Where to Find HIPAA Regulations: Official Sources and Direct Links
You can locate the authoritative HIPAA regulations quickly by focusing on a few official sources. This guide shows you exactly where to find the core rules, what each agency provides, and how to navigate the sites using citation shortcuts like 45 CFR Parts 160-164.
By the end, you’ll know how to access the combined regulation text, the HIPAA Privacy Rule and HIPAA Security Rule, CMS Administrative Simplification and Identifier Standards resources, and the Breach Notification Rule and Enforcement Rule materials.
U.S. Department of Health and Human Services Overview
The U.S. Department of Health and Human Services (HHS) maintains the HIPAA regulatory framework and publishes official guidance. Within HHS, the Office for Civil Rights (OCR) administers and enforces the HIPAA Privacy Rule, HIPAA Security Rule, the Breach Notification Rule, and the Enforcement Rule.
What you’ll find on HHS OCR
- Combined Regulation Text that compiles the current HIPAA rules into one document for easy reading.
- “HIPAA for Professionals” guidance organized by topic (uses and disclosures, right of access, business associates, safeguards, and more).
- FAQs, guidance bulletins, and enforcement materials that clarify requirements and illustrate compliance expectations.
How to locate it quickly
- Use the HHS site search for “OCR HIPAA” or “Health Information Privacy.”
- Open the HIPAA section and look for page titles like “Combined Regulation Text” and “HIPAA for Professionals.”
- If you know a citation, search it directly (for example, “45 CFR 164.524” for the right of access).
Centers for Medicare & Medicaid Services Details
The Centers for Medicare & Medicaid Services (CMS) leads HIPAA Administrative Simplification. CMS materials cover electronic data interchange standards, code sets, operating rules, and Identifier Standards such as the National Provider Identifier (NPI). These requirements are primarily located in 45 CFR Part 162 and complement OCR’s Privacy, Security, Breach Notification, and Enforcement Rules.
Key CMS resources for Administrative Simplification
- Regulations and guidance for standard transactions, code sets, and operating rules under Part 162.
- Identifier Standards resources (for example, NPI information and enumeration guidance).
- Compliance overviews and educational tools for health plans, clearinghouses, and providers.
Finding CMS materials fast
- Search for “CMS Administrative Simplification” or “HIPAA transactions and code sets.”
- Use citation-based searches like “45 CFR Part 162” to jump to the relevant regulation pages.
- Look for sections labeled “Regulations & Guidance,” “Standards,” or “NPI.”
Indian Health Service Standards
The Indian Health Service (IHS) implements HIPAA requirements across federal, tribal, and urban Indian health programs. IHS publishes policy manuals, procedural standards, and training materials that align with the HIPAA Privacy Rule and HIPAA Security Rule to meet the needs of the communities it serves.
What IHS publishes
- Policy chapters and circulars mapping HIPAA requirements to IHS operations.
- Workforce training resources on privacy practices, safeguarding ePHI, and breach response.
- Templates and forms (such as Notices of Privacy Practices) adapted for IHS facilities.
How to get to IHS HIPAA content
- Search the IHS site for “HIPAA,” “Privacy,” or “Information Security.”
- Open “Policy & Guidance” or “Manuals” sections to locate current standards and procedures.
- Use your citation knowledge (for example, “45 CFR 164.308”) when reviewing IHS security procedures.
Combined Regulation Text Explanation
The Combined Regulation Text is an HHS OCR-compiled, single-document version of the HIPAA rules. It brings together relevant sections of 45 CFR Parts 160-164 so you can read the Privacy, Security, Breach Notification, and Enforcement provisions without switching among multiple pages.
What the compilation covers
- Privacy Rule: Part 160 (general provisions) and Part 164, Subpart E (uses and disclosures, individual rights, minimum necessary).
- Security Rule: Part 164, Subpart C (administrative, physical, and technical safeguards, plus documentation).
- Breach Notification Rule: Part 164, Subpart D (definitions, risk assessment, and notification duties).
- Enforcement Rule: Part 160, Subparts C–E (investigations, civil money penalties, and hearing procedures).
- Key definitions and preemption provisions from Part 160 to interpret the rules consistently.
Tips for using the compilation
- Navigate by citation (for example, jump to 45 CFR 164.502 for permitted uses and disclosures).
- Use it to confirm cross-references between subparts before pulling the codified text in the eCFR.
- Check the update notes and then verify the current codified language in the eCFR when needed.
Accessing Privacy and Security Rules
If you know the core citations, you can go straight to the HIPAA Privacy Rule and HIPAA Security Rule. Both sit within 45 CFR Parts 160-164, and each rule has predictable section numbers that speed up searching and bookmarking.
HIPAA Privacy Rule (45 CFR Parts 160 and 164 Subpart E)
- General rules and permitted uses/disclosures: 164.502.
- Specific permissions (public health, law enforcement, etc.): 164.512.
- Minimum necessary standard: 164.502(b) and related guidance.
- Notices of Privacy Practices: 164.520.
- Individual rights—access, amendment, accounting: 164.524, 164.526, 164.528.
- De-identification and limited data sets: 164.514.
HIPAA Security Rule (45 CFR Parts 160 and 164 Subpart C)
- General requirements and flexibility of approach: 164.306.
- Administrative safeguards (risk analysis, BAAs, workforce training): 164.308.
- Physical safeguards (facility, device, and media controls): 164.310.
- Technical safeguards (access, integrity, transmission security): 164.312.
- Policies, procedures, and documentation: 164.316.
Understanding Enforcement and Breach Notification
The Enforcement Rule explains how HHS OCR investigates complaints, conducts compliance reviews, and applies civil money penalties when necessary. The Breach Notification Rule sets out when and how you must notify individuals, HHS, and in certain cases the media after a breach of unsecured protected health information.
Enforcement Rule (45 CFR Part 160, Subparts C–E)
- Complaint handling, compliance reviews, and information gathering.
- Violation categories and civil money penalty processes.
- Administrative hearings and appeals procedures.
Breach Notification Rule (45 CFR Part 164, Subpart D)
- Definitions of “breach” and “unsecured PHI,” plus the risk assessment factors.
- Notification content and recipients (individuals, HHS, and sometimes media).
- Timelines that require notice without unreasonable delay and within set outer limits.
Navigating Official HIPAA Websites
Use a citation-first approach and the agencies’ built-in navigation to get reliable, current text. This method keeps you in official sources and minimizes guesswork.
Step-by-step navigation
- Start at HHS OCR and open the HIPAA section; look for “Combined Regulation Text” and “HIPAA for Professionals.”
- Search the eCFR for Title 45 and jump directly to Part 160, Part 162, or Part 164 by number.
- For Administrative Simplification and Identifier Standards, open CMS materials labeled “Administrative Simplification,” “Transactions and Code Sets,” or “NPI.”
- For IHS-specific standards, search the IHS site for “HIPAA” under “Policy & Guidance” or “Manuals.”
- Confirm you are viewing the most recent codified language by checking revision notes and cross-referencing the citation (for example, 45 CFR 164.312).
Conclusion
To find HIPAA regulations fast, rely on HHS OCR for the Privacy, Security, Breach Notification, and Enforcement Rules; use CMS for Administrative Simplification and Identifier Standards; and consult IHS for operational standards in tribal and federal programs. Navigating by 45 CFR Parts 160-164 will take you straight to the authoritative text every time.
FAQs
Where can I access the official HIPAA Privacy Rule?
Look to 45 CFR Part 160 and Part 164, Subpart E. You can read it via the eCFR and also within HHS OCR’s Combined Regulation Text, which compiles the HIPAA rules for convenient reference.
How do the CMS regulations relate to HIPAA?
CMS administers HIPAA Administrative Simplification, including standard transactions, code sets, operating rules, and Identifier Standards under 45 CFR Part 162. These requirements work alongside OCR’s Privacy, Security, Breach Notification, and Enforcement Rules.
What is included in the combined HIPAA regulation text?
It compiles the HIPAA Privacy Rule, HIPAA Security Rule, Breach Notification Rule, and Enforcement Rule—plus key definitions and cross-references from 45 CFR Parts 160-164—into one searchable document for ease of use.
Where can I find guidance on HIPAA Security Standards?
Use HHS OCR’s “HIPAA for Professionals” resources and read the Security Rule at 45 CFR Part 164, Subpart C, especially 164.306, 164.308, 164.310, 164.312, and 164.316 for the core safeguard requirements and documentation duties.