[Code of Federal Regulations]
[Title 45, Volume 1]
[Revised as of October 1, 2001]
From the U.S. Government Printing Office via GPO Access
[CITE: 45CFR164.501]
[Page 684-688]
TITLE 45--PUBLIC WELFARE
SUBTITLE A--DEPARTMENT OF HEALTH
AND HUMAN SERVICES
PART 164--SECURITY AND PRIVACY--Table of Contents
Subpart E--Privacy of Individually Identifiable Health Information
Sec. 164.501 Definitions.
As used in this subpart, the following terms have the following
meanings:
Correctional institution means any penal or correctional facility,
jail, reformatory, detention center, work farm, halfway house, or
residential community program center operated by, or under contract to,
the United States, a State, a territory, a political subdivision of a
State or territory, or an Indian tribe, for the confinement or
rehabilitation of persons charged with or convicted of a criminal
offense or other persons held in lawful custody. Other persons held in
lawful custody includes juvenile offenders adjudicated delinquent,
aliens detained awaiting deportation, persons committed to mental
institutions through the criminal justice system, witnesses, or others
awaiting charges or trial.
Covered functions means those functions of a covered entity the
performance of which makes the entity a health plan, health care
provider, or health care clearinghouse.
Data aggregation means, with respect to protected health information
created or received by a business associate
in its capacity as the business associate of a covered entity, the
combining of such protected health information by the business associate
with the protected health information received by the business associate
in its capacity as a business associate of another covered entity, to
permit data analyses that relate to the health care operations of the
respective covered entities.
Designated record set means:
(1) A group of records maintained by or for a covered entity that
is:
(i) The medical records and billing records about individuals
maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or
medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to
make decisions about individuals.
(2) For purposes of this paragraph, the term record means any item,
collection, or grouping of information that includes protected health
information and is maintained, collected, used, or disseminated by or
for a covered entity.
Direct treatment relationship means a treatment relationship between
an individual and a health care provider that is not an indirect
treatment relationship.
Disclosure means the release, transfer, provision of access to, or
divulging in any other manner of information outside the entity holding
the information.
Health care operations means any of the following activities of the
covered entity to the extent that the activities are related to covered
functions, and any of the following activities of an organized health
care arrangement in which the covered entity participates:
(1) Conducting quality assessment and improvement activities,
including outcomes evaluation and development of clinical guidelines,
provided that the obtaining of generalizable knowledge is not the
primary purpose of any studies resulting from such activities;
population-based activities relating to improving health or reducing
health care costs, protocol development, case management and care
coordination, contacting of health care providers and patients with
information about treatment alternatives; and related functions that do
not include treatment;
(2) Reviewing the competence or qualifications of health care
professionals, evaluating practitioner and provider performance, health
plan performance, conducting training programs in which students,
trainees, or practitioners in areas of health care learn under
supervision to practice or improve their skills as health care
providers, training of non-health care professionals, accreditation,
certification, licensing, or credentialing activities;
(3) Underwriting, premium rating, and other activities relating to
the creation, renewal or replacement of a contract of health insurance
or health benefits, and ceding, securing, or placing a contract for
reinsurance of risk relating to claims for health care (including
stop-loss insurance and excess of loss insurance), provided that the
requirements of Sec. 164.514(g) are met, if applicable;
(4) Conducting or arranging for medical review, legal services, and
auditing functions, including fraud and abuse detection and compliance
programs;
(5) Business planning and development, such as conducting
cost-management and planning-related analyses related to managing and
operating the entity, including formulary development and
administration, development or improvement of methods of payment or
coverage policies; and
(6) Business management and general administrative activities of the
entity, including, but not limited to:
(i) Management activities relating to implementation of and
compliance with the requirements of this subchapter;
(ii) Customer service, including the provision of data analyses for
policy holders, plan sponsors, or other customers, provided that
protected health information is not disclosed to such policy holder,
plan sponsor, or customer.
(iii) Resolution of internal grievances;
(iv) Due diligence in connection with the sale or transfer of assets
to a potential successor in interest, if the potential successor in
interest is a covered entity or, following completion of the sale or
transfer, will become a covered entity; and
(v) Consistent with the applicable requirements of Sec. 164.514,
creating de-identified health information, fundraising for the benefit
of the covered entity, and marketing for which an individual
authorization is not required as described in Sec. 164.514(e)(2).
Health oversight agency means an agency or authority of the United
States, a State, a territory, a political subdivision of a State or
territory, or an Indian tribe, or a person or entity acting under a
grant of authority from or contract with such public agency, including
the employees or agents of such public agency or its contractors or
persons or entities to whom it has granted authority, that is authorized
by law to oversee the health care system (whether public or private) or
government programs in which health information is necessary to
determine eligibility or compliance, or to enforce civil rights laws for
which health information is relevant.
Indirect treatment relationship means a relationship between an
individual and a health care provider in which:
(1) The health care provider delivers health care to the individual
based on the orders of another health care provider; and
(2) The health care provider typically provides services or
products, or reports the diagnosis or results associated with the health
care, directly to another health care provider, who provides the
services or products or reports to the individual.
Individual means the person who is the subject of protected health
information.
Individually identifiable health information is information that is
a subset of health information, including demographic information
collected from an individual, and:
(1) Is created or received by a health care provider, health plan,
employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental
health or condition of an individual; the provision of health care to an
individual; or the past, present, or future payment for the provision of
health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe
the information can be used to identify the individual.
Inmate means a person incarcerated in or otherwise confined to a
correctional institution.
Law enforcement official means an officer or employee of any agency
or authority of the United States, a State, a territory, a political
subdivision of a State or territory, or an Indian tribe, who is
empowered by law to:
(1) Investigate or conduct an official inquiry into a potential
violation of law; or
(2) Prosecute or otherwise conduct a criminal, civil, or
administrative proceeding arising from an alleged violation of law.
Marketing means to make a communication about a product or service a
purpose of which is to encourage recipients of the communication to
purchase or use the product or service.
(1) Marketing does not include communications that meet the
requirements of paragraph (2) of this definition and that are made by a
covered entity:
(i) For the purpose of describing the entities participating in a
health care provider network or health plan network, or for the purpose
of describing if and the extent to which a product or service (or
payment for such product or service) is provided by a covered entity or
included in a plan of benefits; or
(ii) That are tailored to the circumstances of a particular
individual and the communications are:
(A) Made by a health care provider to an individual as part of the
treatment of the individual, and for the purpose of furthering the
treatment of that individual; or
(B) Made by a health care provider or health plan to an individual
in the course of managing the treatment of that individual, or for the
purpose of
directing or recommending to that individual alternative treatments,
therapies, health care providers, or settings of care.
(2) A communication described in paragraph (1) of this definition is
not included in marketing if:
(i) The communication is made orally; or
(ii) The communication is in writing and the covered entity does not
receive direct or indirect remuneration from a third party for making
the communication.
Organized health care arrangement means:
(1) A clinically integrated care setting in which individuals
typically receive health care from more than one health care provider;
(2) An organized system of health care in which more than one
covered entity participates, and in which the participating covered
entities:
(i) Hold themselves out to the public as participating in a joint
arrangement; and
(ii) Participate in joint activities that include at least one of
the following:
(A) Utilization review, in which health care decisions by
participating covered entities are reviewed by other participating
covered entities or by a third party on their behalf;
(B) Quality assessment and improvement activities, in which
treatment provided by participating covered entities is assessed by
other participating covered entities or by a third party on their
behalf; or
(C) Payment activities, if the financial risk for delivering health
care is shared, in part or in whole, by participating covered entities
through the joint arrangement and if protected health information
created or received by a covered entity is reviewed by other
participating covered entities or by a third party on their behalf for
the purpose of administering the sharing of financial risk.
(3) A group health plan and a health insurance issuer or HMO with
respect to such group health plan, but only with respect to protected
health information created or received by such health insurance issuer
or HMO that relates to individuals who are or who have been participants
or beneficiaries in such group health plan;
(4) A group health plan and one or more other group health plans
each of which are maintained by the same plan sponsor; or
(5) The group health plans described in paragraph (4) of this
definition and health insurance issuers or HMOs with respect to such
group health plans, but only with respect to protected health
information created or received by such health insurance issuers or HMOs
that relates to individuals who are or have been participants or
beneficiaries in any of such group health plans.
Payment means:
(1) The activities undertaken by:
(i) A health plan to obtain premiums or to determine or fulfill its
responsibility for coverage and provision of benefits under the health
plan; or
(ii) A covered health care provider or health plan to obtain or
provide reimbursement for the provision of health care; and
(2) The activities in paragraph (1) of this definition relate to the
individual to whom health care is provided and include, but are not
limited to:
(i) Determinations of eligibility or coverage (including
coordination of benefits or the determination of cost sharing amounts),
and adjudication or subrogation of health benefit claims;
(ii) Risk adjusting amounts due based on enrollee health status and
demographic characteristics;
(iii) Billing, claims management, collection activities, obtaining
payment under a contract for reinsurance (including stop-loss insurance
and excess of loss insurance), and related health care data processing;
(iv) Review of health care services with respect to medical
necessity, coverage under a health plan, appropriateness of care, or
justification of charges;
(v) Utilization review activities, including precertification and
preauthorization of services, concurrent and retrospective review of
services; and
(vi) Disclosure to consumer reporting agencies of any of the
following protected health information relating to collection of
premiums or reimbursement:
(A) Name and address;
(B) Date of birth;
(C) Social security number;
(D) Payment history;
(E) Account number; and
(F) Name and address of the health care provider and/or health plan.
Plan sponsor is defined as defined at section 3(16)(B) of ERISA, 29
U.S.C. 1002(16)(B).
Protected health information means individually identifiable health
information:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in any medium described in the definition of
electronic media at Sec. 162.103 of this subchapter; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable
health information in:
(i) Education records covered by the Family Educational Right and
Privacy Act, as amended, 20 U.S.C. 1232g; and
(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).
Psychotherapy notes means notes recorded (in any medium) by a health
care provider who is a mental health professional documenting or
analyzing the contents of conversation during a private counseling
session or a group, joint, or family counseling session and that are
separated from the rest of the individual's medical record.
Psychotherapy notes excludes medication prescription and monitoring,
counseling session start and stop times, the modalities and frequencies
of treatment furnished, results of clinical tests, and any summary of
the following items: Diagnosis, functional status, the treatment plan,
symptoms, prognosis, and progress to date.
Public health authority means an agency or authority of the United
States, a State, a territory, a political subdivision of a State or
territory, or an Indian tribe, or a person or entity acting under a
grant of authority from or contract with such public agency, including
the employees or agents of such public agency or its contractors or
persons or entities to whom it has granted authority, that is
responsible for public health matters as part of its official mandate.
Required by law means a mandate contained in law that compels a
covered entity to make a use or disclosure of protected health
information and that is enforceable in a court of law. Required by law
includes, but is not limited to, court orders and court-ordered
warrants; subpoenas or summons issued by a court, grand jury, a
governmental or tribal inspector general, or an administrative body
authorized to require the production of information; a civil or an
authorized investigative demand; Medicare conditions of participation
with respect to health care providers participating in the program; and
statutes or regulations that require the production of information,
including statutes or regulations that require such information if
payment is sought under a government program providing public benefits.
Research means a systematic investigation, including research
development, testing, and evaluation, designed to develop or contribute
to generalizable knowledge.
Treatment means the provision, coordination, or management of health
care and related services by one or more health care providers,
including the coordination or management of health care by a health care
provider with a third party; consultation between health care providers
relating to a patient; or the referral of a patient for health care from
one health care provider to another.
Use means, with respect to individually identifiable health
information, the sharing, employment, application, utilization,
examination, or analysis of such information within an entity that
maintains such information.