45 CFR Parts 160 and 164  (Download a copy in PDF)


This guidance explains and answers questions about key elements of the requirements of the HIPAA Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule). The Department of Health and Human Services (HHS) published the Privacy Rule on December 28, 2000, and adopted modifications of the Rule on August 14, 2002.

The Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) provides the first comprehensive Federal protection for the privacy of health information. All segments of the health care industry have expressed support for the objective of enhanced patient privacy in the health care system. The Privacy Rule, as modified, is carefully balanced to provide strong privacy protections that do not interfere with patient access to, or the quality of, health care delivery.

The guidance that follows is meant to communicate as clearly as possible the privacy policies contained in the Privacy Rule. For a particular segment in the Privacy Rule, the guidance will provide a brief explanation of the segment and how the Rule works.

The guidance does not address all of the relevant provisions in the Rule, although we anticipate adding segments in the future as we develop guidance on more Privacy Rule standards. We will also be adding to the “Frequently Asked Questions” on an ongoing basis as new questions arise. HHS plans to work expeditiously to address these additional questions to facilitate understanding of the Rule and to encourage voluntary compliance with its requirements. However, for a full understanding of one’s rights and responsibilities under the Rule, it is important to consult the Rule itself.

The Privacy Rule Standards Addressed

General Overview
Incidental Uses and Disclosures (45 CFR 164.502(a))
Minimum Necessary (45 CFR 164.502(b), 164.514(d))
Personal Representatives (45 CFR 164.502(g))
Business Associates (45 CFR 164.502(e), 164.504(e), 164.532(d) and (e))
Uses and Disclosures for Treatment, Payment, and Health Care Operations (45 CFR 164.506)
Marketing (45 CFR 164.501, 164.508(a))
Public Health (45 CFR 164.512(b))
Research (45 CFR 164.501, 164.508, 164.512(i), 164.514(e), 164.528, 164.532)
Workers’ Compensation Laws (45 CFR 164.512(l))
Notice (45 CFR 164.520)
Government Access (45 CFR Part 160, Subpart C, 164.512(f))

Please review our Frequently Asked Questions about the Privacy Rule.

Frequently Asked Questions for Professionals - Please see the HIPAA FAQs for additional guidance on health information privacy topics.

Content created by Office for Civil Rights (OCR)
Content last reviewed on November 5, 2015