List of Compliances under

the Health Insurance Portability and Accountability Act of 1996

Citation Important Definitions

45 CFR, Section (i) “Business associate” (1) Except as provided in paragraph (4) of this
160.103 definition, business associate means, with respect to a covered entity, a person
who: (i) On behalf of such covered entity or of an organized health care
arrangement (as defined in this section) in which the covered entity
participates, but other than in the capacity of a member of the workforce of
such covered entity or arrangement, creates, receives, maintains, or transmits
protected health information for a function or activity regulated by this
subchapter, including claims processing or administration, data analysis,
processing or administration, utilization review, quality assurance, patient
safety activities listed at 42 CFR 3.20, billing, benefit management, practice
management, and repricing; or (ii) Provides, other than in the capacity of a
member of the workforce of such covered entity, legal, actuarial, accounting,
consulting, data aggregation (as defined in Section 164.501 of this
subchapter), management, administrative, accreditation, or financial services
to or for such covered entity, or to or for an organized health care arrangement
in which the covered entity participates, where the provision of the service
involves the disclosure of protected health information from such covered
entity or arrangement, or from another business associate of such covered
entity or arrangement, to the person. (2) A covered entity may be a business
associate of another covered entity. (3) Business associate includes: (i) A
Health Information Organization, E-prescribing Gateway, or other person that
provides data transmission services with respect to protected health
information to a covered entity and that requires access on a routine basis to
such protected health information. (ii) A person that offers a personal health
record to one or more individuals on behalf of a covered entity. (iii) A
subcontractor that creates, receives, maintains, or transmits protected health
information on behalf of the business associate. (4) Business associate does
not include: (i) A health care provider, with respect to disclosures by a covered
entity to the health care provider concerning the treatment of the individual.
(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a
health insurance issuer or HMO with respect to a group health plan) to the
plan sponsor, to the extent that the requirements of § 164.504(f) of this
subchapter apply and are met. (iii) A government agency, with respect to
determining eligibility for, or enrollment in, a government health plan that
provides public benefits and is administered by another government agency, or
collecting protected health information for such purposes, to the extent such
activities are authorized by law. (iv) A covered entity participating in an
organized health care arrangement that performs a function or activity as
described by paragraph (1)(i) of this definition for or on behalf of such
organized health care arrangement, or that provides a service as described in
paragraph (1)(ii) of this definition to or for such organized health care
arrangement by virtue of such activities or services.
(ii) “Covered entity” means: (1) A health plan. (2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic
form in connection with a transaction covered by this subchapter.

(iii) “Disclosure” means the release, transfer, provision of access to, or divulging
in any manner of information outside the entity holding the information.

(iv) “Health care” means care, services, or supplies related to the health of an
individual. Health care includes, but is not limited to, the following: (1)
Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative
care, and counseling, service, assessment, or procedure with respect to the
physical or mental condition, or functional status, of an individual or that
affects the structure or function of the body; and (2) Sale or dispensing of a
drug, device, equipment, or other item in accordance with a prescription.

(v) “Health information” means any information, including genetic information,

whether oral or recorded in any form or medium, that: (1) Is created or
received by a health care provider, health plan, public health authority,
employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition
of an individual; the provision of health care to an individual; or the past,
present, or future payment for the provision of health care to an individual.

(vi) “Individually identifiable health information” is information that is a subset

of health information, including demographic information collected from an
individual, and: (1) Is created or received by a health care provider, health
plan, employer, or health care clearinghouse; and (2) Relates to the past,
present, or future physical or mental health or condition of an individual; the
provision of health care to an individual; or the past, present, or future
payment for the provision of health care to an individual; and (i) That
identifies the individual; or (ii) With respect to which there is a reasonable
basis to believe the information can be used to identify the individual.

(vii) “Organized health care arrangement” means: (1) A clinically integrated

care setting in which individuals typically receive health care from more than
one health care provider; (2) An organized system of health care in which
more than one covered entity participates and in which the participating
covered entities: (i) Hold themselves out to the public as participating in a
joint arrangement; and (ii) Participate in joint activities that include at least
one of the following: (A) Utilization review, in which health care decisions by
participating covered entities are reviewed by other participating covered
entities or by a third party on their behalf; (B) Quality assessment and
improvement activities, in which treatment provided by participating covered
entities is assessed by other participating covered entities or by a third party on
their behalf; or (C) Payment activities, if the financial risk for delivering
health care is shared, in part or in whole, by participating covered entities
through the joint arrangement and if protected health information created or
received by a covered entity is reviewed by other participating covered entities
or by a third party on their behalf for the purpose of administering the sharing
 of financial risk. (3) A group health plan and a health insurance issuer or HMO
with respect to such group health plan, but only with respect to protected
health information created or received by such health insurance issuer or
HMO that relates to individuals who are or who have been participants or
beneficiaries in such group health plan; (4) A group health plan and one or
more other group health plans each of which are maintained by the same plan
sponsor; or (5) The group health plans described in paragraph (4) of this
definition and health insurance issuers or HMOs with respect to such group
health plans, but only with respect to protected health information created or
received by such health insurance issuers or HMOs that relates to individuals
who are or have been participants or beneficiaries in any of such group health
plans.

(viii) “Protected health information” means individually identifiable health

information: (1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media; (ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium. (2) Protected
health information excludes individually identifiable health information: (i) In
education records covered by the Family Educational Rights and Privacy Act,
as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)
(4)(B)(iv); (iii) In employment records held by a covered entity in its role as
employer; and (iv) Regarding a person who has been deceased for more than
50 years.

(ix) “Transaction” means the transmission of information between two parties to

carry out financial or administrative activities related to health care. It includes
the following types of information transmissions: (1) Health care claims or
equivalent encounter information. (2) Health care payment and remittance
advice. (3) Coordination of benefits. (4) Health care claim status. (5)
Enrollment and disenrollment in a health plan. (6) Eligibility for a health plan.
(7) Health plan premium payments. (8) Referral certification and
authorization. (9) First report of injury. (10) Health claims attachments. (11)
Health care electronic funds transfers (EFT) and remittance advice. (12) Other
transactions that the Secretary may prescribe by regulation.

Compliances under HIPAA Privacy and Security Rules

Provided under Title 45-Code of Federal Regulations, Part 164, Subpart A, Subpart C and Subpart
E

Subpart A, “Common ownership” exists if an entity or entities possess an ownership or equity

Section 164.103 interest of 5 percent or more in another entity.
(Definitions)
“Covered functions” means those functions of a covered entity the performance of
which makes the entity a health plan, health care provider, or health care
clearinghouse.

“Health care component” means a component or combination of components of a

hybrid entity designated by the hybrid entity in accordance with§164.105(a)(2)(iii)
(D).
 “Hybrid entity” means a single legal entity:
(1) That is a covered entity;
(2) Whose business activities include both covered and non-covered functions; and
(3) That designates health care components in accordance with paragraph §
164.105(a)(2)(iii)(D).

(a) Except as otherwise provided, the standards, requirements, and implementation

Section 164.104 specifications adopted under this part apply to the following entities:
(Applicability)
(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic
form in connection with a transaction covered by this subchapter.

(b) Where provided, the standards, requirements, and implementation specifications

adopted under this part apply to a business associate.

Subpart C, (i) General Requirements

Section 164.306
– (Security (a) Ensure Confidentiality, Integrity, and Availability (CIA) of electronic
Standards: protected information.
General Rules)
(b) Verify that all electronic protected health information created, received,
maintained, or transmitted is protected to ensure its confidentiality,
integrity, and availability.

(c) Implement physical, administrative, and technical safeguards to protect

ePHI.

(ii) Protection Against Threats: Assess and implement safeguards against

reasonably anticipated threats to the security or integrity of electronic
protected health information.

(iii) Protection Against Improper Use or Disclosure: Implement policies and

procedures that limit uses and disclosures of, and access to, ePHI to only those
that are permitted or required by HIPAA rules.

(iv) Workforce Compliance

(a) Educate and train workforce members on HIPAA policies and

procedures.

(b) Monitor workforce compliance with security measures.

(c) Apply appropriate sanctions against workforce members who fail to

 comply with security policies and procedures.

(v) Flexibility of Approach

(vi) Security Measures

(a) Use security measures that best allow for compliance with the standards
and implementation specifications in § 164.306.

(b) Document and justify all chosen security measures.

(vii) Factors in Deciding Security Measures

(a) Evaluate the size, complexity, and capabilities of your organization.

(b) Assess your technical infrastructure, hardware, and software security

capabilities.

(c) Consider the costs of security measures relative to the potential risks.

(d) Evaluate the probability and criticality of potential risks to ePHI.

(viii) Compliance with Standards

(a) Ensure adherence to all applicable standards and implementation

specifications as outlined in §§ 164.308, 164.310, 164.312, 164.314,
and 164.316.

(b) Periodically review and update security measures and practices in

response to environmental or operational changes affecting the security
of ePHI.

(ix) Implementation Specifications Overview

(a) Identify all implementation specifications listed as either “Required” or

“Addressable” in § 164.308, § 164.310, § 164.312, § 164.314, and §
164.316.

(b) Review each implementation specification to understand whether it is

mandatory or allows for flexibility based on your specific environment.

(x) Required Implementation Specifications

(a) Ensure that all “Required” implementation specifications have been

implemented.
(b) Regularly review and update these measures to ensure ongoing
compliance and effectiveness.
(xi) Assessment of Addressable Specifications

(a) Assess each “Addressable” implementation specification to determine if

 it is a reasonable and appropriate safeguard in your environment.

(b) Consider the potential benefits and protective impact of each

specification on ePHI.

(xii) Decision on Addressable Specifications

(a) For each addressable specification:

Implement the specification if it is deemed reasonable and appropriate.
If not implementing, document the reasons why it is not reasonable and
appropriate.
If not implementing, assess and, if reasonable and appropriate,
implement an equivalent alternative measure.
Maintain documentation of decisions and actions taken regarding
addressable specifications.
Section § 164.306(e) - Maintenance of Security Measures

Regular Review and Modification

Ongoing Security Measure Review
Regularly review and modify security measures to address any changes
in the environment, technology, or potential new threats to ePHI.
Ensure security measures remain reasonable and appropriate to protect
ePHI under current conditions.
Documentation Updates
Update documentation of security measures and related decisions as
required by § 164.316(b)(2)(iii).
Maintain clear, accessible records of all reviews, modifications, and
actions taken to secure ePHI.

Section 164.308 (i) A covered entity or business associate must in accordance with section
(Administrative 164.306 implement the following standards:
Safeguards)
Standard

(a) Security Management Process: Implement policies and procedures to

prevent, detect, contain, and correct security violations.

Implementation

(b) Risk Analysis (Required): Conduct an accurate and thorough risk analysis of
potential risks to ePHI.

(c) Risk Management (Required): Implement security measures to reduce risks

to ePHI to reasonable levels.

(d) Sanction Policy (Required): Develop and apply sanctions against workforce
members for non-compliance with security policies.

(e) Information System Activity Review (Required): Regularly review audit

logs, access reports, and security incident tracking.
 Standard

(f) Security Official Identification: Designate a security official responsible for

the security policy and procedure management required under Section
164.308 for the covered entity or business associate.

Standard

(g) Workforce Security: Implement policies and procedures so that all members
of the workforce have appropriate access to ePHI.

Implementation

(h) Authorization and Supervision (Addressable): Implement procedures to

oversee workforce members handling ePHI.

(i) Workforce Clearance Procedure (Addressable): Ensure procedures are in

place to validate workforce members' access to ePHI is appropriate.

(j) Termination Procedures (Addressable): Implement processes to terminate

access to ePHI when necessary.

Standard

(k) Information Access Management: Implement policies and procedures for

authorizing access to ePHI that are consistent with the applicable
requirements laid down under Subpart E.

Implementation

(l) Isolating Health Care Clearinghouse Functions (Required): Enforce policies

and procedures to protect ePHI from unauthorized access if health care
organization is part of larger organization structures.

(m) Access Authorization (Addressable): Develop and enforce policies and

procedures for ePHI access authorization.

(n) Access Establishment and Modification (Addressable): Establish and review

mechanisms to control access rights to ePHI.

Standard

(o) Security Awareness and Training: Implement a security awareness and

training program for all members of the workforce including management.

Implementation Specification

(p) Security Reminders (Addressable): implement periodic security updates and

reminders.
 (q) Protection from Malicious Software (Addressable): deploy procedures to
protect against, detect, and report malicious software.

(r) Log-in Monitoring (Addressable): monitor and report discrepancies in log-in

attempts.

(s) Password Management (Addressable): establish processes for secure

password creation, change, and protection.

Standard

(t) Security Incident Procedures: implement policies and procedures to address

security incidents.

Implementation specification

(u) Response and Reporting: develop policies to identify and respond to

suspected or known security incidents, mitigate harmful effects of security
incidents that are known to the covered entity and document security incident
and their outcomes.

Standard

(v) Contingency Plan: establish and implement policies and procedures for
responding to an emergency or other occurrence such as fire, vandalism,
system failure, and natural disaster that damages systems that contain ePHI.

(w) Data Backup Plan (Required): implement procedures to maintain retrievable

exact copies of ePHI.

(x) Disaster Recovery Plan (Required): establish procedures to restore lost data.

(y) Emergency Mode Operation Plan (Required): ensure continuation of critical

business processes for ePHI security during emergencies.

(z) Testing and Revision Procedures (Addressable): periodically test and update
contingency plans.

(aa) Applications and Data Criticality Analysis (Addressable): evaluate the

criticality of specific applications and data in contingency planning.

Standard

(bb) Evaluation: Conduct periodic technical and non-technical evaluations,

initially based on the existing standards and then in reaction to any changes in
environment or operations that impact the security of electronic protected
health information.

(ii) Business Associate Contracts and Arrangements: Ensure written contracts or

 other arrangements with business associates comply with HIPA
requirements.

Section 164.310 (i) Maintenance Records (Addressable): Implement policies and procedures to
(Physical document repairs and modifications to the security-related physical
Safeguards) components of a facility (e.g., hardware, walls, doors, locks).

(ii) Workstation Use (Required): Implement policies and procedures that

specify the functions to be performed at workstations, the manner in which
those functions are to be performed, and the physical attributes of the
environment where workstations that access electronic protected health
information (ePHI) are located.

(iii) Workstation Security (Required): Implement physical safeguards at all

workstations to limit access to authorized users only.

(iv) Device and Media Controls:

(a) Disposal (Required): Develop and enforce policies and procedures for
the proper disposal of ePHI and the hardware or electronic media on
which it is stored.

(b) Media Re-use (Required): Implement procedures to remove ePHI from

electronic media before the media are reused.

(c) Accountability (Addressable): Maintain a record of the movements of

hardware and electronic media and the persons responsible for those
movements.

(d) Data Backup and Storage (Addressable): Create retrievable, exact

copies of ePHI when needed, particularly before moving equipment.

(v) Additional Specifications.

(a) Contingency Operations (Addressable): Establish and implement

procedures to enable facility access in support of data recovery under
the disaster recovery plan and emergency operations, in the event of an
emergency.

(b) Facility Security Plan (Addressable): Implement policies and

procedures to safeguard electronic information systems and the
facilities and its equipment from unauthorized physical access,
tampering, and theft.

(c) Access Control and Validation Procedures (Addressable): Implement

procedures to control and validate a person’s access to facilities based
on their role or function, including controls for visitor access and
access to software programs for testing and revisions.
Section 164.312 (i) Access Control: Establish and enforce technical policies for
(Technical electronic systems containing protected health information to
Safeguards) ensure access is limited to authorized users and programs, as
outlined in § 164.308(a)(4).

(ii) Unique User Identification (Required): Assign a unique identifier

(name or number) to each user for identification and tracking.

(iii) Emergency Access Procedure (Required): Establish procedures to

ensure that necessary ePHI can be accessed during an emergency.

(iv) Automatic Logoff (Addressable): Implement automatic logoff to

terminate sessions after a period of inactivity to prevent
unauthorized access.

(v) Encryption and Decryption (Addressable): Deploy encryption and

decryption methods to protect ePHI.

(vi) Audit Controls: Implement audit controls using hardware,

software, or procedures to monitor and record activities in systems
handling electronic protected health information.

(vii) Integrity: Develop policies and procedures to prevent improper

alteration or destruction of ePHI.

(viii) Mechanism to Authenticate ePHI (Addressable): Implement

measures to verify that ePHI has not been altered or destroyed in
an unauthorized manner.

(ix) Person or Entity Authentication: Implement procedures to verify

that a person or entity requesting access to ePHI is the one
claimed.

(x) Transmission Security and Integrity Controls (Addressable):

Establish security measures to ensure that ePHI is not improperly
altered without detection during transmission.

(xi) Encryption (Addressable): Use encryption to protect ePHI during

transmission, applying it as deemed necessary.

Section 164.314 (i) Business Associate Contracts: Mandate business associates to

(Organizational comply with this Subpart C, ensure subcontractors also comply,
Requirements) and report any security incidents.

(ii) Other Arrangements: Maintain alternative arrangements that meet

specified requirements.
 (iii) Subcontractor Contracts: Apply the same requirements to
subcontractor arrangements as to business associates.

(iv) Group Health Plans (Required): Group health plans must ensure
their plan documents enforce safeguards for ePHI handled by plan
sponsors, except under specified exceptions.

(v) Implementation Specifications: Amend plan documents to include

safeguards that protect ePHI, ensure adequate separation of data,
require agents to implement protective measures, and mandate
reporting of security incidents.

Section 164.316 General Requirements

(i) Adopt Policies and Procedures: Implement reasonable and appropriate policies
and procedures to comply with the standards and requirements of this subpart,
considering factors specified in § 164.306(b)(2).

(ii) Flexibility in Policy Modification: Modify policies and procedures as needed,

ensuring changes are documented and implemented in accordance with
regulatory requirements.

Documentation Standards

(iii) Maintain Written Records: Keep all policies and required actions, activities, or
assessments documented in written (including electronic) form.

(iv) Retention Period: Retain all required documentation for 6 years from the date
of creation or when it was last in effect, whichever is later.

(v) Accessibility of Documentation: Ensure documentation is accessible to those

responsible for implementing the related procedures.

(vi) Regular Updates: Periodically review and update documentation in response

to environmental or operational changes affecting ePHI security.

Subpart E (i) A covered entity or business associate may not use or disclose protected health
164.502 information except as permitted or required by this subpart or by subpart c of
Uses and Part 160.
disclosures of
protected health (ii) Permitted Uses and Disclosures by Covered Entities:
information:
General rules (a) To the individual directly.

(b) For treatment, payment, or health care operations in accordance with

Section164.506.
(c) Incident to a permitted or required use or disclosure, ensuring
compliance with Sections 164.502(b), 164.514(d), and 164.530(c).
 (d) With valid authorization under Section 164.508, except where
otherwise prohibited.

(e) As per agreements or permissions granted under Section 164.510.

(f) In compliance with Section 164.512, § 164.514(e), (f), or (g).

(iii) Required Disclosures by Covered Entities

(a) To individuals requesting access or accounting of their PHI as required

by Section 164.524 or Section 164.528.

(b) When the Secretary of Health and Human Services under Subpart C of
Part 160 requires it to investigate or determine compliance.

(iv) Permitted Uses and Disclosures by Business Associates

(a) Only as allowed through a business associate contract or as required by

law, according to Section164.504(e).

(b) Not to use or disclose PHI in ways that would violate the covered
entity’s rules if performed by the covered entity, except as specifically
allowed in the contract.

(v) Required Disclosures by Business Associates

(a) When the Secretary requires it to investigate or determine compliance.

(b) To the covered entity, individual, or designated person to fulfill the

covered entity’s obligations concerning requests for an electronic copy
of PHI.

(vi) Prohibitions on Use and Disclosure

(a) Genetic Information: Do not use or disclose genetic information for

underwriting purposes in health plans, with exceptions noted for
determining medical appropriateness.

(vii) Sale of Protected Health Information (PHI):

(a) Prohibited unless in compliance with § 164.508(a)(4).

(b) Does not include:

(1) Public Health: Disclosures for public health purposes as outlined

in Sections 164.512(b) or 164.514(e).

(2) Research: Disclosures for research where remuneration to the

covered entity or business associate is limited to reasonable costs
 for preparing and transmitting PHI, pursuant to §§ 164.512(i) or
164.514(e).

(3) Treatment and Payment: Disclosures made for treatment and

payment purposes in accordance with § 164.506(a).

(4) Business Transactions: Disclosures related to the sale, transfer,

merger, or consolidation of all or part of a covered entity and due
diligence activities as described under health care operations and
Section 164.506(a).

(5) Business Associate Activities: Disclosures to or by a business

associate for activities it performs on behalf of a covered entity or
another business associate (in case of a subcontractor), where the
remuneration is for the performance of such activities as permitted
under Sections164.502(e) and 164.504(e).

(6) Individual Requests: Disclosures made directly to an individual

upon their request, according to Sections 164.524 or 164.528.

(7) Legal Requirements: Disclosures that are required by law, as

allowed under Sections 164.512(a).

(8) Permitted Purposes: Disclosures for any other permitted purposes

where the only remuneration involves a reasonable, cost-based fee
to cover costs for preparing and transmitting PHI or is explicitly
allowed by other laws, in accordance with the relevant sections of
HIPAA regulations.

(viii) Standard: Minimum Necessary Requirement:

(a) General Rule: When using, disclosing, or requesting PHI from another
covered entity or business associate, it is mandatory to limit the
information to the minimum necessary to achieve the intended purpose.

(b) Exceptions:

(1) Treatment Communications: PHI disclosures or requests by

healthcare providers for treatment purposes are exempt.

(2) Individual Requests: Uses or disclosures made directly to the

individual involved.

(3) Authorized Uses: Activities that occur under a formal authorization

as outlined in § 164.508.

(4) Government Disclosures: Disclosures made to the Secretary in

compliance with subpart C of part 160.
(5) Legal Requirements: Uses or disclosures mandated by law (§
164.512(a)).
 (6) Compliance Necessities: Uses or disclosures required for compliance
with applicable regulations of the subchapter.

(ix) Standard: Restrictions on Use and Disclosure.

(a) Agreed Restrictions: If a restriction is agreed upon as per § 164.522(a)(1),

the PHI covered by that restriction must not be used or disclosed contrary
to the terms of the agreement, unless otherwise permitted under §
164.522(a).

(x) Standard: Handling De-Identified Information

(a) Creating De-Identified Data: PHI may be used or disclosed to create de-
identified information, which can be done either by the covered entity
itself or via a business associate.

(b) De-Identified Data Use and Disclosure: Information that meets de-
identification standards per § 164.514(a) and (b) is no longer considered
PHI and is exempt from the requirements of this subpart.

(c) Re-identification: Any code or method used to allow re-identification of

de-identified information is considered PHI. Furthermore, if de-identified
information is re-identified, it must be handled as PHI according to
applicable regulations.

(xi) Business Associate Disclosures

(a) Primary Business Associates: A covered entity may disclose PHI to a

business associate, or allow them to create, receive, maintain, or transmit
PHI, provided the entity obtains written assurances that the business
associate will adequately safeguard the information.

(b) Subcontractors as Business Associates: A business associate is allowed to

disclose PHI to a subcontractor and permit them to manage PHI on their
behalf if written assurances of proper safeguarding are secured in line
with § 164.504(e)(1)(i).

(c) Implementation Specifications: The necessary assurances must be

documented through written contracts or other agreements that meet the
requirements specified in § 164.504(e).

(xii) Deceased Individuals: PHI of deceased individuals must be protected for 50

years post the individual’s death, adhering to the same regulations as for living
individuals.

(xiii) Personal Representatives

(a) General Treatment: Personal representatives are to be treated as the

individual themselves for the purposes of this subchapter, with specific
 exceptions noted below.

(b) Adults and Emancipated Minors: If legally authorized, a person acting on

behalf of an adult or emancipated minor in healthcare decisions is
recognized as a personal representative regarding relevant PHI.

(c) Unemancipated Minors: Parents, guardians, or others acting in loco

parentis are recognized as personal representatives in making healthcare
decisions unless the minor is permitted by law to consent to specific
health services without parental consent or desires confidentiality.

(d) Specific Exceptions: Disclosure of PHI to a personal representative may

be restricted if it is believed that doing so might subject the individual to
abuse, neglect, or endangerment.

(e) Deceased Individuals: Executors or administrators authorized under law

are treated as personal representatives for handling PHI of deceased
individuals.

(f) Abuse, Neglect, Endangerment Situations: A covered entity may opt not
to treat a person as a personal representative if there is a reasonable belief
of potential harm to the individual by doing so.

(g) Confidential Communications: Covered healthcare providers and health

plans must adhere to § 164.522(b) ensuring PHI communications are
handled confidentially as specified.

(h) Consistency with Notice: A covered entity must not use or disclose PHI in
a way that is inconsistent with its notice of privacy practices as required
by Section 164.520. Specific statements related to particular activities
must be included in the notice if the entity engages in those activities.