StacksVerified U.S. regulatory reference

45 CFR §164.500

Verified against eCFR.gov as of June 20, 2026View official text on eCFR.gov
  1. (a)Except as otherwise provided herein, the standards, requirements, and implementation specifications of this subpart apply to covered entities with respect to protected health information.
  2. (b)Health care clearinghouses must comply with the standards, requirements, and implementation specifications as follows:
    1. (1)When a health care clearinghouse creates or receives protected health information as a business associate of another covered entity, the clearinghouse must comply with:
      1. (i)Section 164.500 relating to applicability;
      2. (ii)Section 164.501 relating to definitions;
      3. (iii)Section 164.502 relating to uses and disclosures of protected health information, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;
      4. (iv)Section 164.504 relating to the organizational requirements for covered entities;
      5. (v)Section 164.512 relating to uses and disclosures for which individual authorization or an opportunity to agree or object is not required, except that a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information;
      6. (vi)Section 164.532 relating to transition requirements; and
      7. (vii)Section 164.534 relating to compliance dates for initial implementation of the privacy standards.
    2. (2)When a health care clearinghouse creates or receives protected health information other than as a business associate of a covered entity, the clearinghouse must comply with all of the standards, requirements, and implementation specifications of this subpart.
  3. (c)Where provided, the standards, requirements, and implementation specifications adopted under this subpart apply to a business associate with respect to the protected health information of a covered entity.
  4. (d)The standards, requirements, and implementation specifications of this subpart do not apply to the Department of Defense or to any other federal agency, or non-governmental organization acting on its behalf, when providing health care to overseas foreign national beneficiaries.