Table of Contents for Guide to Privacy Rule

1. Definitions
2. General Rules
3. Uses and Disclosures
3.1. Permitted Uses and Disclosures
3.2. Required Disclosures
3.3. Disclosures by Whistleblowers and Workforce Member Crime Victims
3.4. Limited Data Set
3.5. Uses/Disclosures for Fundraising
3.6. Uses/Disclosures for Underwriting and Related Purposes
3.7. Minimum Necessary
3.8. PHI of Deceased Individuals
3.9. Personal Representatives
3.9.1. Adults and Emancipated Minors
3.9.2. Unemancipated Minors
3.9.3. Deceased Individuals
3.9.4. Abuse, Neglect and Endangerment
3.10. De-identification of PHI
4. Notice of Privacy Practices/Privacy Notice
4.1. Notice to Individuals Required
4.2. Content of Notice
4.2.3. Separate Statement for Certain Uses or Disclosures Required
4.2.4. Individual Rights
4.2.5. CE's Duties
4.2.6. Complaints
4.2.7. Contact
4.2.8. Effective Date
4.2.9. Optional Elements for Notice
4.2.10. Revisions of Notice
4.3. Provision of Notice
4.3.1. Health Plans
4.3.2. Providers with a Direct Treatment Relationship with Individual
4.3.3. Electronic Notice
4.4. Joint Notice by Separate Covered Entities (CEs)
4.5. Documentation
5. Treatment, Payment and Health Care Operations (TPO)
5.1.1. Standard: Consent
5.1.2. Implementation TPO
6. Uses/Disclosures Requiring Opportunity to Agree or to Object
6.1. Facility Directories
6.2. Uses/Disclosures to Those Involved in Individual's Care, or for Notification Purposes
7. Authorization
7.1. Authorization Requirement
7.2. Authorization Required-Marketing
7.3. General Requirements for Authorization
7.3.4. Compound Authorizations

7.3.5. Conditioning Authorizations
7.3.6. Revocation
7.3.7. Documentation
7.4. Core Elements
7.5. Required Statements
7.6. Additional Requirements
8. Individual's Rights Related to PHI
8.1. Access of Individuals to PHI
8.1.1. Right of Access
8.1.2. Denial of Right to Access without Right to Review
8.1.3. Denial of Right to Access with Right of Review
8.1.4. Requests for Access; Timely Action
8.1.5. Provision of Access
8.1.6. Denial of Access
8.1.7. Documentation
8.2. Rights to Request Privacy Protection for PHI
8.2.1. Individual Requested Restriction of Uses and Disclosures
8.2.2. Confidential Communications
8.3. Amendment of PHI
8.3.1. Right to Amend and Denial of Amendment
8.3.2. Request for Amendment and Timely Action
8.3.3. Accepting the Amendment
8.3.4. Denying the Amendment
8.3.6. Documentation
9. Uses and Disclosures of PHI for Which Consent, Authorization, or Opportunity to Agree or Object is Not Required
9.1. Uses and Disclosures for Health Oversight Activities
9.2. Uses and Disclosures for Public Health Activities
9.3. Uses/Disclosures Required by Law
9.4. Uses/Disclosures Relating to Abuse and Neglect
9.5. Uses/Disclosures for Judicial and Administrative Proceedings
9.6. Uses/Disclosures for Law Enforcement Purposes
9.6.1. Permitted Disclosures Pursuant to Process and as Otherwise Required by Law
9.6.2. Permitted Disclosure of Limited Information for Identification and Location Purposes
9.6.3. Victims of Crime
9.6.4. Decedents
9.6.5. Crime on Premises
9.6.6. Reporting Crime in Emergencies
9.6.7. Correctional Institutions and Other Law Enforcement Custodial Situations
9.7. Uses and Disclosures to Avert Serious Threat to Health and Safety
9.8. Uses and Disclosures for Research Purposes
9.9. Uses and Disclosures about Decedents
9.10. Uses and Disclosures for Cadaveric, Organ, Eye or Tissue Donation Purposes
9.11. Uses and Disclosures for Specialized Government Functions
9.11.1. Military and Veterans Activities
9.11.2. National Security and Intelligence Activities
9.11.3. Protective Services for the President and Others
9.11.4. Medical Suitability Determinations
9.11.5. CEs that are Government Programs Providing Public Benefits
9.12. Disclosures for Workers' Compensation
10. Organizational Requirements
10.1. Relevant Definitions
10.1.1. Common Control
10.1.2. Common Ownership
10.1.3. Health Care Component
10.1.4. Hybrid Entity
10.1.5. Organized Health Care Arrangement
10.1.6. Plan Administration Functions
10.1.7. Summary Health Information
10.2. Health Care Components
10.3. Hybrid Entities
10.4. Affiliated Covered Entities
10.5. Disclosures to Business Associates (BAs)
10.6. Group Health Plans
10.6.2. Plan Documents
10.7. Requirements for CE with Multiple Covered Functions
11. Administrative Requirements
11.1. Verification Requirements
11.2. Accounting for Disclosures of PHI
11.2.2. Content of Accounting
11.2.3. Provision of the Accounting
11.2.4. Documentation
11.3. Administrative Requirements
11.3.1. Required Personnel Designations
11.3.2. Required Training
11.3.3. Safeguards to be in Place
11.3.4. Complaint Process
11.3.5. Sanctions to be in Place
11.3.6. Mitigation of Harmful Effects
11.3.7. Intimidating or Retaliatory Acts Prohibited
11.3.8. Waiver of Rights Prohibited
11.3.9. Necessary Policies and Procedures
11.3.10. Documentation Requirements
11.3.11. Group Health Plans
12. Compliance and Enforcement
12.1. Principles for Achieving Compliance
12.2. Complaints to the Secretary of HHS
12.3. Compliance Reviews
12.4. Responsibilities of CEs
12.5. Secretarial Action Regarding Complaints and Compliance Reviews
*Not Covered:
     Transition Provisions [164.532];
     Compliance Dates [164.534]

Index

Guide (PDF)