42 CFR 403.812 - HIPAA privacy, security, administrative data standards, and national identifiers.

Status message

There is 1 rule appearing in the Federal Register for 42 CFR 403. View below or at eCFR (GPOAccess)
§ 403.812 HIPAA privacy, security, administrative data standards, and national identifiers.
(a) HIPAA covered entities. An endorsed sponsor is a HIPAA covered entity and must comply with the standards, implementation specifications, and requirements in 45 CFR parts 160, 162, and 164 as set forth in this section. Those functions of an endorsed sponsor the performance of which are necessary or directly related to the operations of the endorsed discount card program are covered functions for purposes of applying to endorsed sponsors the standards, implementation specifications, and requirements in 45 CFR parts 160, 162, and 164.
(b) HIPAA privacy requirements. An endorsed sponsor must comply with the standards, implementation specifications, and requirements in the Standards for Privacy of Individually Identifiable Health Information, 45 CFR parts 160 and 164, subparts A and E, in the same manner as a health plan, except to the extent such requirements are temporarily waived by the Secretary.
(c) Security requirements—
(1) Standard. An endorsed sponsor must comply with the applicable standards, implementation specifications, and requirements in the HIPAA Security Rule, 45 CFR parts 160 and 164, subparts A and C, in the same manner as other covered entities as of the compliance date of such Rule.
(2) Attestation. An applicant in its application shall—
(i) Attest that, as of the initial enrollment date, it will have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information in accordance with 45 CFR 164.530(c); and
(ii) Attest that its information security measures will meet the standards, implementation specifications, and requirements of 45 CFR part 164 subparts A and C as of the initial enrollment date, or, if unable to make this attestation, provide a plan for coming into compliance with these requirements by the compliance date of the Security Rule set forth in 45 CFR part 164, subpart C.
(d) Administrative data standards. An endorsed sponsor must comply with any applicable standards, implementation specifications, and requirements in the Standards for Electronic Transactions under 45 CFR parts 160 and 162 subparts I through R.
(e) Unique identifiers. An endorsed sponsor must comply with any applicable standards, implementation specifications, and requirements regarding standard unique identifiers under 45 CFR parts 160 and 162 as of the compliance date of any final rule for standard unique identifiers.
(f) Applicability of other regulations. Nothing in this paragraph or in § 403.813 shall be deemed a modification of parts 160, 162 and 164 of title 45, Code of Federal Regulations or otherwise modify the applicability of such regulations to other organizations or covered entities independently subject to the mandates of HIPAA. If an endorsed sponsor is also a health plan, health care provider, or health care clearinghouse, nothing is this paragraph shall impair or otherwise affect the application of HIPAA or parts 160, 162 and 164 of title 45, Code of Federal Regulations to such entity and its performance of those functions which make such entity a health plan, health care provider, or health care clearinghouse.

Title 42 published on 2014-10-01

The following are only the Rules published in the Federal Register after the published date of Title 42.

For a complete list of all Rules, Proposed Rules, and Notices view the Rulemaking tab.

  • 2014-11-13; vol. 79 # 219 - Thursday, November 13, 2014
    1. 79 FR 67548 - Medicare Program; Revisions to Payment Policies Under the Physician Fee Schedule, Clinical Laboratory Fee Schedule, Access to Identifiable Data for the Center for Medicare and Medicaid Innovation Models & Other Revisions to Part B for CY 2015
      GPO FDSys XML | Text
      DEPARTMENT OF HEALTH AND HUMAN SERVICES, Centers for Medicare & Medicaid Services
      Final rule with comment period.
      Effective date: The provisions of this final rule are effective on January 1, 2015, with the exception of amendments to parts 412, 413, and 495 which are effective October 31, 2014. Comment date: To be assured consideration, comments must be received at one of the addresses provided below, no later than 5 p.m. on December 30, 2014. Compliance date: The compliance date for new data collection requirements in § 403.904(c)(8) is January 1, 2016.
      42 CFR Parts 403, 405, 410, 411, 412, 413, 414, 425, 489, 495, and 498

This is a list of United States Code sections, Statutes at Large, Public Laws, and Presidential Documents, which provide rulemaking authority for this CFR Part.

This list is taken from the Parallel Table of Authorities and Rules provided by GPO [Government Printing Office].

It is not guaranteed to be accurate or up-to-date, though we do refresh the database weekly. More limitations on accuracy are described at the GPO site.


United States Code
Public Laws

Title 42 published on 2014-10-01

The following are ALL rules, proposed rules, and notices (chronologically) published in the Federal Register relating to 42 CFR 403 after this date.

  • 2014-11-13; vol. 79 # 219 - Thursday, November 13, 2014
    1. 79 FR 67548 - Medicare Program; Revisions to Payment Policies Under the Physician Fee Schedule, Clinical Laboratory Fee Schedule, Access to Identifiable Data for the Center for Medicare and Medicaid Innovation Models & Other Revisions to Part B for CY 2015
      GPO FDSys XML | Text
      DEPARTMENT OF HEALTH AND HUMAN SERVICES, Centers for Medicare & Medicaid Services
      Final rule with comment period.
      Effective date: The provisions of this final rule are effective on January 1, 2015, with the exception of amendments to parts 412, 413, and 495 which are effective October 31, 2014. Comment date: To be assured consideration, comments must be received at one of the addresses provided below, no later than 5 p.m. on December 30, 2014. Compliance date: The compliance date for new data collection requirements in § 403.904(c)(8) is January 1, 2016.
      42 CFR Parts 403, 405, 410, 411, 412, 413, 414, 425, 489, 495, and 498