What Is the HIPAA CFR? 45 CFR Parts 160, 162 & 164 Explained



Kevin Henry

HIPAA

June 24, 2025

6 minute read

HIPAA Administrative Simplification Overview

HIPAA’s Administrative Simplification rules are codified in Title 45 of the Code of Federal Regulations (CFR) and exist to do two things: standardize how you exchange health care data for billing and administration, and safeguard protected health information—especially in electronic form. Practically, that framework lives in three parts: Part 160 (general administrative requirements), Part 162 (standards for electronic transactions and related code sets/identifiers), and Part 164 (security, privacy, and breach notification). Together, they form the backbone of healthcare transactions compliance and electronic health information protection across covered entities and business associates. ([cms.gov](https://www.cms.gov/medicare/regulations-guidance/administrative-simplification?utm_source=openai))

45 CFR Part 160 General Administrative Requirements

Part 160 lays the ground rules. It defines key terms (like “transaction,” “business associate,” and “covered entity”), establishes who must comply, and sets the federal preemption framework that generally overrides conflicting state requirements while preserving certain state laws that are more protective or meet specific exceptions. It also authorizes the HHS Office for Civil Rights (OCR) to investigate complaints and conduct compliance reviews. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.103?utm_source=openai))

Part 160 also houses the HIPAA Enforcement Rule. OCR applies a four-tier, culpability-based civil money penalty structure, with amounts adjusted annually under a separate regulation. Understanding this structure—and how corrective action, cooperation, and timeliness affect outcomes—is central to reducing enforcement risk. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html?utm_source=openai))

45 CFR Part 162 Standards for Electronic Healthcare Transactions

Part 162 requires you to use nationally adopted standards when you send or receive common administrative transactions electronically. Covered transactions include health care claims, eligibility inquiries and responses, claim status, enrollment/disenrollment, premium payments, coordination of benefits, referral certification/authorizations, and electronic funds transfer/remittance advice. If you conduct any of these electronically, you must use the adopted standards—no proprietary substitutes. ([cms.gov](https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/transactions/faqs?utm_source=openai))

These requirements promote frictionless data exchange between providers, health plans, and clearinghouses. They also prohibit health plans from rejecting or disadvantaging a transaction simply because it follows the standard—an important safeguard for efficient, uniform operations. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/162.925?utm_source=openai))

45 CFR Part 164 Security and Privacy Standards

HIPAA Privacy Rule (Subpart E)

The HIPAA Privacy Rule sets national standards for how you may use and disclose protected health information (PHI) and what rights individuals have over their PHI (for example, to access, obtain copies, request amendments, and receive a notice of privacy practices). It applies to health plans, health care clearinghouses, and most providers that conduct HIPAA-covered electronic transactions. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/index.html?utm_source=openai))

HIPAA Security Rule (Subpart C)

The Security Rule requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI). Its flexible, risk-based standards focus on ensuring the confidentiality, integrity, and availability of ePHI, protecting against reasonably anticipated threats and impermissible uses/disclosures, and ensuring workforce compliance. Each standard is backed by implementation specifications that are either "required" or "addressable"; an addressable specification (encryption of ePHI is one) may be met by an equivalent alternative or documented as not reasonable and appropriate, but it cannot simply be skipped. Encryption carries a practical bonus: ePHI encrypted consistent with HHS guidance is not "unsecured" PHI, so the loss of a properly encrypted device or file does not trigger breach notification. ([hhs.gov](https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html?utm_source=openai))

Where Breach Notification Fits

HIPAA’s Breach Notification provisions reside in Part 164 Subpart D and work in tandem with the Privacy and Security Rules. They trigger specific obligations if unsecured PHI is compromised; details follow in the enforcement section below. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-D?utm_source=openai))


HIPAA Enforcement and Breach Notification Rules

OCR enforces the HIPAA Rules. The Enforcement Rule—located in Part 160, Subparts C, D, and E—governs investigations, civil money penalties, and administrative hearings. Understanding your investigative duties and how OCR assesses penalties can materially influence your response strategy after an incident or complaint. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html?utm_source=openai))

The Breach Notification Rule (Part 164, Subpart D) applies to breaches of unsecured PHI, that is, PHI not rendered unusable, unreadable, or indecipherable through encryption or destruction consistent with HHS guidance. You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. HHS must be notified on the same timeline for breaches affecting 500 or more individuals; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Breaches affecting more than 500 residents of a state or jurisdiction also require notice to prominent media outlets serving that area. An impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that PHI was compromised, weighing four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Business associates must notify the covered entity of breaches at or by the associate without unreasonable delay and no later than 60 calendar days after discovery. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))

HIPAA Transactions and Code Set Standards

When you conduct a standard electronic transaction, HIPAA requires nationally adopted medical and nonmedical code sets to ensure consistent data content. Core code sets include ICD-10-CM (diagnoses) and ICD-10-PCS (inpatient hospital procedures), CPT and HCPCS (procedures/services/supplies), CDT (dental), and NDC (drugs). Using the correct, valid codes at the time of service is essential for clean claims, accurate remittances, and audit-ready records. ([cms.gov](https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/code-sets?utm_source=openai))

HIPAA Identifier Standards

HIPAA standardizes key identifiers that appear in transactions. For providers, the National Provider Identifier (NPI) is the required 10-digit, intelligence-free number used in HIPAA transactions and other lawful purposes; its final digit is a check digit, so a malformed or mistyped NPI can be rejected before a claim ever leaves your system. For employers, the standard unique identifier is the IRS Employer Identification Number (EIN), which must be used wherever an employer identifier is required. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/162.406?utm_source=openai))
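The NPI check digit is computed with the Luhn formula over the nine-digit body prefixed with the constant "80840", which is what lets a transaction validator reject most single-digit typos and adjacent transpositions before submission. The validator below is an added example for this article, not code from CMS, HHS or any of the cited sources; the sample NPI 1234567893 is the value CMS uses in its own check-digit illustration, and the rejected variants are constructed here.

```python
"""Validate a National Provider Identifier (NPI) check digit.

An NPI is ten digits. The tenth digit is a Luhn check digit computed over
the first nine digits prefixed with the constant "80840". This is an added
example for this article, not code from CMS or HHS.
"""
import re

NPI_PREFIX = "80840"  # fixed prefix applied before the Luhn calculation


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of decimal digits."""
    total = 0
    # Walk from the rightmost payload digit, doubling every other digit
    # starting with that one; digits above 9 have 9 subtracted.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def npi_check_digit(first_nine: str) -> int:
    """Compute the check digit for a nine-digit NPI body."""
    if not re.fullmatch(r"\d{9}", first_nine):
        raise ValueError("NPI body must be exactly nine digits")
    return luhn_check_digit(NPI_PREFIX + first_nine)


def is_valid_npi(npi: str) -> bool:
    """True if `npi` is exactly ten digits and its check digit is correct.

    Values with spaces, hyphens or other characters are rejected outright:
    HIPAA transactions carry the bare ten-digit value.
    """
    if not re.fullmatch(r"\d{10}", npi):
        return False
    return npi_check_digit(npi[:9]) == int(npi[9])


if __name__ == "__main__":
    # Constructed inputs: the CMS sample NPI, a transposed copy, a bad check
    # digit, and a nine-digit value that is too short.
    for candidate in ("1234567893", "1234567983", "1234567894", "123456789"):
        print(candidate, "valid" if is_valid_npi(candidate) else "invalid")
```

Run as a script it prints the CMS sample as valid and the three constructed variants as invalid. The same check belongs at the edge of any claims pipeline: it is cheap, deterministic, and catches data-entry errors long before a payer's 999/277 rejection would.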

HHS previously adopted a Health Plan Identifier (HPID), but later rescinded that requirement. Today, health plans do not obtain or use HPIDs under HIPAA’s Administrative Simplification, and any active HPIDs/OEIDs were slated for deactivation per the final rule. ([cms.gov](https://www.cms.gov/priorities/key-initiatives/burden-reduction/administrative-simplification/unique-identifiers/hpid?utm_source=openai))

Bottom line: consistent use of unique healthcare identifiers supports transaction integrity, while the Privacy, Security, and Breach rules in Part 164 protect PHI and drive electronic health information protection across your ecosystem. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/index.html?utm_source=openai))

FAQs

What does 45 CFR Part 160 regulate?

Part 160 contains the general administrative requirements for HIPAA, including definitions, applicability, federal preemption of conflicting state laws, and the HIPAA Enforcement Rule provisions for compliance, investigations, penalties, and hearings administered by HHS OCR. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/part-160/subpart-B?utm_source=openai))

How do 45 CFR Parts 162 and 164 differ?

Part 162 standardizes the “plumbing” of electronic healthcare transactions, code sets, and identifiers so your data can flow uniformly between covered entities. Part 164 sets the substantive Security and Privacy standards—and breach notification requirements—that govern how you protect and disclose PHI. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/part-162?utm_source=openai))

What are the penalties for HIPAA violations under CFR?

OCR applies a four-tier civil money penalty framework in 45 CFR 160.404, scaled to the level of culpability (from “did not know” to “willful neglect not corrected”). Dollar amounts are updated annually under a separate rulemaking, and OCR also considers factors like the nature and extent of the violation and harm. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.404?utm_source=openai))

How does the HIPAA Breach Notification Rule apply?

If unsecured PHI is breached, you must notify affected individuals without unreasonable delay and within 60 calendar days of discovery; HHS is notified on the same timeline for breaches of 500 or more individuals (smaller breaches are reported annually), and the media must be notified when more than 500 residents of a state or jurisdiction are affected. Whether an incident is a reportable "breach" turns on a documented risk assessment that weighs specific factors; business associates must alert covered entities of breaches at or by the associate. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
