HIPAA — Health Insurance Portability and Accountability Act (45 CFR 160, 162, 164)
HIPAA governs the protection of protected health information (PHI). The Privacy Rule governs uses and disclosures, the Security Rule requires administrative, physical and technical safeguards for electronic PHI (ePHI), and the Breach Notification Rule requires notification of breaches of unsecured PHI.
In force
26 Mar 2013 (effective date of the Omnibus Final Rule; the original statute dates from 1996)
Sections
126
Official guides
2
Privacy, security and breaches of protected health information
HIPAA in brief
HIPAA regulates the handling of protected health information in the United States through rules on privacy, security, enforcement and breach notification, focused on covered entities and their business associates.
Who it applies to
Health plans, health care clearinghouses, health care providers that transmit health information electronically in connection with a standard transaction, and business associates that create, receive, maintain or transmit PHI/ePHI on a covered entity's behalf.
Key dates
- Privacy Rule: general compliance date April 14, 2003
- Security Rule: general compliance date April 20, 2005 (small health plans had an additional year)
- Breach Notification: without unreasonable delay and no later than 60 calendar days after discovery of the breach
Main obligations
- Conduct a risk analysis and manage the identified risks to ePHI.
- Implement administrative, physical and technical safeguards.
- Control access, keep audit logs, and protect integrity, person or entity authentication, and transmission security.
- Maintain auditable policies, procedures and documentation.
- Notify breaches of unsecured PHI according to their size, the required recipients (affected individuals, the Secretary of HHS, and the media when more than 500 residents of a State or jurisdiction are affected) and the applicable deadlines.
Frequently asked questions
What does HIPAA protect?
HIPAA protects protected health information (PHI/ePHI) through rules on privacy, security and breach notification.
What controls does the Security Rule require?
It requires administrative, physical and technical safeguards, including risk analysis, access control, audit logs, integrity controls, person or entity authentication, transmission security and documentation of policies and procedures.
Technical guides and official sources
General
Statutory basis and purpose
Statutory basis and purpose — The requirements of this subchapter implement sections 1171-1180 of the Social Security Act (the Act), sections 262 and 264 of Public Law 104-191, section 105 of Public Law…
Applicability
Applicability — (a) Except as otherwise provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to the following entities: (1) A health plan.
Definitions
Definitions — Except as otherwise provided, the following definitions apply to this subchapter: Act means the Social Security Act.
Modifications
Modifications — (a) Except as provided in paragraph (b) of this section, the Secretary may adopt a modification to a standard or implementation specification adopted under this subchapter no more…
Compliance dates for implementation of new or modified standards and implementation specifications
Compliance dates for implementation of new or modified standards and implementation specifications — Except as otherwise provided, with respect to rules that adopt new standards and implementation specifications or modifications to standards and implementation specifications in…
Statutory basis
Statutory basis — The provisions of this subpart implement section 1178 of the Act, section 262 of Public Law 104-191, section 264(c) of Public Law 104-191, and section 13421(a) of Public Law 111-5.
of this subchapter
of this subchapter — (D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and…
General rule and exceptions
General rule and exceptions — A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law.
Process for requesting exception determinations
Process for requesting exception determinations — (a) A request to except a provision of State law from preemption under § 160.203(a) may be submitted to the Secretary.
Duration of effectiveness of exception determinations
Duration of effectiveness of exception determinations — An exception granted under this subpart remains in effect until: (a) Either the State law or the federal standard, requirement, or implementation specification that provided the…
Applicability
Applicability — This subpart applies to actions by the Secretary, covered entities, business associates, and others with respect to ascertaining the compliance by covered entities and business…
[Reserved]
[Reserved] — § 160.304 Principles for achieving compliance.
Principles for achieving compliance
Principles for achieving compliance — …
Complaints to the Secretary
Complaints to the Secretary — (a) Right to file a complaint.
Compliance reviews
Compliance reviews — (a) The Secretary will conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification…
Responsibilities of covered entities and business associates
Responsibilities of covered entities and business associates — (a) Provide records and compliance reports.
Secretarial action regarding complaints and compliance reviews
Secretarial action regarding complaints and compliance reviews — (a) Resolution when noncompliance is indicated.
Investigational subpoenas and inquiries
Investigational subpoenas and inquiries — (a) The Secretary may issue subpoenas in accordance with 42 U.S.C.
of this subchapter
of this subchapter — (h) Standard: Waiver of rights.
Applicability
Applicability — …
Definitions
Definitions — As used in this subpart, the following terms have the following meanings: Reasonable cause means an act or omission in which a covered entity or business associate knew, or by…
Basis for a civil money penalty
Basis for a civil money penalty — (a) General rule. Subject to § 160.410, the Secretary will impose a civil money penalty upon a covered entity or business associate if the Secretary determines that the covered…
of this part and includes the plural of these terms
of this part and includes the plural of these terms — CMS stands for Centers for Medicare & Medicaid Services within the Department of Health and Human Services.
Violations of an identical requirement or prohibition
Violations of an identical requirement or prohibition — The Secretary will determine the number of violations of an administrative simplification provision based on the nature of the covered entity's or business associate's obligation…
Factors considered in determining the amount of a civil money penalty
Factors considered in determining the amount of a civil money penalty — In determining the amount of any civil money penalty, the Secretary will consider the following factors, which may be mitigating or aggravating as appropriate: (a) The nature and…
Affirmative defenses
Affirmative defenses — (a) The Secretary may not: (1) Prior to February 18, 2011, impose a civil money penalty on a covered entity or business associate for an act that violates an administrative…
of this part; and (iv) Compliance with subpart D of part 164, as provided under § 164
of this part; and (iv) Compliance with subpart D of part 164, as provided under § 164 — 414(b). (2) The Secretary has the burden of going forward and the burden of persuasion with respect to all other issues, including issues of liability other than with respect to…
Limitations
Limitations — No action under this subpart may be entertained unless commenced by the Secretary, in accordance with § 160.420, within 6 years from the date of the occurrence of the violation.
Authority to settle
Authority to settle — …
Penalty not exclusive
Penalty not exclusive — Except as otherwise provided by 42 U.S.C.
Notice of proposed determination
Notice of proposed determination — (a) If a penalty is proposed in accordance with this part, the Secretary must deliver, or send by certified mail with return receipt requested, to the respondent, written notice…
Failure to request a hearing
Failure to request a hearing — …
Collection of penalty
Collection of penalty — (a) Once a determination of the Secretary to impose a penalty has become final, the penalty will be collected by the Secretary, subject to the first sentence of 42 U.S.C.
Notification of the public and other agencies
Notification of the public and other agencies — Whenever a proposed penalty becomes final, the Secretary will notify, in such manner as the Secretary deems appropriate, the public and the following organizations and entities…
Applicability
Applicability — …
Definitions
Definitions — As used in this subpart, the following term has the following meaning: Board means the members of the HHS Departmental Appeals Board, in the Office of the Secretary, who issue…
Hearing before an ALJ
Hearing before an ALJ — (a) A respondent may request a hearing before an ALJ.
Rights of the parties
Rights of the parties — (a) Except as otherwise limited by this subpart, each party may— (1) Be accompanied, represented, and advised by an attorney; (2) Participate in any conference held by the ALJ;…
Authority of the ALJ
Authority of the ALJ — (a) The ALJ must conduct a fair and impartial hearing, avoid delay, maintain order, and ensure that a record of the proceeding is made.
Ex parte contacts
Ex parte contacts — No party or person (except employees of the ALJ's office) may communicate in any way with the ALJ on any matter at issue in a case, unless on notice and opportunity for both…
Prehearing conferences
Prehearing conferences — (a) The ALJ must schedule at least one prehearing conference, and may schedule additional prehearing conferences as appropriate, upon reasonable notice, which may not be less than…
Authority to settle
Authority to settle — … (source: HIPAA Administrative Simplification Regulation Text, March 2013)
Discovery
Discovery — (a) A party may make a request to another party for production of documents for inspection and copying that are relevant and material to the issues before the ALJ.
Exchange of witness lists, witness statements, and exhibits
Exchange of witness lists, witness statements, and exhibits — (a) The parties must exchange witness lists, copies of prior written statements of proposed witnesses, and copies of proposed hearing exhibits, including copies of any written…
Subpoenas for attendance at hearing
Subpoenas for attendance at hearing — (a) A party wishing to procure the appearance and testimony of any person at the hearing may make a motion requesting the ALJ to issue a subpoena if the appearance and testimony…
Fees
Fees — The party requesting a subpoena must pay the cost of the fees and mileage of any witness subpoenaed in the amounts that would be payable to a witness in a proceeding in United…
Form, filing, and service of papers
Form, filing, and service of papers — (a) Forms. (1) Unless the ALJ directs the parties to do otherwise, documents filed with the ALJ must include an original and two copies. (2) Every pleading and paper filed in the…
Computation of time
Computation of time — (a) In computing any period of time under this subpart or in an order issued thereunder, the time begins with the day following the act, event or default, and includes the last…
Motions
Motions — (a) An application to the ALJ for an order or ruling must be by motion.
Sanctions
Sanctions — The ALJ may sanction a person, including any party or attorney, for failing to comply with an order or procedure, for failing to defend an action or for other misconduct that…
Collateral estoppel
Collateral estoppel — When a final determination that the respondent violated an administrative simplification provision has been rendered in any proceeding in which the respondent was a party and had…
The hearing
The hearing — (a) The ALJ must conduct a hearing on the record in order to determine whether the respondent should be found liable under this part.
Statistical sampling
Statistical sampling — (a) In meeting the burden of proof set forth in § 160.534, the Secretary may introduce the results of a statistical sampling study as evidence of the number of violations under…
Witnesses
Witnesses — (a) Except as provided in paragraph (b) of this section, testimony at the hearing must be given orally by witnesses under oath or affirmation.
Evidence
Evidence — (a) The ALJ must determine the admissibility of evidence.
The record
The record — (a) The hearing must be recorded and transcribed.
Post hearing briefs
Post hearing briefs — The ALJ may require the parties to file post-hearing briefs.
ALJ's decision
ALJ's decision — (a) The ALJ must issue a decision, based only on the record, which must contain findings of fact and conclusions of law.
Appeal of the ALJ's decision
Appeal of the ALJ's decision — (a) Any party may appeal the decision of the ALJ to the Board by filing a notice of appeal with the Board within 30 days of the date of service of the ALJ decision.
Stay of the Secretary's decision
Stay of the Secretary's decision — (a) Pending judicial review, the respondent may file a request for stay of the effective date of any penalty with the ALJ.
Harmless error
Harmless error — No error in either the admission or the exclusion of evidence, and no error or defect in any ruling or order or in any act done or omitted by the ALJ or by any of the parties is…
Applicability
Applicability — …
Definitions
Definitions — For purposes of this part, the following definitions apply: Code set means any set of codes used to encode data elements, such as tables of terms, medical concepts, medical…
[Reserved]
[Reserved] — § 162.404 Compliance dates of the implementation of the standard unique health identifier for health care providers.
Compliance dates of the implementation of the standard unique health identifier for health care providers
Compliance dates of the implementation of the standard unique health identifier for health care providers — …
Standard unique health identifier for health care providers
Standard unique health identifier for health care providers — (a) Standard. The standard unique health identifier for health care providers is the National Provider Identifier (NPI). The NPI is a 10-position numeric identifier, with a check…
National Provider System
National Provider System — The National Provider System (NPS) shall do the following: (a) Assign a single, unique NPI to a health care provider, provided that— (1) The NPS may assign an NPI to a subpart of…
Implementation specifications: Health care providers
Implementation specifications: Health care providers — (a) A covered entity that is a covered health care provider must: (1) Obtain, by application if necessary, an NPI from the National Provider System (NPS) for itself or for any…
Implementation specifications: Health plans
Implementation specifications: Health plans — (a) A health plan must use the NPI of any health care provider (or subpart(s), if applicable) that has been assigned an NPI to identify that health care provider on all standard…
Implementation specifications: Health care clearinghouses
Implementation specifications: Health care clearinghouses — A health care clearinghouse must use the NPI of any health care provider (or subpart(s), if applicable) that has been assigned an NPI to identify that health care provider on all…
[Reserved]
[Reserved] — § 162.504 Compliance requirements for the implementation of the standard unique health plan identifier.
Compliance requirements for the implementation of the standard unique health plan identifier
Compliance requirements for the implementation of the standard unique health plan identifier — …
Standard unique health plan identifier
Standard unique health plan identifier — (a) Standard. The standard unique health plan identifier is the Health Plan Identifier (HPID) that is assigned by the Enumeration System identified in § 162.508. (b) Required and…
Enumeration System
Enumeration System — The Enumeration System must do all of the following: (a) Assign a single, unique— (1) HPID to a health plan, provided that the Secretary has sufficient information to permit the…
Full implementation requirements: Covered entities
Full implementation requirements: Covered entities — (a) A covered entity must use an HPID to identify a health plan that has an HPID when a covered entity identifies a health plan in a transaction for which the Secretary has…
Implementation specifications: Health plans
Implementation specifications: Health plans — (a) A controlling health plan must do all of the following: (1) Obtain an HPID from the Enumeration System for itself.
Other entity identifier
Other entity identifier — (a) An entity may obtain an Other Entity Identifier (OEID) to identify itself if the entity meets all of the following: (1) Needs to be identified in a transaction for which the…
Compliance dates of the implementation of the standard unique employer identifier
Compliance dates of the implementation of the standard unique employer identifier — (a) Health care providers. Health care providers must comply with the requirements of this subpart no later than July 30, 2004. (b) Health plans. A health plan must comply with…
Standard unique employer identifier
Standard unique employer identifier — The Secretary adopts the EIN as the standard unique employer identifier provided for by 42 U.S.C.
Implementation specifications for covered entities
Implementation specifications for covered entities — (a) The standard unique employer identifier of an employer of a particular employee is the EIN that appears on that employee's IRS Form W-2, Wage and Tax Statement, from the…
[Reserved]
[Reserved] — § 162.910 Maintenance of standards and adoption of modifications and new standards.
Trading partner agreements
Trading partner agreements — A covered entity must not enter into a trading partner agreement that would do any of the following: (a) Change the definition, data condition, or use of a data element or segment…
Availability of implementation specifications and operating rules
Availability of implementation specifications and operating rules — Certain material is incorporated by reference into this subpart with the approval of the Director of the Federal Register under 5 U.S.C.
Requirements for covered entities
Requirements for covered entities — (a) General rule. Except as otherwise provided in this part, if a covered entity conducts, with another covered entity that is required to comply with a transaction standard…
Additional requirements for health plans
Additional requirements for health plans — (a) General rules. (1) If an entity requests a health plan to conduct a transaction as a standard transaction, the health plan must do so. (2) A health plan may not delay or…
Additional rules for health care clearinghouses
Additional rules for health care clearinghouses — When acting as a business associate for another covered entity, a health care clearinghouse may perform the following functions: (a) Receive a standard transaction on behalf of…
Exceptions from standards to permit testing of proposed modifications
Exceptions from standards to permit testing of proposed modifications — … (followed in the regulation by Subpart J, Code Sets)
Statutory basis
Statutory basis — The provisions of this part are adopted pursuant to the Secretary's authority to prescribe standards, requirements, and implementation specifications under part C of title XI of…
Definitions
Definitions — As used in this part, the following terms have the following meanings: Common control exists if an entity has the power, directly or indirectly, significantly to influence or…
Applicability
Applicability — (a) Except as otherwise provided, the standards, requirements, and implementation specifications adopted under this part apply to the following entities: (1) A health plan.
Organizational requirements
Organizational requirements — (a)(1) Standard: Health care component.
Relationship to other parts
Relationship to other parts — In complying with the requirements of this part, covered entities and, where provided, business associates, are required to comply with the applicable provisions of parts 160 and…
Applicability
Applicability — A covered entity or business associate must comply with the applicable standards, implementation specifications, and requirements of this subpart with respect to electronic…
Definitions
Definitions — As used in this subpart, the following terms have the following meanings: Access means the ability or the means necessary to read, write, modify, or communicate data/information…
Security standards: General rules
Security standards: General rules — (a) General requirements. Covered entities and business associates must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected…
Administrative safeguards
Administrative safeguards — (a) A covered entity or business associate must, in accordance with § 164.306: (1)(i) Standard: Security management process.
Physical safeguards
Physical safeguards — A covered entity or business associate must, in accordance with § 164.306: (a)(1) Standard: Facility access controls.
Technical safeguards
Technical safeguards — A covered entity or business associate must, in accordance with § 164.306: (a)(1) Standard: Access control.
Organizational requirements
Organizational requirements — (a)(1) Standard: Business associate contracts or other arrangements.
Policies and procedures and documentation requirements
Policies and procedures and documentation requirements — A covered entity or business associate must, in accordance with § 164.306: (a) Standard: Policies and procedures.
Compliance dates for the initial implementation of the security standards
Compliance dates for the initial implementation of the security standards — (a) Health plan. (1) A health plan that is not a small health plan must comply with the applicable requirements of this subpart no later than April 20, 2005. (2) A small health…
Applicability
Applicability — The requirements of this subpart shall apply with respect to breaches of protected health information occurring on or after September 23, 2009.
Definitions
Definitions — As used in this subpart, the following terms have the following meanings: Breach means the acquisition, access, use, or disclosure of protected health information in a manner not…
Notification to individuals
Notification to individuals — (a) Standard —(1) General rule.
Notification to the media
Notification to the media — (a) Standard. For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, a covered entity shall, following the discovery…
Notification to the Secretary
Notification to the Secretary — (a) Standard. A covered entity shall, following the discovery of a breach of unsecured protected health information as provided in § 164.404(a)(2), notify the Secretary.
Notification by a business associate
Notification by a business associate — (a) Standard —(1) General rule.
Law enforcement delay
Law enforcement delay — If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting required under this subpart would impede a criminal…
Administrative requirements and burden of proof
Administrative requirements and burden of proof — (a) Administrative requirements.
Applicability
Applicability — (a) Except as otherwise provided herein, the standards, requirements, and implementation specifications of this…
Definitions
Definitions — As used in this subpart, the following terms have the following meanings: Correctional institution means any penal or correctional facility, jail, reformatory, detention center,…
Uses and disclosures of protected health information: General rules
Uses and disclosures of protected health information: General rules — (a) Standard. A covered entity or business associate may not use or disclose protected health information except as permitted or required by this subpart or by subpart C of part…
Uses and disclosures: Organizational requirements
Uses and disclosures: Organizational requirements — (a) Definitions. As used in this section: Plan administration functions means administration functions performed by the plan sponsor of a group health plan on behalf of the group…
Uses and disclosures to carry out treatment, payment, or health care operations
Uses and disclosures to carry out treatment, payment, or health care operations — (a) Standard: Permitted uses and disclosures.
and 164
and 164 — 512(i), a covered entity may, to the extent allowed by one of the following permissions, use or disclose, for research, protected health information that it created or received…
Uses and disclosures requiring an opportunity for the individual to agree or to object
Uses and disclosures requiring an opportunity for the individual to agree or to object — A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to…
Uses and disclosures for which an authorization or opportunity to agree or object is not required
Uses and disclosures for which an authorization or opportunity to agree or object is not required — A covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the…
Other requirements relating to uses and disclosures of protected health information
Other requirements relating to uses and disclosures of protected health information — (a) Standard: De-identification of protected health information.
Notice of privacy practices for protected health information
Notice of privacy practices for protected health information — (a) Standard: Notice of privacy practices. (1) Right to notice.
Rights to request privacy protection for protected health information
Rights to request privacy protection for protected health information — (a)(1) Standard: Right of an individual to request restriction of uses and disclosures.
or § 164
or § 164 — 528; and (ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subchapter.
Amendment of protected health information
Amendment of protected health information — (a) Standard: Right to amend. (1) Right to amend. An individual has the right to have a covered entity amend protected health information or a record about the individual in a…
Accounting of disclosures of protected health information
Accounting of disclosures of protected health information — (a) Standard: Right to an accounting of disclosures of protected health information.
Administrative requirements
Administrative requirements — (a)(1) Standard: Personnel designations.
Transition provisions
Transition provisions — …
Compliance dates for initial implementation of the privacy standards
Compliance dates for initial implementation of the privacy standards — (a) Health care providers. A covered health care provider must comply with the applicable requirements of this subpart no later than April 14, 2003. (b) Health plans. A health…