Background

HIPAA PRIVACY

The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. It applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically. The rule mandates safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI), and it grants patients rights over their information, including rights to examine and obtain a copy of their health records, and request corrections (American Medical Association; HHS.gov).

Controls:

The General Rules in the HIPAA Privacy framework outline the fundamental principles and regulations for protecting the privacy of individuals' health information. These rules govern the collection, use, and disclosure of protected health information (PHI) by covered entities and business associates, ensuring compliance with privacy requirements.

  • Prohibited Uses and Disclosures 164.502(a)(5)(i)

    This section outlines certain uses and disclosures of protected health information (PHI) that are prohibited under the HIPAA Privacy Rule.

  • Deceased Individuals 164.502(f)

    This section addresses the protection of protected health information (PHI) of deceased individuals under the HIPAA Privacy Rule.

  • Personal Representatives 164.502(g)

    This section pertains to the rights and responsibilities of personal representatives under the HIPAA Privacy Rule.

  • Confidential Communications 164.502(h)

    This section addresses an individual's right to receive confidential communications of their protected health information (PHI).

  • Uses and Disclosures Consistent with Notice 164.502(i)

    This section clarifies that uses and disclosures of protected health information (PHI) must be consistent with the information provided in the Notice of Privacy Practices.

  • Disclosures by Whistleblowers 164.502(j)(1)

    This section addresses disclosures of protected health information (PHI) by individuals who are whistleblowers, reporting violations or suspected violations of laws and regulations.

  • Disclosures by Workforce Members who are Victims of a Crime 164.502(j)(2)

    This section pertains to disclosures made by workforce members who are victims of a crime.

Organizational Requirements pertain to the policies and procedures that covered entities and business associates must implement to maintain the privacy of PHI. These requirements address workforce training, designation of a privacy officer, and ensuring that appropriate safeguards are in place to protect the confidentiality of health information.

  • Business Associate Contracts 164.504(e)

    This section addresses the requirements for business associate contracts under the HIPAA Privacy Rule.

  • Requirements for Group Health Plans 164.504(f)

    This section outlines the privacy requirements that apply to group health plans under the HIPAA Privacy Rule.

  • Requirements for a Covered Entity with Multiple Covered Functions 164.504(g)

    This section addresses the privacy requirements for covered entities that engage in multiple covered functions under the HIPAA Privacy Rule.

Treatment and Operations within the HIPAA Privacy framework relate to the permissible uses and disclosures of PHI for treatment, payment, and healthcare operations. This control ensures that healthcare providers can share necessary patient information for authorized purposes while maintaining privacy.

  • Permitted Uses and Disclosures 164.506(a)

    This section provides an overview of permitted uses and disclosures of protected health information (PHI) under the HIPAA Privacy Rule.

  • Consent for Uses and Disclosures 164.506(b)

    This section addresses the concept of consent for uses and disclosures of protected health information (PHI) under the HIPAA Privacy Rule.

The Authorizations control specifies the circumstances under which individuals must provide written authorization for the use and disclosure of their PHI beyond treatment, payment, and healthcare operations. This control helps ensure that patients have control over their health information and can authorize its use for specific purposes.

  • Authorizations for Uses and Disclosures 164.508

    This section outlines the requirements for authorizations for uses and disclosures of protected health information (PHI) under the HIPAA Privacy Rule.

  • Compound Authorizations - Exceptions 164.508(b)(3)

    This section addresses compound authorizations and exceptions to the general requirements for separate authorizations for uses and disclosures of protected health information (PHI).

  • Prohibition on Conditioning of Authorizations 164.508(b)(4)

    This section prohibits covered entities from conditioning the provision of treatment, payment, enrollment, or eligibility for benefits on the individual providing an authorization for the use or disclosure of their protected health information (PHI).

  • Uses and Disclosures for Which an Authorization is Required - Documentation and Content 164.508(b)(6)-(c)(1-4)

    This section outlines the requirements for the content and documentation of authorizations for uses and disclosures of protected health information (PHI).

Consent or Objection refers to the right of individuals to provide or withhold consent for the use and disclosure of their PHI for certain purposes. This control empowers patients to express their preferences regarding the sharing of their health information in various situations.

  • Use and Disclosure for Facility Directories; Opportunity to Object 164.510(a)(1-2)

    This section addresses the use and disclosure of an individual's information in a facility directory and the opportunity for the individual to object to such disclosures.

  • Uses and Disclosures for Facility Directories in Emergency Circumstances 164.510(a)(3)

    This section addresses the use and disclosure of protected health information (PHI) from a facility directory in emergency circumstances.

  • Permitted Uses and Disclosures 164.510(b)(1)

    This section outlines the permitted uses and disclosures of protected health information (PHI) under the HIPAA Privacy Rule.

  • Uses and Disclosures with the Individual Present 164.510(b)(2)

    This section addresses the use and disclosure of protected health information (PHI) when the individual is present and has the opportunity to agree or object to the use or disclosure.

  • Limited Uses and Disclosures When the Individual is not Present 164.510(b)(3)

    This section addresses the limited use and disclosure of protected health information (PHI) when the individual is not present to agree or object to the use or disclosure.

  • Uses and Disclosures for Disaster Relief Purposes 164.510(b)(4)

    This section addresses the use and disclosure of protected health information (PHI) for disaster relief purposes.

  • Uses and Disclosures When the Individual is Deceased 164.510(b)(5)

    This section addresses the use and disclosure of protected health information (PHI) about individuals who are deceased.

The Use and Disclosure Without Consent control addresses the limited circumstances where PHI can be used or disclosed without the need for patient consent. These instances include public health reporting, law enforcement activities, and emergencies.

  • Uses and Disclosures Required by Law 164.512(a)

    This section addresses the use and disclosure of protected health information (PHI) when required by law.

  • Uses and Disclosures for Public Health Activities 164.512(b)

    This section addresses the use and disclosure of protected health information (PHI) for public health activities.

  • Disclosures About Victims of Abuse, Neglect, or Domestic Violence 164.512(c)

    This section addresses the disclosure of protected health information (PHI) about victims of abuse, neglect, or domestic violence.

  • Uses and Disclosures for Health Oversight Activities 164.512(d)

    This section addresses the use and disclosure of protected health information (PHI) for health oversight activities.

  • Disclosures for Judicial and Administrative Proceedings 164.512(e)

    This section addresses the disclosure of protected health information (PHI) for judicial and administrative proceedings.

  • Disclosures for Law Enforcement Purposes 164.512(f)(1)

    This section addresses the disclosure of protected health information (PHI) for law enforcement purposes.

  • Disclosures for Law Enforcement Purposes - for Identification and Location 164.512(f)(2)

    This section addresses the disclosure of protected health information (PHI) for law enforcement purposes related to the identification and location of suspects, witnesses, or missing persons.

  • Disclosures for Law Enforcement Purposes - PHI of a Possible Victim of a Crime 164.512(f)(3)

    This section addresses the disclosure of protected health information (PHI) to law enforcement when the individual may be a victim of a crime.

  • Disclosures for Law Enforcement Purposes - an Individual who has Died as a Result of Suspected Criminal Conduct 164.512(f)(4)

    This section addresses the disclosure of protected health information (PHI) to law enforcement when an individual has died as a result of suspected criminal activity.

  • Disclosures for Law Enforcement Purposes - Crime on Premises 164.512(f)(5)

    This section addresses the disclosure of protected health information (PHI) to law enforcement regarding a crime that occurred on the covered entity's premises.

  • Disclosures for Law Enforcement Purposes 164.512(f)(6)

    This section addresses the disclosure of protected health information (PHI) to law enforcement when required by law for law enforcement custodial situations.

  • Uses and Disclosures about Decedents 164.512(g)

    This section addresses the use and disclosure of protected health information (PHI) about deceased individuals for various purposes.

  • Uses and Disclosures for Cadaveric Organ, Eye, or Tissue Donation 164.512(h)

    This section addresses the use and disclosure of protected health information (PHI) for cadaveric organ, eye, or tissue donation purposes.

  • Uses and Disclosures for Research Purposes - Permitted Uses and Disclosures 164.512(i)(1)

    This section addresses the use and disclosure of protected health information (PHI) for research purposes, as permitted under the Privacy Rule.

  • Uses and Disclosures for Research Purposes - Documentation of Waiver Approval 164.512(i)(2)

    This section addresses the documentation requirements when obtaining a waiver of authorization for research purposes.

  • Uses and Disclosures for Specialized Government Functions - Military 164.512(k)(1)

    This section addresses the use and disclosure of protected health information (PHI) for specialized government functions related to military activities.

  • Uses and Disclosures for Specialized Government Functions - National Security and Intelligence Activities 164.512(k)(2)

    This section addresses the use and disclosure of protected health information (PHI) for specialized government functions related to national security and intelligence activities.

  • Uses and Disclosures for Specialized Government Functions - Protective Services 164.512(k)(3)

    This section addresses the use and disclosure of protected health information (PHI) for specialized government functions related to protective services.

  • Uses and Disclosures for Specialized Government Functions - Medical Suitability Determinations 164.512(k)(4)

    This section addresses the use and disclosure of protected health information (PHI) for specialized government functions related to medical suitability determinations.

  • Uses and Disclosures for Specialized Government Functions - Correctional Institutions 164.512(k)(5)

    This section addresses the use and disclosure of protected health information (PHI) for specialized government functions related to correctional institutions.

  • Uses and Disclosures for Specialized Government Functions - Providing Public Benefits 164.512(k)(6)

    This section addresses the use and disclosure of protected health information (PHI) for specialized government functions related to providing public benefits.

  • Disclosures for Workers' Compensation 164.512(l)

    This section addresses the disclosure of protected health information (PHI) for workers' compensation purposes.

  • Requirements for De-Identification of PHI and Re-Identification of PHI 164.514(b-c)

    This section addresses the requirements and processes for de-identification and re-identification of protected health information (PHI).

Special Case Requirements involve specific situations where additional privacy protections are necessary for certain types of health information. This control ensures that sensitive information, such as mental health records, substance abuse treatment, and HIV/AIDS-related information, receives appropriate privacy safeguards.

  • Standard - Minimum Necessary Uses of PHI 164.514(d)(1-2)

    This section sets the standard for the minimum necessary uses of protected health information (PHI) by covered entities.

  • Minimum Necessary - Disclosures of PHI 164.514(d)(3)

    This section sets the standard for the minimum necessary disclosures of protected health information (PHI) by covered entities.

  • Minimum Necessary Requests for Protected Health Information 164.514(d)(4)

    This section sets the standard for the minimum necessary requests of protected health information (PHI) by covered entities.

  • Minimum Necessary - Other Content Requirement 164.514(d)(5)

    This section clarifies that the minimum necessary standard does not apply to certain types of communications, such as when providing PHI to individuals or as required by law.

  • Limited Data Sets and Data Use Agreements 164.514(e)

    This section addresses the use and disclosure of limited data sets (LDS) of protected health information (PHI) and the requirements for data use agreements.

  • Uses and Disclosures for Fundraising 164.514(f)

    This section addresses the use and disclosure of protected health information (PHI) for fundraising purposes.

  • Uses and Disclosures for Underwriting and Related Purposes 164.514(g)

    This section addresses the use and disclosure of protected health information (PHI) for underwriting purposes by health plans.

  • Verification Requirements 164.514(h)

    This section addresses the verification requirements for certain disclosures of protected health information (PHI).

The Notice of Privacy Practices control mandates that covered entities provide patients with a clear and understandable notice describing how their PHI will be used and disclosed, as well as their privacy rights and how to exercise them.

  • Notice of Privacy Practices 164.520(a)(1), (b)(1)

    This section addresses the requirements for covered entities to provide individuals with a notice of privacy practices (NPP) regarding the use and disclosure of their protected health information (PHI).

  • Provisions of Notice - Health Plans 164.520(c)(1)

    This section specifies the requirements for the content of the Notice of Privacy Practices (NPP) that must be provided by health plans to individuals.

  • Provisions of Notice - Certain Covered Health Care Providers 164.520(c)(2)

    This section specifies the requirements for the content of the Notice of Privacy Practices (NPP) that must be provided by certain covered health care providers to individuals.

  • Provision of Notice - Electronic Notice 164.520(c)(3)

    This section addresses the provision of the Notice of Privacy Practices (NPP) through electronic means, such as email or posting on a website.

  • Joint Notice by Separate Covered Entities 164.520(d)

    This section addresses the requirements for multiple covered entities that participate in an organized health care arrangement to create a joint notice of privacy practices (NPP).

  • Documentation 164.520(e)

    This section addresses the requirement for covered entities to maintain documentation related to their privacy practices.

The Rights to Request Privacy Protection control gives individuals the right to request additional privacy protections for their PHI. This includes restrictions on certain uses and disclosures or the use of secure communications channels for sensitive information.

  • Right of an Individual to Request Restriction of Uses and Disclosures 164.522(a)(1)

    This section addresses the right of individuals to request restrictions on the use and disclosure of their protected health information (PHI).

  • Terminating a Restriction 164.522(a)(2)

    This section addresses the circumstances under which a covered entity may terminate a previously agreed-upon restriction on the use and disclosure of an individual's protected health information (PHI).

  • Documentation 164.522(a)(3)

    This section addresses the requirement for covered entities to document the agreed-upon restrictions on the use and disclosure of protected health information (PHI).

  • Confidential Communications Requirements 164.522(b)(1)

    This section addresses the right of individuals to request confidential communications of their protected health information (PHI).

Access to PHI allows individuals to request access to their own health information held by covered entities. This control ensures that patients can review and obtain copies of their medical records.

  • Right to Access 164.524(a)(1), (b)(1-2), (c)(2-4), (d)(1), (d)(3)

    This section addresses an individual's right to access their protected health information (PHI) held by covered entities.

  • Unreviewable Grounds for Denial 164.524(a)(2)

    This section addresses the circumstances under which a covered entity may deny an individual's request for access to their protected health information (PHI) without the right to appeal the denial.

  • Reviewable Grounds for Denial 164.524(a)(3)

    This section addresses the circumstances under which a covered entity may deny an individual's request for access to their protected health information (PHI) with the right to appeal the denial.

  • Review of Denial of Access 164.524(a)(4), (d)(4)

    This section addresses the process of reviewing and resolving an individual's appeal regarding the denial of their request for access to protected health information (PHI).

  • Denial of Access 164.524(d)(2)

    This section addresses the circumstances under which a covered entity may deny an individual's request for access to their protected health information (PHI) after the review process.

  • Documentation 164.524(e)

    This section addresses the requirement for covered entities to document the actions taken in response to an individual's request for access to their protected health information (PHI).

The Amendment of PHI control grants individuals the right to request corrections or amendments to their health information if they believe it is inaccurate or incomplete. Covered entities must comply with these requests, subject to certain limitations.

  • Right to Amend 164.526(a)(1)

    This section addresses the right of individuals to request an amendment to their protected health information (PHI) held by covered entities.

  • Denying the Amendment 164.526(a)(2)

    This section addresses the circumstances under which a covered entity may deny an individual's request to amend their protected health information (PHI).

  • Accepting the Amendment 164.526(c)

    This section addresses the process of accepting an individual's request to amend their protected health information (PHI).

  • Denying the Amendment 164.526(d)

    This section addresses the process of denying an individual's request to amend their protected health information (PHI) after the review process.

Accounting of Disclosures involves keeping a record of certain disclosures of PHI made by covered entities. This control allows individuals to obtain information about when and to whom their health information was disclosed.

  • Right to an Accounting of Disclosures of PHI 164.528(a)

    This section addresses the right of individuals to request an accounting of disclosures of their protected health information (PHI) made by a covered entity.

  • Content of the Accounting 164.528(b)

    This section addresses the content requirements for an accounting of disclosures of protected health information (PHI) made by a covered entity.

  • Provision of the Accounting 164.528(c)

    This section addresses the timeframe and format for providing an accounting of disclosures of protected health information (PHI) to an individual.

  • Documentation 164.528(d)

    This section addresses the requirement for covered entities to maintain documentation of actions taken in response to requests for an accounting of disclosures of protected health information (PHI).

Administrative Requirements encompass the overall policies, procedures, and responsibilities related to privacy compliance within covered entities. This control ensures that organizations establish a comprehensive privacy program to protect PHI.

  • Personnel Designations 164.530(a)

    This section addresses the requirement for covered entities to designate a privacy official and a security official responsible for the development and implementation of policies and procedures related to the HIPAA Privacy Rule and Security Rule.

  • Training 164.530(b)

    This section addresses the requirement for covered entities to provide training to their workforce members on the policies and procedures regarding protected health information (PHI) and the HIPAA Privacy Rule.

  • Safeguards 164.530(c)

    This section addresses the requirement for covered entities to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of protected health information (PHI).

  • Complaints to the Covered Entity 164.530(d)(2)

    This section addresses the requirement for covered entities to provide individuals with a process to file complaints regarding their privacy practices and the handling of protected health information (PHI).

  • Sanctions 164.530(e)(1)

    This section addresses the requirement for covered entities to apply appropriate sanctions against workforce members who violate the policies and procedures related to the HIPAA Privacy Rule.

  • Mitigation 164.530(f)

    This section addresses the requirement for covered entities to mitigate any harmful effects resulting from a privacy violation or breach of protected health information (PHI).

  • Refraining from Intimidating or Retaliatory Acts 164.530(g)

    This section addresses the requirement for covered entities to prohibit intimidating or retaliatory acts against individuals who exercise their rights under the HIPAA Privacy Rule.

  • Waiver of Rights 164.530(h)

    This section addresses the prohibition on covered entities from requiring individuals to waive their rights under the HIPAA Privacy Rule.

  • Policies and Procedures 164.530(i)

    This section addresses the requirement for covered entities to develop and implement policies and procedures to comply with the HIPAA Privacy Rule.

  • Documentation 164.530(j)

    This section addresses the requirement for covered entities to maintain documentation of their HIPAA Privacy Rule compliance efforts.

Breach Definitions define what constitutes a breach of PHI under HIPAA. This control clarifies when unauthorized access, use, or disclosure of PHI triggers the requirement to notify affected individuals and regulatory authorities.

  • Breach - Risk Assessment 164.402

    This section addresses the requirement for covered entities to conduct a risk assessment to determine the probability that protected health information (PHI) has been compromised in the event of a breach.

  • Breach - Exceptions 164.402

    This section addresses the exceptions to the breach notification requirements under certain circumstances.

The Notification of a Breach control mandates that covered entities promptly notify affected individuals and relevant authorities in the event of a breach of unsecured PHI. This ensures transparency and allows individuals to take necessary steps to protect themselves.

  • Notice to Individuals 164.404(a)

    This section addresses the requirement for covered entities to provide notifications to individuals affected by a breach of protected health information (PHI).

  • Timeliness of Notification 164.404(b)

    This section addresses the requirement for covered entities to provide breach notifications to affected individuals without unreasonable delay.

  • Content of Notification 164.404(c)(1)

    This section addresses the required content of breach notifications provided to affected individuals.

  • Methods of Notification 164.404(d)

    This section addresses the permissible methods of providing breach notifications to affected individuals.

  • Notification to the Media 164.406

    This section addresses the requirement for covered entities to provide breach notifications to prominent media outlets in certain circumstances.

  • Notification to the Secretary 164.408

    This section addresses the requirement for covered entities to provide breach notifications to the U.S. Department of Health and Human Services (HHS) Secretary.

  • Notification by a Business Associate 164.410

    This section addresses the requirement for business associates to provide breach notifications to covered entities.

Administrative Requirements for breaches focus on the processes and responsibilities that covered entities must follow in the event of a breach. This includes conducting risk assessments, investigating incidents, and implementing corrective actions to prevent future breaches.

  • Law Enforcement Delay 164.412

    This section addresses the provision that allows covered entities to delay breach notifications at the request of law enforcement.

  • Administrative 164.414(a)

    This section addresses the penalties and enforcement provisions for non-compliance with the HIPAA Privacy Rule.

  • Burden of Proof 164.414(b)

    This section addresses the burden of proof placed on covered entities in administrative penalty proceedings.

  • Training 164.530(b)

    This section addresses the requirement for covered entities to provide training to their workforce members on the policies and procedures regarding protected health information (PHI) and the HIPAA Privacy Rule.

  • Complaints 164.530(d)

    This section addresses the requirement for covered entities to provide individuals with a process to file complaints regarding their privacy practices and the handling of protected health information (PHI).

  • Sanctions 164.530(e)

    This section addresses the requirement for covered entities to apply appropriate sanctions against workforce members who violate the policies and procedures related to the HIPAA Privacy Rule.

  • Refraining from Retaliatory Acts 164.530(g)

    This section addresses the requirement for covered entities to prohibit retaliatory acts against individuals who exercise their rights under the HIPAA Privacy Rule.

  • Waiver of Rights 164.530(h)

    This section addresses the prohibition on covered entities from requiring individuals to waive their rights under the HIPAA Privacy Rule.

  • Policies and Procedures 164.530(i)

    This section addresses the requirement for covered entities to develop and implement policies and procedures to comply with the HIPAA Privacy Rule.

  • Documentation 164.530(j)

    This section addresses the requirement for covered entities to maintain documentation of their HIPAA Privacy Rule compliance efforts.
