HIPAA Administrative Simplification

1 Department of Health and Human Services Office for Civil Rights HIPAA Administrative Simplification Regulation Text 45 CFR Parts 160, 162, and 164 (Unofficial Version, as amended through March 26, 2013) HIPAA Administrative Simplification Regulation Text March 2013 2 HIPAA Administrative Simplification Table of Contents Page Section PART 160 GENERAL Administrative REQUIREMENTS ..10 SUBPART A GENERAL PROVISIONS .. 10 Statutory basis and purpose.. 10 Applicability.. 11 Definitions.. 11 Modifications.. 17 Compliance dates for implementation of new or modified standards and implementation specifications.. 17 SUBPART B PREEMPTION OF STATE LAW .. 17 Statutory basis.. 17 Definitions.. 18 General rule and exceptions.. 18 Process for requesting exception determinations.. 19 Duration of effectiveness of exception determinations.. 19 SUBPART C COMPLIANCE AND INVESTIGATIONS.

2 19 Applicability.. 19 [Reserved] .. 20 Principles for achieving compliance.. 20 Complaints to the Secretary.. 20 Compliance reviews.. 20 Responsibilities of covered entities and business associates.. 20 HIPAA Administrative Simplification Regulation Text March 2013 3 Secretarial action regarding complaints and compliance reviews.. 21 Investigational subpoenas and inquiries.. 21 Refraining from intimidation or retaliation.. 23 SUBPART D IMPOSITION OF CIVIL MONEY PENALTIES .. 23 Applicability.. 23 Definitions.. 23 Basis for a civil money penalty.. 23 Amount of a civil money penalty.. 24 Violations of an identical requirement or prohibition.. 24 Factors considered in determining the amount of a civil money penalty.. 25 Affirmative defenses.. 25 26 Limitations.. 26 Authority to settle.. 26 Penalty not exclusive.

3 26 Notice of proposed determination.. 26 Failure to request a hearing.. 26 Collection of penalty.. 27 Notification of the public and other agencies.. 27 SUBPART E PROCEDURES FOR HEARINGS .. 27 Applicability.. 27 Definitions.. 27 Hearing before an ALJ.. 27 Rights of the parties.. 28 Authority of the ALJ.. 28 Ex parte contacts.. 29 Prehearing conferences.. 29 Authority to settle.. 29 HIPAA Administrative Simplification Regulation Text March 2013 4 Discovery.. 29 Exchange of witness lists, witness statements, and exhibits.. 30 Subpoenas for attendance at hearing.. 30 Fees.. 31 Form, filing, and service of papers.. 31 Computation of time.. 31 Motions.. 31 Sanctions.. 32 Collateral estoppel.. 32 The hearing.. 32 Statistical sampling.. 33 Witnesses.. 33 Evidence.. 33 The record.

4 34 Post hearing briefs.. 34 ALJ's decision.. 34 Appeal of the ALJ's decision.. 34 Stay of the Secretary's decision.. 35 PART 162 Administrative REQUIREMENTS ..37 SUBPART A GENERAL PROVISIONS .. 38 Applicability.. 38 Definitions.. 38 SUBPARTS B-C [RESERVED] .. 39 SUBPART D STANDARD UNIQUE HEALTH IDENTIFIER FOR HEALTH CARE PROVIDERS .. 39 [Reserved] .. 39 HIPAA Administrative Simplification Regulation Text March 2013 5 Compliance dates of the implementation of the standard unique health identifier for health care providers.. 39 Standard unique health identifier for health care providers.. 39 National Provider System.. 39 Implementation specifications: Health care providers.. 40 Implementation specifications: Health plans.. 40 Implementation specifications: Health care clearinghouses.. 40 SUBPART E STANDARD UNIQUE HEALTH IDENTIFIER FOR HEALTH PLANS 40 [Reserved].

5 40 Compliance requirements for the implementation of the standard unique health plan identifier.. 40 Standard unique health plan identifier.. 41 Enumeration 41 Full implementation requirements: Covered entities.. 41 Implementation specifications: Health plans.. 41 Other entity identifier.. 42 SUBPART F STANDARD UNIQUE EMPLOYER IDENTIFIER .. 42 Compliance dates of the implementation of the standard unique employer identifier.. 42 Standard unique employer identifier.. 42 Implementation specifications for covered entities.. 42 SUBPARTS G-H [RESERVED] .. 42 SUBPART I GENERAL PROVISIONS FOR TRANSACTIONS .. 42 [Reserved] .. 42 Maintenance of standards and adoption of modifications and new standards.. 42 Trading partner agreements.. 43 Availability of implementation specifications and operating rules.. 43 Requirements for covered entities.. 46 Additional requirements for health plans.

6 47 HIPAA Administrative Simplification Regulation Text March 2013 6 Additional rules for health care clearinghouses.. 47 Exceptions from standards to permit testing of proposed modifications.. 48 SUBPART J CODE 49 General requirements.. 49 Medical data code sets.. 49 Valid code sets.. 50 SUBPART K HEALTH CARE CLAIMS OR EQUIVALENT ENCOUNTER INFORMATION .. 50 Health care claims or equivalent encounter information transaction.. 50 Standards for health care claims or equivalent encounter information transaction.. 50 SUBPART L ELIGIBILITY FOR A HEALTH PLAN .. 52 Eligibility for a health plan transaction.. 52 Standards for eligibility for a health plan transaction.. 52 Operating rules for eligibility for a health plan transaction.. 52 SUBPART M REFERRAL CERTIFICATION AND AUTHORIZATION .. 53 Referral certification and authorization transaction.. 53 Standards for referral certification and authorization transaction.

7 53 SUBPART N HEALTH CARE CLAIM STATUS .. 54 Health care claim status transaction.. 54 Standards for health care claim status transaction.. 54 Operating rules for health care claim status transaction.. 54 SUBPART O ENROLLMENT AND DISENROLLMENT IN A HEALTH PLAN .. 54 Enrollment and disenrollment in a health plan transaction.. 54 Standards for enrollment and disenrollment in a health plan transaction.. 54 SUBPART P HEALTH CARE ELECTRONIC FUNDS TRANSFERS (EFT) AND REMITTANCE ADVICE .. 55 Health care electronic funds transfers (EFT) and remittance advice transaction.. 55 HIPAA Administrative Simplification Regulation Text March 2013 7 Standards for health care electronic funds transfers (EFT) and remittance advice transaction.. 55 Operating rules for health care electronic funds transfers (EFT) and remittance advice transaction.. 56 SUBPART Q HEALTH PLAN PREMIUM PAYMENTS .. 56 Health plan premium payments transaction.

8 56 Standards for health plan premium payments transaction.. 56 SUBPART R COORDINATION OF BENEFITS .. 57 Coordination of benefits transaction.. 57 Standards for coordination of benefits information transaction.. 57 SUBPART S MEDICAID PHARMACY SUBROGATION .. 58 Medicaid pharmacy subrogation transaction.. 58 Standard for Medicaid pharmacy subrogation transaction.. 58 PART 164 SECURITY AND PRIVACY ..59 SUBPART A GENERAL PROVISIONS .. 59 Statutory basis.. 59 Definitions.. 59 Applicability.. 60 Organizational requirements.. 60 Relationship to other parts.. 62 SUBPART B [RESERVED] .. 62 SUBPART C SECURITY STANDARDS FOR THE PROTECTION OF ELECTRONIC PROTECTED HEALTH INFORMATION .. 62 Applicability.. 62 Definitions.. 62 Security standards: General rules.. 63 Administrative safeguards.. 64 HIPAA Administrative Simplification Regulation Text March 2013 8 Physical safeguards.

9 66 Technical safeguards.. 66 Organizational requirements.. 67 Policies and procedures and documentation requirements.. 68 Compliance dates for the initial implementation of the security standards.. 68 SUBPART D NOTIFICATION IN THE CASE OF BREACH OF UNSECURED PROTECTED HEALTH INFORMATION .. 71 Applicability.. 71 Definitions.. 71 Notification to individuals.. 71 Notification to the media.. 72 Notification to the Secretary.. 72 Notification by a business associate.. 73 Law enforcement delay.. 73 Administrative requirements and burden of proof.. 73 SUBPART E PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION .. 73 Applicability.. 73 Definitions.. 74 Uses and disclosures of protected health information: General rules.. 77 Uses and disclosures: Organizational requirements.. 81 Uses and disclosures to carry out treatment, payment, or health care operations.

10 84 Uses and disclosures for which an authorization is required.. 85 Uses and disclosures requiring an opportunity for the individual to agree or to 87 Uses and disclosures for which an authorization or opportunity to agree or object is not required.. 88 Other requirements relating to uses and disclosures of protected health information.. 96 Notice of privacy practices for protected health information.. 101 Rights to request privacy protection for protected health information.. 104 HIPAA Administrative Simplification Regulation Text March 2013 9 Access of individuals to protected health information.. 105 Amendment of protected health information.. 108 Accounting of disclosures of protected health information.. 110 Administrative requirements.. 111 Transition provisions.. 114 Compliance dates for initial implementation of the privacy standards.. 115 HIPAA Administrative Simplification Regulation Text March 2013 10 PART 160 GENERAL Administrative REQUIREMENTS Contents Subpart A General Provisions Statutory basis and purpose.