The Regulations Library · 112 entries
Every entry below is a brief, plain-English summary of one healthcare regulation, paired with a deep-link to the canonical source at HHS, OCR, CMS, NIST, the Code of Federal Regulations, or the responsible state regulator. D3rx is the research-aid layer. The regulator is the authority.
Individuals may request an accounting of disclosures of their PHI made by a covered entity in the prior six years, with a defined list of exclusions.
Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.
Required elements and statements for a valid HIPAA authorization, plus the prohibition on combining authorizations with other documents in most circumstances.
Required contract elements for any business associate that creates, receives, maintains, or transmits PHI on behalf of a covered entity.
Two methods for de-identifying PHI so that it is no longer subject to the Privacy Rule: the Safe Harbor method removing 18 identifier categories, and the Expert Determination method.
Disclosures permitted without authorization or opportunity to agree, including public health, judicial proceedings, law enforcement, and serious threats to health or safety.
Permitted disclosures for facility directories, disaster relief, and notification of family or friends involved in care, with individual opportunity to agree or object.
Covered entities may use limited PHI categories for their own fundraising but must include a clear opt-out mechanism in each communication and honor opt-outs going forward.
Incidental disclosures that occur as a by-product of an otherwise permitted use or disclosure are not violations, provided reasonable safeguards and minimum necessary policies are applied.
A limited data set excludes most direct identifiers but retains dates and geographic data; disclosure requires a written data use agreement.
Most communications encouraging an individual to purchase or use a product or service require a HIPAA-compliant authorization, with narrow exceptions for face-to-face communications and promotional gifts of nominal value.
Covered entities must make reasonable efforts to limit PHI uses, disclosures, and requests to the minimum necessary for the intended purpose, with specific carve-outs for treatment and a few other categories.
Covered entities must provide a Notice of Privacy Practices describing how PHI may be used and disclosed and the individual's rights, with specific delivery and posting requirements.
A covered entity must treat a personal representative — including parents of minors and court-appointed representatives — as the individual for purposes of the Privacy Rule, subject to defined exceptions.
The general rules covered entities follow for any use or disclosure of protected health information, including the minimum necessary standard and treatment, payment, and operations exceptions.
Research uses of PHI without individual authorization require either IRB or Privacy Board waiver, a limited data set with data use agreement, or reviews preparatory to research and decedent research with specific safeguards.
Individuals may request restrictions on use or disclosure of PHI and may request communications by alternative means or at alternative locations.
Individuals have a right to inspect and obtain copies of their PHI in a designated record set, in the form and format requested when readily producible, within 30 days.
Covered entities may use and disclose PHI for treatment, payment, and health care operations without authorization, subject to limits and notice requirements.
Technical policies and procedures for systems containing ePHI to allow access only to those granted access rights, with required specifications for unique user identification and emergency access.
Nine standards covering security management, workforce security, training, contingency planning, incident procedures, evaluation, and business associate contracts.
Required technical safeguard: implement hardware, software, and procedural mechanisms that record and examine activity in information systems containing ePHI.
Required standard to verify that a person or entity seeking access to ePHI is the one claimed. The Security Rule is technology-neutral on the mechanism; risk analysis drives whether MFA is reasonable.
Required specifications for business associate contracts under the Security Rule, complementing the Privacy Rule BAA at 164.504(e).
Required plans for responding to emergencies and other occurrences (fire, vandalism, system failure, natural disaster) that damage systems containing ePHI.
Required specifications for disposal of hardware and electronic media containing ePHI, and media re-use procedures.
Required standard for periodic technical and non-technical evaluation in response to environmental or operational changes affecting the security of ePHI.
Required standard for identifying and responding to security incidents involving ePHI, with mitigation, documentation, and outcome tracking.
Four standards covering facility access controls, workstation use and security, and device and media controls including disposal and re-use.
Required implementation specification: conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
Required standard for maintaining policies and procedures in written or electronic form, with a six-year retention requirement and periodic review and update.
Required objectives — confidentiality, integrity, and availability of ePHI — plus the flexibility provisions that govern how covered entities select and implement specific safeguards.
Five standards covering access control, audit controls, integrity, person or entity authentication, and transmission security for ePHI.
Required standard to guard against unauthorized access to ePHI transmitted over an electronic communications network, with addressable specs for integrity controls and encryption.
Standard requiring a security awareness and training program for all workforce members with addressable specifications for security reminders, malware protection, login monitoring, and password management.
Business associate must notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 days from discovery, with required content for the covered entity's downstream notifications.
Definition of breach and the four-factor low-probability-of-compromise assessment that determines whether a non-permitted use or disclosure triggers notification.
Notification timing and content for HHS (annual for smaller breaches, 60 days for 500+) and the prominent media (500+ in a state or jurisdiction).
Required content, methods, and 60-day deadline for notifying affected individuals after a breach of unsecured PHI.
When unsecured PHI is accessed, used, or disclosed in a manner not permitted, the entity must follow individual, HHS, and (in some cases) media notification requirements within defined timelines.
OCR's authority to conduct compliance audits of covered entities and business associates, and the recurring posture under the Audit Program established by HITECH.
The four-tier culpability and penalty structure for HIPAA civil money penalties, with statutory caps adjusted annually for inflation.
Criminal sanctions for knowingly obtaining or disclosing PHI in violation of HIPAA, enforced by the Department of Justice rather than HHS, with three tiers escalating to ten years' imprisonment.
OCR's preferred enforcement disposition: a Resolution Agreement that includes a corrective action plan, payment, and reporting obligations spanning two to three years.
The framework for HHS investigation and enforcement of HIPAA violations: complaints, compliance reviews, informal resolution, civil money penalties, and the four-tier culpability structure.
Business associates are directly liable for Security Rule compliance, breach notification, certain Privacy Rule provisions, and BAA flow-down to subcontractors.
Two HITECH-era patient-rights expansions: the right to an electronic copy of EHR-resident PHI and the general prohibition on remuneration for PHI absent authorization.
HITECH expanded HIPAA enforcement with state attorney general civil actions, four-tier penalties, willful neglect mandatory investigation, and a percentage of CMPs to harmed individuals.
HITECH's EHR Incentive Programs evolved into the Medicare Promoting Interoperability program under MIPS; SRA attestation remains an annual requirement.
Title XIII of the American Recovery and Reinvestment Act amended HIPAA in 2009 to add breach notification, direct business associate liability, increased penalties, and the Meaningful Use program.
The 2024 Final Rule's substantive alignment of Part 2 with HIPAA for TPO consent, breach notification, accounting, civil and criminal enforcement, and a single patient notice.
Heightened federal confidentiality protections for records held by federally assisted SUD programs, with prior-written-consent and segregation requirements that differ from HIPAA.
Required elements for written consent to disclose SUD treatment records under Part 2, including the prohibition on redisclosure notice.
The narrow exception permitting disclosure of Part 2 records pursuant to a court order issued after specific good cause findings.
Permitted disclosures to medical personnel to the extent necessary to meet a bona fide medical emergency posing an immediate threat to the patient's or another's health.
Three classes of actors subject to information blocking: health care providers, health IT developers of certified health IT, and health information networks/exchanges.
CMS finalized disincentives for providers found to have committed information blocking by HHS OIG, applied through the MIPS Promoting Interoperability category, hospital Promoting Interoperability program, and Medicare Shared Savings Program.
EHI is the full electronic Designated Record Set as defined by HIPAA at 45 CFR 164.501 (since October 6, 2022), broader than the USCDI subset that applied during the initial phase.
The eight regulatory exceptions to information blocking: preventing harm, privacy, security, infeasibility, health IT performance, content and manner, fees, and licensing.
The 21st Century Cures Act information blocking provisions and the ONC rule prohibiting actions by providers, health IT developers, and HINs/HIEs that interfere with electronic health information access, exchange, or use.
Criminal prohibition on knowingly and willfully soliciting, receiving, offering, or paying remuneration to induce or reward federal health care program business, with safe harbors at 42 CFR 1001.952.
Safe harbor for compensation to an independent contractor for personal services, with seven conditions including written agreement, fair market value, and aggregate compensation set in advance.
Approximately 30 safe harbors define payment and business practices that, despite generating remuneration, do not result in AKS liability when all conditions are met.
Safe harbor for rental payments for office space when six conditions are met, including written lease, at least one-year term, and aggregate rent set in advance at fair market value.
Three safe harbors added in the 2020 Sprint to Coordinated Care final rule covering value-based arrangements at varying risk levels: care coordination, substantial downside risk, and full financial risk.
Strict structural and operational definition of 'group practice' for purposes of the in-office ancillary services exception and physician services exception.
Ownership/investment and compensation exception permitting many group-practice ancillary services (lab, imaging, PT) when furnished in the same building or centralized building under defined conditions.
Strict-liability prohibition on physician referrals to entities for designated health services payable by Medicare when the physician (or immediate family member) has a financial relationship with the entity, unless an exception applies.
Compensation arrangement exception for personal services with conditions parallel to but separate from the AKS personal services safe harbor.
Stark exception for rental payments for office space with conditions on lease form, term, fair market value, and exclusive use of rented space.
'Knowingly' under the FCA includes actual knowledge, deliberate ignorance, and reckless disregard of the truth or falsity of the information; no specific intent required.
The principal civil fraud statute for healthcare: prohibits knowingly presenting false claims to the federal government, with treble damages, per-claim penalties, qui tam relator actions, and integration with AKS and Stark.
Private whistleblowers (relators) may file civil FCA actions on behalf of the government under seal; DOJ investigates and may intervene; relators share in recoveries.
Medicare enrollment application for institutional providers including hospitals, CAHs, hospices, home health agencies, federally qualified health centers, rural health clinics, and similar entities.
The Medicare enrollment application for clinics, group practices, and certain other suppliers — the primary enrollment vehicle for medical practices that bill Part B.
Individual Medicare enrollment vehicle for physicians, NPPs, and certain other individual suppliers; required for any clinician billing Medicare under their own name.
Abbreviated Medicare enrollment for clinicians who order or certify items and services for Medicare beneficiaries but do not personally bill Medicare.
Authorization form for an individual physician/NPP to reassign their right to collect Medicare payment to a group practice or other eligible entity.
Medicare enrollment application for durable medical equipment, prosthetics, orthotics, and supplies suppliers, with heightened standards including accreditation and surety bond.
Modifier 25 is appended to an E/M code when the E/M is significant and separately identifiable from another procedure or service performed on the same day by the same provider.
Medicare's policy for reporting bilateral procedures uses the MPFS Bilateral Indicator (0, 1, 2, 3, 9) and depends on whether the code descriptor already includes both sides.
NCCI policy on bundling and separately reporting E/M services with procedures, including modifier 25 use and global surgical package interactions.
Medicare's global surgical package bundles preoperative, intraoperative, and routine postoperative care into a single payment for the surgical CPT code, with global periods of 0, 10, or 90 days.
Modifier 59 (and its more specific subsets XE, XS, XP, XU) is the principal mechanism for overriding a PTP edit when a procedure is distinct or independent from another performed on the same day.
MUEs are maximum units of service that a single provider would reasonably report on a single date for a single beneficiary, with three adjudication levels (line, date, claim).
The National Correct Coding Initiative is the CMS coding edits program that prevents improper Medicare payment due to incorrect code reporting; the Policy Manual is the authoritative coding-policy reference.
NCCI policies for clinical laboratory services, including panel-vs-component coding, automated multi-channel chemistry rules, and Date of Service rules for lab tests.
PTP edits identify code pairs that should not be reported together because one is a component of the other or because reporting both is otherwise inconsistent with correct coding.
NCCI policies specific to radiology services, including component coding rules (technical and professional), supervision and interpretation services, and contrast/non-contrast bundling.
Reference to Medicare's ABN form required before furnishing items or services Medicare may not cover, shifting financial responsibility to the beneficiary.
Reference to the 2021 CPT E/M office visit (99202-99215) code revisions: history and exam no longer used for code selection; medical decision making or time controls.
Reference to Medicare's incident-to billing rules permitting auxiliary personnel to furnish services billed under the physician's NPI, with strict supervision and treatment-plan requirements.
Reference to Medicare's coverage determinations: NCDs are issued by CMS; LCDs are issued by MACs; both define when an item or service is reasonable and necessary.
Reference to the modifiers most commonly used in Medicare professional billing: 25, 26, 50, 51, 57, 58, 59, 76, 77, 78, 79, 80, 82, and the X{EPSU} series.
Reference to the ACA-added requirement that a Medicare or Medicaid overpayment be reported and returned within 60 days of identification, with FCA exposure for retention beyond that window.
Reference to the CMS Place of Service code set used on professional claims to identify where a service was furnished, affecting payment under the facility/non-facility differential.
Reference to the Medicare rules for E/M services furnished jointly by a physician and an NPP in a facility setting, with the substantive-portion rule determining who reports.
Reference to Medicare's telehealth policy: covered services list, originating and distant site rules, technology requirements, and the COVID-era flexibilities and their post-PHE status.
Reference to the CMS rules for selecting an E/M code by total time on the date of the encounter, including the activities that count and prolonged service add-ons.
The 2024 update to the NIST CSF added the Govern function alongside Identify, Protect, Detect, Respond, and Recover — providing a common language for organizational cybersecurity risk management.
The authoritative federal control catalog organizing technical, operational, and management security and privacy controls into 20 control families.
Federal authentication framework defining three Authenticator Assurance Levels (AAL1, AAL2, AAL3), authenticator types, and lifecycle requirements.
NIST's 2024 update to the implementation guide for the HIPAA Security Rule, mapping the rule's standards to NIST Cybersecurity Framework subcategories and current cybersecurity practices.
Federal reference for sanitizing electronic media — Clear, Purge, and Destroy categories — with method selection based on media type and confidentiality of the data.
California state law providing broader patient confidentiality protections than HIPAA for medical information held by providers, contractors, and certain employers.
Colorado comprehensive consumer privacy law with consumer rights, controller/processor obligations, universal opt-out mechanism requirement, and an AG enforcement framework with HIPAA carve-outs.
Connecticut comprehensive consumer data privacy law with consumer rights, controller/processor obligations, and an AG enforcement framework — with substantial healthcare carve-outs.
Florida data breach notification and information security law requiring covered entities to maintain reasonable security and to notify affected individuals and the AG of breaches within 30 days.
Illinois state law regulating the collection, retention, use, and destruction of biometric identifiers, with a private right of action and statutory damages per violation.
Massachusetts data security regulation requiring a written information security program (WISP) protecting personal information of MA residents, with specific technical requirements.
New York data breach and information security law requiring reasonable administrative, technical, and physical safeguards for private information of NY residents, with expanded breach notification.
Often called 'Texas HIPAA,' this state law extends HIPAA-like protections to a broader class of 'covered entities,' adds Texas-specific training requirements, and provides for state enforcement.
Research aid, not legal advice. The summaries on this page are administrative research aids. They do not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. For authoritative regulatory text, follow the citation link on each entry to HHS, OCR, CMS, NIST, the Code of Federal Regulations, or the responsible state regulator. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.