparagraph (b)(1)(ii)(A) or (B) of this section,the description must include sufficient detailto place the individual on notice of the usesand disclosures that are permitted or requiredby this subpart and other applicable law.

(E) A statement that other uses anddisclosures will be made only with theindividual's written authorization and that theindividual may revoke such authorization asprovided by § 164.508(b)(5).

(iii) Separate statements for certain usesor disclosures. If the covered entity intendsto engage in any of the following activities,the description required by paragraph(b)(1)(ii)(A) of this section must include aseparate statement, as applicable, that:

(A) The covered entity may contact theindividual to provide appointment remindersor information about treatment alternatives orother heath-related benefits and services thatmay be of interest to the individual;

(B) The covered entity may contact theindividual to raise funds for the coveredentity; or

(C) A group health plan, or a healthinsurance issuer or HMO with respect to agroup health plan, may disclose protectedhealth information to the sponsor of the plan.

(iv) Individual rights. The notice mustcontain a statement of the individual’s rights

with respect to protected health informationand a brief description of how the individualmay exercise these rights, as follows:

(A) The right to request restrictions oncertain uses and disclosures of protectedhealth information as provided by §164.522(a), including a statement that thecovered entity is not required to agree to arequested restriction;

(B) The right to receive confidentialcommunications of protected healthinformation as provided by § 164.522(b), asapplicable;

(C) The right to inspect and copyprotected health information as provided by §164.524;

(D) The right to amend protected healthinformation as provided by § 164.526;

(E) The right to receive an accountingof disclosures of protected health informationas provided by § 164.528; and

(F) The right of an individual, includingan individual who has agreed to receive thenotice electronically in accordance withparagraph (c)(3) of this section, to obtain apaper copy of the notice from the coveredentity upon request.

(v) Covered entity’s duties. The noticemust contain:

(A) A statement that the covered entityis required by law to maintain the privacy ofprotected health information and to provideindividuals with notice of its legal duties andprivacy practices with respect to protectedhealth information;

(B) A statement that the covered entityis required to abide by the terms of the noticecurrently in effect; and

(C) For the covered entity to apply achange in a privacy practice that is describedin the notice to protected health informationthat the covered entity created or receivedprior to issuing a revised notice, inaccordance with § 164.530(i)(2)(ii), astatement that it reserves the right to changethe terms of its notice and to make the newnotice provisions effective for all protectedhealth information that it maintains. Thestatement must also describe how it willprovide individuals with a revised notice.

(vi) Complaints. The notice must containa statement that individuals may complain tothe covered entity and to the Secretary if theybelieve their privacy rights have beenviolated, a brief description of how theindividual may file a complaint with thecovered entity, and a statement that theindividual will not be retaliated against forfiling a complaint.

(vii) Contact. The notice must containthe name, or title, and telephone number of a


October 2002

-24-

person or office to contact for furtherinformation as required by §164.530(a)(1)(ii).

(viii) Effective date. The notice mustcontain the date on which the notice is first ineffect, which may not be earlier than the dateon which the notice is printed or otherwisepublished.

(2) Optional elements. (i) In addition to the information

required by paragraph (b)(1) of this section, ifa covered entity elects to limit the uses ordisclosures that it is permitted to make underthis subpart, the covered entity may describeits more limited uses or disclosures in itsnotice, provided that the covered entity maynot include in its notice a limitation affectingits right to make a use or disclosure that isrequired by law or permitted by §164.512(j)(1)(i).

(ii) For the covered entity to apply achange in its more limited uses anddisclosures to protected health informationcreated or received prior to issuing a revisednotice, in accordance with § 164.530(i)(2)(ii),the notice must include the statementsrequired by paragraph (b)(1)(v)(C) of thissection.

(3) Revisions to the notice. The coveredentity must promptly revise and distribute itsnotice whenever there is a material change tothe uses or disclosures, the individual’srights, the covered entity’s legal duties, orother privacy practices stated in the notice. Except when required by law, a materialchange to any term of the notice may not beimplemented prior to the effective date of thenotice in which such material change isreflected.

(c) Implementation specifications: provisionof notice. A covered entity must make thenotice required by this section available onrequest to any person and to individuals asspecified in paragraphs (c)(1) through (c)(3)of this section, as applicable.

(1) Specific requirements for health plans. (i) A health plan must provide notice:

(A) No later than the compliance datefor the health plan, to individuals thencovered by the plan;

(B) Thereafter, at the time ofenrollment, to individuals who are newenrollees; and

(C) Within 60 days of a materialrevision to the notice, to individuals thencovered by the plan.

(ii) No less frequently than once everythree years, the health plan must notifyindividuals then covered by the plan of theavailability of the notice and how to obtainthe notice.

(iii) The health plan satisfies therequirements of paragraph (c)(1) of thissection if notice is provided to the namedinsured of a policy under which coverage isprovided to the named insured and one ormore dependents.

(iv) If a health plan has more than onenotice, it satisfies the requirements ofparagraph (c)(1) of this section by providingthe notice that is relevant to the individual orother person requesting the notice.

(2) Specific requirements for certaincovered health care providers. A coveredhealth care provider that has a directtreatment relationship with an individualmust:

(i) Provide the notice:(A) No later than the date of the first

service delivery, including service deliveredelectronically, to such individual after thecompliance date for the covered health careprovider; or

(B) In an emergency treatment situation,as soon as reasonably practicable after theemergency treatment situation.

(ii) Except in an emergency treatmentsituation, make a good faith effort to obtain awritten acknowledgment of receipt of thenotice provided in accordance with paragraph(c)(2)(i) of this section, and if not obtained,document its good faith efforts to obtain suchacknowledgment and the reason why theacknowledgment was not obtained;

(iii) If the covered health care providermaintains a physical service delivery site:

(A) Have the notice available at theservice delivery site for individuals to requestto take with them; and

(B) Post the notice in a clear andprominent location where it is reasonable toexpect individuals seeking service from thecovered health care provider to be able toread the notice; and

(iv) Whenever the notice is revised, makethe notice available upon request on or afterthe effective date of the revision and promptlycomply with the requirements of paragraph(c)(2)(iii) of this section, if applicable.

(3) Specific requirements for electronicnotice.

(i) A covered entity that maintains a website that provides information about thecovered entity’s customer services or benefitsmust prominently post its notice on the website and make the notice availableelectronically through the web site.

(ii) A covered entity may provide thenotice required by this section to anindividual by e-mail, if the individual agreesto electronic notice and such agreement hasnot been withdrawn. If the covered entity

knows that the e-mail transmission has failed,a paper copy of the notice must be providedto the individual. Provision of electronicnotice by the covered entity will satisfy theprovision requirements of paragraph (c) ofthis section when timely made in accordancewith paragraph (c)(1) or (2) of this section.

(iii) For purposes of paragraph (c)(2)(i) ofthis section, if the first service delivery to anindividual is delivered electronically, thecovered health care provider must provideelectronic notice automatically andcontemporaneously in response to theindividual’s first request for service. Therequirements in paragraph (c)(2)(ii) of thissection apply to electronic notice.

(iv) The individual who is the recipient ofelectronic notice retains the right to obtain apaper copy of the notice from a covered entityupon request.

(d) Implementation specifications: jointnotice by separate covered entities. Coveredentities that participate in organized healthcare arrangements may comply with thissection by a joint notice, provided that:

(1) The covered entities participating in theorganized health care arrangement agree toabide by the terms of the notice with respectto protected health information created orreceived by the covered entity as part of itsparticipation in the organized health carearrangement;

(2) The joint notice meets theimplementation specifications in paragraph(b) of this section, except that the statementsrequired by this section may be altered toreflect the fact that the notice covers morethan one covered entity; and

(i) Describes with reasonable specificitythe covered entities, or class of entities, towhich the joint notice applies;

(ii) Describes with reasonable specificitythe service delivery sites, or classes of servicedelivery sites, to which the joint noticeapplies; and

(iii) If applicable, states that the coveredentities participating in the organized healthcare arrangement will share protected healthinformation with each other, as necessary tocarry out treatment, payment, or health careoperations relating to the organized healthcare arrangement.

(3) The covered entities included in thejoint notice must provide the notice toindividuals in accordance with the applicableimplementation specifications of paragraph(c) of this section. Provision of the jointnotice to an individual by any one of thecovered entities included in the joint noticewill satisfy the provision requirement ofparagraph (c) of this section with respect to


October 2002

-25-

all others covered by the joint notice. (e) Implementation specifications:

Documentation. A covered entity mustdocument compliance with the noticerequirements, as required by § 164.530(j), byretaining copies of the notices issued by thecovered entity and, if applicable, any writtenacknowledgments of receipt of the notice ordocumentation of good faith efforts to obtainsuch written acknowledgment, in accordancewith paragraph (c)(2)(ii) of this section.

§ 164.522 Rights to request privacyprotection for protected healthinformation.

(a)(1) Standard: right of an individual torequest restriction of uses and disclosures.

(i) A covered entity must permit anindividual to request that the covered entityrestrict:

(A) Uses or disclosures of protectedhealth information about the individual tocarry out treatment, payment, or health careoperations; and

(B) Disclosures permitted under §164.510(b).

(ii) A covered entity is not required toagree to a restriction.

(iii) A covered entity that agrees to arestriction under paragraph (a)(1)(i) of thissection may not use or disclose protectedhealth information in violation of suchrestriction, except that, if the individual whorequested the restriction is in need ofemergency treatment and the restrictedprotected health information is needed toprovide the emergency treatment, the coveredentity may use the restricted protected healthinformation, or may disclose suchinformation to a health care provider, toprovide such treatment to the individual.

(iv) If restricted protected healthinformation is disclosed to a health careprovider for emergency treatment underparagraph (a)(1)(iii) of this section, thecovered entity must request that such healthcare provider not further use or disclose theinformation.

(v) A restriction agreed to by a coveredentity under paragraph (a) of this section, isnot effective under this subpart to preventuses or disclosures permitted or requiredunder §§ 164.502(a)(2)(ii), 164.510(a) or164.512.

(2) Implementation specifications:terminating a restriction. A covered entitymay terminate its agreement to a restriction,if:

(i) The individual agrees to or requeststhe termination in writing;

(ii) The individual orally agrees to the

termination and the oral agreement isdocumented; or

(iii) The covered entity informs theindividual that it is terminating its agreementto a restriction, except that such terminationis only effective with respect to protectedhealth information created or received after ithas so informed the individual.

(3) Implementation specification:documentation. A covered entity that agreesto a restriction must document the restrictionin accordance with § 164.530(j).

(b)(1) Standard: confidentialcommunications requirements.

(i) A covered health care provider mustpermit individuals to request and mustaccommodate reasonable requests byindividuals to receive communications ofprotected health information from the coveredhealth care provider by alternative means orat alternative locations.

(ii) A health plan must permitindividuals to request and must accommodatereasonable requests by individuals to receivecommunications of protected healthinformation from the health plan byalternative means or at alternative locations,if the individual clearly states that thedisclosure of all or part of that informationcould endanger the individual.

(2) Implementation specifications:conditions on providing confidentialcommunications.

(i) A covered entity may require theindividual to make a request for aconfidential communication described inparagraph (b)(1) of this section in writing.

(ii) A covered entity may condition theprovision of a reasonable accommodation on:

(A) When appropriate, information as tohow payment, if any, will be handled; and

(B) Specification of an alternativeaddress or other method of contact.

(iii) A covered health care provider maynot require an explanation from the individualas to the basis for the request as a conditionof providing communications on aconfidential basis.

(iv) A health plan may require that arequest contain a statement that disclosure ofall or part of the information to which therequest pertains could endanger theindividual.

§ 164.524 Access of individuals toprotected health information.

(a) Standard: access to protected healthinformation.

(1) Right of access. Except as otherwiseprovided in paragraph (a)(2) or (a)(3) of thissection, an individual has a right of access to

inspect and obtain a copy of protected healthinformation about the individual in adesignated record set, for as long as theprotected health information is maintained inthe designated record set, except for:

(i) Psychotherapy notes;(ii) Information compiled in reasonable

anticipation of, or for use in, a civil, criminal,or administrative action or proceeding; and

(iii) Protected health informationmaintained by a covered entity that is:

(A) Subject to the Clinical LaboratoryImprovements Amendments of 1988, 42U.S.C. 263a, to the extent the provision ofaccess to the individual would be prohibitedby law; or

(B) Exempt from the ClinicalLaboratory Improvements Amendments of1988, pursuant to 42 CFR 493.3(a)(2).

(2) Unreviewable grounds for denial. Acovered entity may deny an individual accesswithout providing the individual anopportunity for review, in the followingcircumstances.

(i) The protected health information isexcepted from the right of access byparagraph (a)(1) of this section.

(ii) A covered entity that is a correctionalinstitution or a covered health care provideracting under the direction of the correctionalinstitution may deny, in whole or in part, aninmate’s request to obtain a copy of protectedhealth information, if obtaining such copywould jeopardize the health, safety, security,custody, or rehabilitation of the individual orof other inmates, or the safety of any officer,employee, or other person at the correctionalinstitution or responsible for the transportingof the inmate.

(iii) An individual’s access to protectedhealth information created or obtained by acovered health care provider in the course ofresearch that includes treatment may betemporarily suspended for as long as theresearch is in progress, provided that theindividual has agreed to the denial of accesswhen consenting to participate in the researchthat includes treatment, and the coveredhealth care provider has informed theindividual that the right of access will bereinstated upon completion of the research.

(iv) An individual’s access to protectedhealth information that is contained inrecords that are subject to the Privacy Act, 5U.S.C. § 552a, may be denied, if the denial ofaccess under the Privacy Act would meet therequirements of that law.

(v) An individual’s access may be deniedif the protected health information wasobtained from someone other than a healthcare provider under a promise of


October 2002

-26-

confidentiality and the access requestedwould be reasonably likely to reveal thesource of the information.

(3) Reviewable grounds for denial. Acovered entity may deny an individual access,provided that the individual is given a right tohave such denials reviewed, as required byparagraph (a)(4) of this section, in thefollowing circumstances:

(i) A licensed health care professional hasdetermined, in the exercise of professionaljudgment, that the access requested isreasonably likely to endanger the life orphysical safety of the individual or anotherperson;

(ii) The protected health informationmakes reference to another person (unlesssuch other person is a health care provider)and a licensed health care professional hasdetermined, in the exercise of professionaljudgment, that the access requested isreasonably likely to cause substantial harm tosuch other person; or

(iii) The request for access is made by theindividual’s personal representative and alicensed health care professional hasdetermined, in the exercise of professionaljudgment, that the provision of access to suchpersonal representative is reasonably likely tocause substantial harm to the individual oranother person.

(4) Review of a denial of access. If accessis denied on a ground permitted underparagraph (a)(3) of this section, the individualhas the right to have the denial reviewed by alicensed health care professional who isdesignated by the covered entity to act as areviewing official and who did not participatein the original decision to deny. The coveredentity must provide or deny access inaccordance with the determination of thereviewing official under paragraph (d)(4) ofthis section.

(b) Implementation specifications: requestsfor access and timely action.

(1) Individual’s request for access. Thecovered entity must permit an individual torequest access to inspect or to obtain a copyof the protected health information about theindividual that is maintained in a designatedrecord set. The covered entity may requireindividuals to make requests for access inwriting, provided that it informs individualsof such a requirement.

(2) Timely action by the covered entity. (i) Except as provided in paragraph

(b)(2)(ii) of this section, the covered entitymust act on a request for access no later than30 days after receipt of the request as follows.

(A) If the covered entity grants therequest, in whole or in part, it must inform

the individual of the acceptance of the requestand provide the access requested, inaccordance with paragraph (c) of this section.

(B) If the covered entity denies therequest, in whole or in part, it must providethe individual with a written denial, inaccordance with paragraph (d) of this section.

(ii) If the request for access is forprotected health information that is notmaintained or accessible to the covered entityon-site, the covered entity must take an actionrequired by paragraph (b)(2)(i) of this sectionby no later than 60 days from the receipt ofsuch a request.

(iii) If the covered entity is unable to takean action required by paragraph (b)(2)(i)(A)or (B) of this section within the time requiredby paragraph (b)(2)(i) or (ii) of this section,as applicable, the covered entity may extendthe time for such actions by no more than 30days, provided that:

(A) The covered entity, within the timelimit set by paragraph (b)(2)(i) or (ii) of thissection, as applicable, provides the individualwith a written statement of the reasons for thedelay and the date by which the coveredentity will complete its action on the request;and

(B) The covered entity may have onlyone such extension of time for action on arequest for access.

(c) Implementation specifications: provisionof access. If the covered entity provides anindividual with access, in whole or in part, toprotected health information, the coveredentity must comply with the followingrequirements.

(1) Providing the access requested. Thecovered entity must provide the accessrequested by individuals, including inspectionor obtaining a copy, or both, of the protectedhealth information about them in designatedrecord sets. If the same protected healthinformation that is the subject of a request foraccess is maintained in more than onedesignated record set or at more than onelocation, the covered entity need only producethe protected health information once inresponse to a request for access.

(2) Form of access requested. (i) The covered entity must provide the

individual with access to the protected healthinformation in the form or format requestedby the individual, if it is readily producible insuch form or format; or, if not, in a readablehard copy form or such other form or formatas agreed to by the covered entity and theindividual.

(ii) The covered entity may provide theindividual with a summary of the protectedhealth information requested, in lieu of

providing access to the protected healthinformation or may provide an explanation ofthe protected health information to whichaccess has been provided, if:

(A) The individual agrees in advance tosuch a summary or explanation; and

(B) The individual agrees in advance tothe fees imposed, if any, by the covered entityfor such summary or explanation.

(3) Time and manner of access. Thecovered entity must provide the access asrequested by the individual in a timelymanner as required by paragraph (b)(2) ofthis section, including arranging with theindividual for a convenient time and place toinspect or obtain a copy of the protectedhealth information, or mailing the copy of theprotected health information at theindividual’s request. The covered entity maydiscuss the scope, format, and other aspectsof the request for access with the individualas necessary to facilitate the timely provisionof access.

(4) Fees. If the individual requests a copyof the protected health information or agreesto a summary or explanation of suchinformation, the covered entity may impose areasonable, cost-based fee, provided that thefee includes only the cost of:

(i) Copying, including the cost ofsupplies for and labor of copying, theprotected health information requested by theindividual;

(ii) Postage, when the individual hasrequested the copy, or the summary orexplanation, be mailed; and

(iii) Preparing an explanation or summaryof the protected health information, if agreedto by the individual as required by paragraph(c)(2)(ii) of this section.

(d) Implementation specifications: denial ofaccess. If the covered entity denies access, inwhole or in part, to protected healthinformation, the covered entity must complywith the following requirements.

(1) Making other information accessible. The covered entity must, to the extentpossible, give the individual access to anyother protected health information requested,after excluding the protected healthinformation as to which the covered entityhas a ground to deny access.

(2) Denial. The covered entity mustprovide a timely, written denial to theindividual, in accordance with paragraph(b)(2) of this section. The denial must be inplain language and contain:

(i) The basis for the denial;(ii) If applicable, a statement of the

individual’s review rights under paragraph(a)(4) of this section, including a description


October 2002

-27-

of how the individual may exercise suchreview rights; and

(iii) A description of how the individualmay complain to the covered entity pursuantto the complaint procedures in § 164.530(d)or to the Secretary pursuant to the proceduresin § 160.306. The description must includethe name, or title, and telephone number ofthe contact person or office designated in §164.530(a)(1)(ii).

(3) Other responsibility. If the coveredentity does not maintain the protected healthinformation that is the subject of theindividual’s request for access, and thecovered entity knows where the requestedinformation is maintained, the covered entitymust inform the individual where to direct therequest for access.

(4) Review of denial requested. If theindividual has requested a review of a denialunder paragraph (a)(4) of this section, thecovered entity must designate a licensedhealth care professional, who was not directlyinvolved in the denial to review the decisionto deny access. The covered entity mustpromptly refer a request for review to suchdesignated reviewing official. The designatedreviewing official must determine, within areasonable period of time, whether or not todeny the access requested based on thestandards in paragraph (a)(3) of this section. The covered entity must promptly providewritten notice to the individual of thedetermination of the designated reviewingofficial and take other action as required bythis section to carry out the designatedreviewing official’s determination.

(e) Implementation specification:documentation. A covered entity mustdocument the following and retain thedocumentation as required by § 164.530(j):

(1) The designated record sets that aresubject to access by individuals; and

(2) The titles of the persons or officesresponsible for receiving and processingrequests for access by individuals.

§ 164.526 Amendment of protectedhealth information.

(a) Standard: right to amend.(1) Right to amend. An individual has the

right to have a covered entity amendprotected health information or a record aboutthe individual in a designated record set for aslong as the protected health information ismaintained in the designated record set.

(2) Denial of amendment. A covered entitymay deny an individual’s request foramendment, if it determines that the protectedhealth information or record that is thesubject of the request:

(i) Was not created by the covered entity,unless the individual provides a reasonablebasis to believe that the originator ofprotected health information is no longeravailable to act on the requested amendment;

(ii) Is not part of the designated recordset;

(iii) Would not be available forinspection under § 164.524; or

(iv) Is accurate and complete.(b) Implementation specifications: requests

for amendment and timely action. (1) Individual’s request for amendment.

The covered entity must permit an individualto request that the covered entity amend theprotected health information maintained inthe designated record set. The covered entitymay require individuals to make requests foramendment in writing and to provide a reasonto support a requested amendment, providedthat it informs individuals in advance of suchrequirements.

(2) Timely action by the covered entity. (i) The covered entity must act on the

individual’s request for an amendment nolater than 60 days after receipt of such arequest, as follows.

(A) If the covered entity grants therequested amendment, in whole or in part, itmust take the actions required by paragraphs(c)(1) and (2) of this section.

(B) If the covered entity denies therequested amendment, in whole or in part, itmust provide the individual with a writtendenial, in accordance with paragraph (d)(1) ofthis section.

(ii) If the covered entity is unable to acton the amendment within the time requiredby paragraph (b)(2)(i) of this section, thecovered entity may extend the time for suchaction by no more than 30 days, providedthat:

(A) The covered entity, within the timelimit set by paragraph (b)(2)(i) of this section,provides the individual with a writtenstatement of the reasons for the delay and thedate by which the covered entity willcomplete its action on the request; and

(B) The covered entity may have onlyone such extension of time for action on arequest for an amendment.

(c) Implementation specifications:accepting the amendment. If the coveredentity accepts the requested amendment, inwhole or in part, the covered entity mustcomply with the following requirements.

(1) Making the amendment. The coveredentity must make the appropriate amendmentto the protected health information or recordthat is the subject of the request foramendment by, at a minimum, identifying the

records in the designated record set that areaffected by the amendment and appending orotherwise providing a link to the location ofthe amendment.

(2) Informing the individual. Inaccordance with paragraph (b) of this section,the covered entity must timely inform theindividual that the amendment is acceptedand obtain the individual’s identification ofand agreement to have the covered entitynotify the relevant persons with which theamendment needs to be shared in accordancewith paragraph (c)(3) of this section.

(3) Informing others. The covered entitymust make reasonable efforts to inform andprovide the amendment within a reasonabletime to:

(i) Persons identified by the individual ashaving received protected health informationabout the individual and needing theamendment; and

(ii) Persons, including businessassociates, that the covered entity knows havethe protected health information that is thesubject of the amendment and that may haverelied, or could foreseeably rely, on suchinformation to the detriment of the individual.

(d) Implementation specifications: denyingthe amendment. If the covered entity deniesthe requested amendment, in whole or in part,the covered entity must comply with thefollowing requirements.

(1) Denial. The covered entity mustprovide the individual with a timely, writtendenial, in accordance with paragraph (b)(2) ofthis section. The denial must use plainlanguage and contain:

(i) The basis for the denial, in accordancewith paragraph (a)(2) of this section;

(ii) The individual’s right to submit awritten statement disagreeing with the denialand how the individual may file such astatement;

(iii) A statement that, if the individualdoes not submit a statement of disagreement,the individual may request that the coveredentity provide the individual’s request foramendment and the denial with any futuredisclosures of the protected healthinformation that is the subject of theamendment; and

(iv) A description of how the individualmay complain to the covered entity pursuantto the complaint procedures established in §164.530(d) or to the Secretary pursuant to theprocedures established in § 160.306. Thedescription must include the name, or title,and telephone number of the contact personor office designated in §164.530(a)(1)(ii).

(2) Statement of disagreement. Thecovered entity must permit the individual to


October 2002

-28-

submit to the covered entity a writtenstatement disagreeing with the denial of all orpart of a requested amendment and the basisof such disagreement. The covered entitymay reasonably limit the length of a statementof disagreement.

(3) Rebuttal statement. The covered entitymay prepare a written rebuttal to theindividual’s statement of disagreement. Whenever such a rebuttal is prepared, thecovered entity must provide a copy to theindividual who submitted the statement ofdisagreement.

(4) Recordkeeping. The covered entitymust, as appropriate, identify the record orprotected health information in the designatedrecord set that is the subject of the disputedamendment and append or otherwise link theindividual’s request for an amendment, thecovered entity’s denial of the request, theindividual’s statement of disagreement, ifany, and the covered entity’s rebuttal, if any,to the designated record set.

(5) Future disclosures. (i) If a statement of disagreement has

been submitted by the individual, the coveredentity must include the material appended inaccordance with paragraph (d)(4) of thissection, or, at the election of the coveredentity, an accurate summary of any suchinformation, with any subsequent disclosureof the protected health information to whichthe disagreement relates.

(ii) If the individual has not submitted awritten statement of disagreement, thecovered entity must include the individual’srequest for amendment and its denial, or anaccurate summary of such information, withany subsequent disclosure of the protectedhealth information only if the individual hasrequested such action in accordance withparagraph (d)(1)(iii) of this section.

(iii) When a subsequent disclosuredescribed in paragraph (d)(5)(i) or (ii) of thissection is made using a standard transactionunder part 162 of this subchapter that doesnot permit the additional material to beincluded with the disclosure, the coveredentity may separately transmit the materialrequired by paragraph (d)(5)(i) or (ii) of thissection, as applicable, to the recipient of thestandard transaction.

(e) Implementation specification: actions onnotices of amendment. A covered entity thatis informed by another covered entity of anamendment to an individual’s protectedhealth information, in accordance withparagraph (c)(3) of this section, must amendthe protected health information in designatedrecord sets as provided by paragraph (c)(1) ofthis section.

(f) Implementation specification:documentation. A covered entity mustdocument the titles of the persons or officesresponsible for receiving and processingrequests for amendments by individuals andretain the documentation as required by §164.530(j).

§ 164.528 Accounting of disclosures ofprotected health information.

(a) Standard: right to an accounting ofdisclosures of protected health information.

(1) An individual has a right to receive anaccounting of disclosures of protected healthinformation made by a covered entity in thesix years prior to the date on which theaccounting is requested, except fordisclosures:

(i) To carry out treatment, payment andhealth care operations as provided in §164.506;

(ii) To individuals of protected healthinformation about them as provided in §164.502;

(iii) Incident to a use or disclosureotherwise permitted or required by thissubpart, as provided in § 164.502;

(iv) Pursuant to an authorization asprovided in § 164.508;

(v) For the facility’s directory or topersons involved in the individual’s care orother notification purposes as provided in §164.510;

(vi) For national security or intelligencepurposes as provided in § 164.512(k)(2);

(vii) To correctional institutions or lawenforcement officials as provided in §164.512(k)(5);

(viii) As part of a limited data set inaccordance with § 164.514(e); or

(ix) That occurred prior to thecompliance date for the covered entity.

(2)(i) The covered entity must temporarilysuspend an individual’s right to receive anaccounting of disclosures to a healthoversight agency or law enforcement official,as provided in § 164.512(d) or (f),respectively, for the time specified by suchagency or official, if such agency or officialprovides the covered entity with a writtenstatement that such an accounting to theindividual would be reasonably likely toimpede the agency's activities and specifyingthe time for which such a suspension isrequired.

(ii) If the agency or official statement inparagraph (a)(2)(i) of this section is madeorally, the covered entity must:

(A) Document the statement, includingthe identity of the agency or official makingthe statement;

(B) Temporarily suspend theindividual’s right to an accounting ofdisclosures subject to the statement; and

(C) Limit the temporary suspension tono longer than 30 days from the date of theoral statement, unless a written statementpursuant to paragraph (a)(2)(i) of this sectionis submitted during that time.

(3) An individual may request anaccounting of disclosures for a period of timeless than six years from the date of therequest.

(b) Implementation specifications: contentof the accounting. The covered entity mustprovide the individual with a writtenaccounting that meets the followingrequirements.

(1) Except as otherwise provided byparagraph (a) of this section, the accountingmust include disclosures of protected healthinformation that occurred during the six years(or such shorter time period at the request ofthe individual as provided in paragraph (a)(3)of this section) prior to the date of the requestfor an accounting, including disclosures to orby business associates of the covered entity.

(2) Except as otherwise provided byparagraphs (b)(3) or (b)(4) of this section, theaccounting must include for each disclosure:

(i) The date of the disclosure;(ii) The name of the entity or person who

received the protected health information and,if known, the address of such entity orperson;

(iii) A brief description of the protectedhealth information disclosed; and

(iv) A brief statement of the purpose ofthe disclosure that reasonably informs theindividual of the basis for the disclosure or, inlieu of such statement, a copy of a writtenrequest for a disclosure under §§164.502(a)(2)(ii) or 164.512, if any.

(3) If, during the period covered by theaccounting, the covered entity has mademultiple disclosures of protected healthinformation to the same person or entity for asingle purpose under §§ 164.502(a)(2)(ii) or164.512, the accounting may, with respect tosuch multiple disclosures, provide:

(i) The information required by paragraph(b)(2) of this section for the first disclosureduring the accounting period;

(ii) The frequency, periodicity, or numberof the disclosures made during the accountingperiod; and

(iii) The date of the last such disclosureduring the accounting period.

(4)(i) If, during the period covered by theaccounting, the covered entity has madedisclosures of protected health informationfor a particular research purpose in


October 2002

-29-

accordance with § 164.512(i) for 50 or moreindividuals, the accounting may, with respectto such disclosures for which the protectedhealth information about the individual mayhave been included, provide:

(A) The name of the protocol or otherresearch activity;

(B) A description, in plain language, ofthe research protocol or other researchactivity, including the purpose of the researchand the criteria for selecting particularrecords;

(C) A brief description of the type ofprotected health information that wasdisclosed;

(D) The date or period of time duringwhich such disclosures occurred, or may haveoccurred, including the date of the last suchdisclosure during the accounting period;

(E) The name, address, and telephonenumber of the entity that sponsored theresearch and of the researcher to whom theinformation was disclosed; and

(F) A statement that the protected healthinformation of the individual may or may nothave been disclosed for a particular protocolor other research activity.

(ii) If the covered entity provides anaccounting for research disclosures, inaccordance with paragraph (b)(4) of thissection, and if it is reasonably likely that theprotected health information of the individualwas disclosed for such research protocol oractivity, the covered entity shall, at therequest of the individual, assist in contactingthe entity that sponsored the research and theresearcher.

(c) Implementation specifications: provisionof the accounting.

(1) The covered entity must act on theindividual’s request for an accounting, nolater than 60 days after receipt of such arequest, as follows.

(i) The covered entity must provide theindividual with the accounting requested; or

(ii) If the covered entity is unable toprovide the accounting within the timerequired by paragraph (c)(1) of this section,the covered entity may extend the time toprovide the accounting by no more than 30days, provided that:

(A) The covered entity, within the timelimit set by paragraph (c)(1) of this section,provides the individual with a writtenstatement of the reasons for the delay and thedate by which the covered entity will providethe accounting; and

(B) The covered entity may have onlyone such extension of time for action on arequest for an accounting.

(2) The covered entity must provide the

first accounting to an individual in any 12month period without charge. The coveredentity may impose a reasonable, cost-basedfee for each subsequent request for anaccounting by the same individual within the12 month period, provided that the coveredentity informs the individual in advance ofthe fee and provides the individual with anopportunity to withdraw or modify therequest for a subsequent accounting in orderto avoid or reduce the fee.

(d) Implementation specification:documentation. A covered entity mustdocument the following and retain thedocumentation as required by § 164.530(j):

(1) The information required to beincluded in an accounting under paragraph(b) of this section for disclosures of protectedhealth information that are subject to anaccounting under paragraph (a) of thissection;

(2) The written accounting that is providedto the individual under this section; and

(3) The titles of the persons or officesresponsible for receiving and processingrequests for an accounting by individuals.

§ 164.530 Administrative requirements.(a)(1) Standard: personnel designations.

(i) A covered entity must designate aprivacy official who is responsible for thedevelopment and implementation of thepolicies and procedures of the entity.

(ii) A covered entity must designate acontact person or office who is responsiblefor receiving complaints under this sectionand who is able to provide furtherinformation about matters covered by thenotice required by § 164.520.

(2) Implementation specification:personnel designations. A covered entitymust document the personnel designations inparagraph (a)(1) of this section as required byparagraph (j) of this section.

(b)(1) Standard: training. A covered entitymust train all members of its workforce onthe policies and procedures with respect toprotected health information required by thissubpart, as necessary and appropriate for themembers of the workforce to carry out theirfunction within the covered entity.

(2) Implementation specifications:training.

(i) A covered entity must provide trainingthat meets the requirements of paragraph(b)(1) of this section, as follows:

(A) To each member of the coveredentity's workforce by no later than thecompliance date for the covered entity;

(B) Thereafter, to each new member ofthe workforce within a reasonable period of

time after the person joins the coveredentity’s workforce; and

(C) To each member of the coveredentity’s workforce whose functions areaffected by a material change in the policiesor procedures required by this subpart, withina reasonable period of time after the materialchange becomes effective in accordance withparagraph (i) of this section.

(ii) A covered entity must document thatthe training as described in paragraph(b)(2)(i) of this section has been provided, asrequired by paragraph (j) of this section.

(c)(1) Standard: safeguards. A coveredentity must have in place appropriateadministrative, technical, and physicalsafeguards to protect the privacy of protectedhealth information.

(2) Implementation specification:safeguards.

(i) A covered entity must reasonablysafeguard protected health information fromany intentional or unintentional use ordisclosure that is in violation of the standards,implementation specifications or otherrequirements of this subpart.

(ii) A covered entity must reasonablysafeguard protected health information tolimit incidental uses or disclosures madepursuant to an otherwise permitted orrequired use or disclosure.

(d)(1) Standard: complaints to the coveredentity. A covered entity must provide aprocess for individuals to make complaintsconcerning the covered entity's policies andprocedures required by this subpart or itscompliance with such policies and proceduresor the requirements of this subpart.

(2) Implementation specification:documentation of complaints. As required byparagraph (j) of this section, a covered entitymust document all complaints received, andtheir disposition, if any.

(e)(1) Standard: sanctions. A coveredentity must have and apply appropriatesanctions against members of its workforcewho fail to comply with the privacy policiesand procedures of the covered entity or therequirements of this subpart. This standarddoes not apply to a member of the coveredentity’s workforce with respect to actions thatare covered by and that meet the conditionsof § 164.502(j) or paragraph (g)(2) of thissection.

(2) Implementation specification:documentation. As required by paragraph (j)of this section, a covered entity mustdocument the sanctions that are applied, ifany.

(f) Standard: mitigation. A covered entitymust mitigate, to the extent practicable, any


October 2002

-30-

harmful effect that is known to the coveredentity of a use or disclosure of protectedhealth information in violation of its policiesand procedures or the requirements of thissubpart by the covered entity or its businessassociate.

(g) Standard: refraining from intimidatingor retaliatory acts. A covered entity may notintimidate, threaten, coerce, discriminateagainst, or take other retaliatory actionagainst:

(1) Individuals. Any individual for theexercise by the individual of any right under,or for participation by the individual in anyprocess established by this subpart, includingthe filing of a complaint under this section;

(2) Individuals and others. Any individualor other person for:

(i) Filing of a complaint with theSecretary under subpart C of part 160 of thissubchapter;

(ii) Testifying, assisting, or participatingin an investigation, compliance review,proceeding, or hearing under Part C of TitleXI; or

(iii) Opposing any act or practice madeunlawful by this subpart, provided theindividual or person has a good faith beliefthat the practice opposed is unlawful, and themanner of the opposition is reasonable anddoes not involve a disclosure of protectedhealth information in violation of thissubpart.

(h) Standard: waiver of rights. A coveredentity may not require individuals to waivetheir rights under § 160.306 of thissubchapter or this subpart as a condition ofthe provision of treatment, payment,enrollment in a health plan, or eligibility forbenefits.

(i)(1) Standard: policies and procedures. Acovered entity must implement policies andprocedures with respect to protected healthinformation that are designed to comply withthe standards, implementation specifications,or other requirements of this subpart. Thepolicies and procedures must be reasonablydesigned, taking into account the size of andthe type of activities that relate to protectedhealth information undertaken by the coveredentity, to ensure such compliance. Thisstandard is not to be construed to permit orexcuse an action that violates any otherstandard, implementation specification, orother requirement of this subpart.

(2) Standard: changes to policies orprocedures.

(i) A covered entity must change itspolicies and procedures as necessary andappropriate to comply with changes in thelaw, including the standards, requirements,

and implementation specifications of thissubpart;

(ii) When a covered entity changes aprivacy practice that is stated in the noticedescribed in § 164.520, and makescorresponding changes to its policies andprocedures, it may make the changes effectivefor protected health information that itcreated or received prior to the effective dateof the notice revision, if the covered entityhas, in accordance with §164.520(b)(1)(v)(C), included in the notice astatement reserving its right to make such achange in its privacy practices; or

(iii) A covered entity may make anyother changes to policies and procedures atany time, provided that the changes aredocumented and implemented in accordancewith paragraph (i)(5) of this section.

(3) Implementation specification: changesin law. Whenever there is a change in lawthat necessitates a change to the coveredentity’s policies or procedures, the coveredentity must promptly document andimplement the revised policy or procedure. Ifthe change in law materially affects thecontent of the notice required by § 164.520,the covered entity must promptly make theappropriate revisions to the notice inaccordance with § 164.520(b)(3). Nothing inthis paragraph may be used by a coveredentity to excuse a failure to comply with thelaw.

(4) Implementation specifications:changes to privacy practices stated in thenotice.

(i) To implement a change as provided byparagraph (i)(2)(ii) of this section, a coveredentity must:

(A) Ensure that the policy or procedure,as revised to reflect a change in the coveredentity’s privacy practice as stated in itsnotice, complies with the standards,requirements, and implementationspecifications of this subpart;

(B) Document the policy or procedure,as revised, as required by paragraph (j) of thissection; and

(C) Revise the notice as required by §164.520(b)(3) to state the changed practiceand make the revised notice available asrequired by § 164.520(c). The covered entitymay not implement a change to a policy orprocedure prior to the effective date of therevised notice.

(ii) If a covered entity has not reserved itsright under § 164.520(b)(1)(v)(C) to change aprivacy practice that is stated in the notice,the covered entity is bound by the privacypractices as stated in the notice with respectto protected health information created or

received while such notice is in effect. Acovered entity may change a privacy practicethat is stated in the notice, and the relatedpolicies and procedures, without havingreserved the right to do so, provided that:

(A) Such change meets theimplementation specifications in paragraphs(i)(4)(i)(A)-(C) of this section; and

(B) Such change is effective only withrespect to protected health informationcreated or received after the effective date ofthe notice.

(5) Implementation specification: changesto other policies or procedures. A coveredentity may change, at any time, a policy orprocedure that does not materially affect thecontent of the notice required by § 164.520,provided that:

(i) The policy or procedure, as revised,complies with the standards, requirements,and implementation specifications of thissubpart; and

(ii) Prior to the effective date of thechange, the policy or procedure, as revised, isdocumented as required by paragraph (j) ofthis section.

(j)(1) Standard: documentation. A coveredentity must:

(i) Maintain the policies and proceduresprovided for in paragraph (i) of this section inwritten or electronic form;

(ii) If a communication is required by thissubpart to be in writing, maintain suchwriting, or an electronic copy, asdocumentation; and

(iii) If an action, activity, or designationis required by this subpart to be documented,maintain a written or electronic record ofsuch action, activity, or designation.

(2) Implementation specification:retention period. A covered entity mustretain the documentation required byparagraph (j)(1) of this section for six yearsfrom the date of its creation or the date whenit last was in effect, whichever is later.

(k) Standard: group health plans. (1) A group health plan is not subject to

the standards or implementationspecifications in paragraphs (a) through (f)and (i) of this section, to the extent that:

(i) The group health plan provides healthbenefits solely through an insurance contractwith a health insurance issuer or an HMO;and

(ii) The group health plan does not createor receive protected health information,except for:

(A) Summary health information asdefined in § 164.504(a); or

(B) Information on whether theindividual is participating in the group health


October 2002

-31-

plan, or is enrolled in or has disenrolled froma health insurance issuer or HMO offered bythe plan.

(2) A group health plan described inparagraph (k)(1) of this section is subject tothe standard and implementationspecification in paragraph (j) of this sectiononly with respect to plan documents amendedin accordance with § 164.504(f).

§ 164.532 Transition provisions.(a) Standard: Effect of prior authorizations.

Notwithstanding §§ 164.508 and 164.512(i),a covered entity may use or disclose protectedhealth information, consistent withparagraphs (b) and (c) of this section,pursuant to an authorization or other expresslegal permission obtained from an individualpermitting the use or disclosure of protectedhealth information, informed consent of theindividual to participate in research, or awaiver of informed consent by an IRB.

(b) Implementation specification: Effect ofprior authorization for purposes other thanresearch. Notwithstanding any provisions in§ 164.508, a covered entity may use ordisclose protected health information that itcreated or received prior to the applicablecompliance date of this subpart pursuant toan authorization or other express legalpermission obtained from an individual priorto the applicable compliance date of thissubpart, provided that the authorization orother express legal permission specificallypermits such use or disclosure and there is noagreed-to restriction in accordance with §164.522(a).

(c) Implementation specification: Effect ofprior permission for research. Notwithstanding any provisions in §§164.508 and 164.512(i), a covered entitymay, to the extent allowed by one of thefollowing permissions, use or disclose, forresearch, protected health information that itcreated or received either before or after theapplicable compliance date of this subpart,provided that there is no agreed-to restrictionin accordance with § 164.522(a), and thecovered entity has obtained, prior to theapplicable compliance date, either:

(1) An authorization or other express legalpermission from an individual to use ordisclose protected health information for theresearch;

(2) The informed consent of the individualto participate in the research; or

(3) A waiver, by an IRB, of informedconsent for the research, in accordance with 7CFR 1c.116(d), 10 CFR 745.116(d), 14 CFR1230.116(d), 15 CFR 27.116(d), 16 CFR1028.116(d), 21 CFR 50.24, 22 CFR

225.116(d), 24 CFR 60.116(d), 28 CFR46.116(d), 32 CFR 219.116(d), 34 CFR97.116(d), 38 CFR 16.116(d), 40 CFR26.116(d), 45 CFR 46.116(d), 45 CFR690.116(d), or 49 CFR 11.116(d), providedthat a covered entity must obtainauthorization in accordance with § 164.508if, after the compliance date, informedconsent is sought from an individualparticipating in the research.

(d) Standard: Effect of prior contracts orother arrangements with business associates. Notwithstanding any other provisions of thissubpart, a covered entity, other than a smallhealth plan, may disclose protected healthinformation to a business associate and mayallow a business associate to create, receive,or use protected health information on itsbehalf pursuant to a written contract or otherwritten arrangement with such businessassociate that does not comply with §§164.502(e) and 164.504(e) consistent withthe requirements, and only for such time, setforth in paragraph (e) of this section.

(e) Implementation specification: Deemedcompliance.

(1) Qualification. Notwithstanding othersections of this subpart, a covered entity,other than a small health plan, is deemed tobe in compliance with the documentation andcontract requirements of §§ 164.502(e) and164.504(e), with respect to a particularbusiness associate relationship, for the timeperiod set forth in paragraph (e)(2) of thissection, if:

(i) Prior to October 15, 2002, suchcovered entity has entered into and isoperating pursuant to a written contract orother written arrangement with a businessassociate for such business associate toperform functions or activities or provideservices that make the entity a businessassociate; and

(ii) The contract or other arrangement isnot renewed or modified from October 15,2002, until the compliance date set forth in §164.534.

(2) Limited deemed compliance period. Aprior contract or other arrangement that meetsthe qualification requirements in paragraph(e) of this section, shall be deemed compliantuntil the earlier of:

(i) The date such contract or otherarrangement is renewed or modified on orafter the compliance date set forth in §164.534; or

(ii) April 14, 2004.(3) Covered entity responsibilities.

Nothing in this section shall alter therequirements of a covered entity to complywith Part 160, Subpart C of this subchapter

and §§ 164.524, 164.526, 164.528, and164.530(f) with respect to protected healthinformation held by a business associate.

§ 164.534 Compliance dates for initialimplementation of the privacy standards.

(a) Health care providers. A covered healthcare provider must comply with theapplicable requirements of this subpart nolater than April 14, 2003.

(b) Health plans. A health plan mustcomply with the applicable requirements ofthis subpart no later than the following date,as applicable:

(1) Health plans other than small healthplans – April 14, 2003.

(2) Small health plans – April 14, 2004.(c) Health care clearinghouses. A health

care clearinghouse must comply with theapplicable requirements of this subpart nolater than April 14, 2003.