
HIPAA Statutes, Regulations and Guidance

The HIPAA privacy regulations are administered by the Office For Civil Rights of the U.S. Department of Health and Human Services. The security regulations are administered by the U.S. Department of Health and Human Services.

INDEX
The Statutes
Final Regulations
Proposed Regulations
Enforcement
Guidance and Interpretation


The Statutes

The Health Insurance Portability and Accountability Act of 1996
Relevant Portions

The HITECH Act of 2009
Includes the conference committee report on the HIPAA provisions and the full text of the legislative changes

The Stimulus Bill Amends HIPAA
March 2009
Bricker & Eckler bulletin on the substantive changes to the HIPAA privacy and security laws that will affect health plans, health insurers, long-term care insurers and their business associates.

What is in the Stimulus Bill for Hospitals? Major HIPAA Changes
February 2009
Bricker & Eckler bulletin on the substantive changes to the HIPAA privacy and security laws that will affect hospitals, long-term care facilities, and other health facilities and business associates.


Final Regulations

The HIPAA Regulations Section-By-Section
Index to and text of the privacy and security regulations by section with commentary from the Federal Register. Updated to include all additions and amendments through January 2013.

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules
Omnibus final regulations published in the January 25, 2013 Federal Register.

Analysis of Final HIPAA Omnibus Rule: Notice of Privacy Practices
February 2013
Eighth and last in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

Analysis of Final HIPAA Omnibus Rule: Research, GINA, Hybrid Entities and Other Miscellaneous Provisions
February 2013
Seventh in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

Analysis of Final HIPAA Omnibus Rule: Enforcement Provisions
February 2013
Sixth in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

Analysis of the Final HIPAA Omnibus Rule: Individual Rights Regarding Restrictions and Access
February 2013
Fifth in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

Analysis of Final HIPAA Omnibus Rule: Business Associates and Business Associate Agreements
February 2013
Fourth in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

Analysis of the Final HIPAA Omnibus Rule: Changes to Marketing, Sale of PHI and Fundraising Requirements
January 2013
Third in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

Once More Into the Breach: Major Changes to the HIPAA Breach Notification Requirements
January 2013
Bulletin on the significant changes to the breach notification rule in the January 2013 HIPAA amendments.

What You Will and Won’t Find in the Final Omnibus HIPAA Rule
January 2013
Bulletin on the newly released omnibus HIPAA privacy, security and breach regulations.

CLIA: Patients’ Access to Test Reports
Final rule published in the February 6, 2014 Federal Register to amend the Privacy Rule to provide individuals the right to receive their test reports directly from laboratories by removing the exceptions for CLIA-certified laboratories and CLIA-exempt laboratories from the provision that provides individuals with the right of access to their protected health information.

Enforcement Regulations
Interim final rule on the HIPAA enforcement regulations to provide for the increased penalties based on the four tiers of culpability, published by HHS on October 30, 2009.

Complete Text of the Breach Notification for Unsecured Protected Health Information Regulations
Interim final rules from HHS published in the Federal Register on August 24, 2009.

Complete Text of the HIPAA Privacy Regulations
This full text version from the HHS Office of Civil Rights includes the complete text of the regulation, including the August 2002 revisions. Note that these regulations DO NOT include changes made in the HITECH Act of 2009.

HIPAA Security Regulations
Full text of the security regulations published February 20, 2003. Note that these regulations DO NOT include changes made in the HITECH Act of 2009.

Summary of the Security Rule
Section-by-section summaries from HHS; includes the changes made in the HITECH Act of 2009.


Pending Proposed Regulations

Proposed Rulemaking -- For publication in the May 31, 2011 Federal Register, CMS proposed rules on accounting. The proposed rule adopts the statutory requirement that covered entities and business associates account for disclosures of information in electronic health records made for treatment, payment and health care operations. The rule also proposes to give individuals the right to receive an access report that indicates who has accessed their electronic PHI. CMS invited comments on the proposed rule; comments were due by the end of July.

Full Text of the Proposed Rule
As published in the May 31, 2011 Federal Register

Proposed Rule Modifies HIPAA's Accounting of Disclosures Requirements
June 2011
Bricker & Eckler bulletin on the new proposed rules on accounting and access reports.



Enforcement

HHS Enforcement Data
Includes enforcement results by state and by year, annual number of complaints and top complaint issues

Case Examples and Resolution Agreements
HHS Office of Civil Rights examples of how covered entities can effectively comply with the requirements of the privacy rule, with case examples of the corrective actions that OCR obtains from covered entities through enforcement actions.


Guidance and Interpretation

Sharing Information Related to Mental Health
February 2014 guidance from HHS regarding how the HIPAA Privacy Rule operates with respect to protecting and sharing individual information related to mental health. The guidance addresses some of the most frequently asked questions regarding when it is appropriate under the Privacy Rule for a health care provider to share the protected health information of a patient who is being treated for a mental health condition.

New HIPAA Tools For Mobile Devices
December 2012 HHS HIPAA privacy and security initiative providing practical tips on ways to safeguard protected health information when using mobile devices such as laptops, tablets and smartphones.

Instructions for Submitting Notice of a Breach to the Secretary
The U.S. Department of Health and Human Services has added to its website "Instructions for Submitting Notice of a Breach to the Secretary," including instructions and a template notice for when the breach involves over 500 individuals and the annual reporting for breaches involving fewer than 500 individuals.

Frequently Asked Questions About the Disposal of Protected Health Information
HHS Office of Civil Rights guidance on disposal of PHI.

Frequently Asked Questions About Family Medical History Information
HHS Office of Civil Rights guidance on the sharing of family medical information

Joint Guidance on the Application of the Family Educational Rights and Privacy Act and HIPAA To Student Health Records
November 2008 guidance from HHS and the Department of Education

Frequently Asked Questions and Answers
Guidance from HHS in the form of frequently asked questions and answers released December 3, 2002.

Business Associate Agreements and Surveys and Accreditation
March 2003 letter from CMS to state survey agencies regarding business associate agreements and their relationship to state surveys and accreditation.

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule
April 2003 release from U.S. Department of Health and Human Services providing general background information on HIPAA privacy and specific and detailed information on research studies under HIPAA.

Additional Guidance on Research
April 2003 letter from the Director of the Office of Civil Rights to Eli Lilly & Company, offering additional guidance on research and the privacy regulations.

Guidance on Risk Analysis
A series of guidance documents from HHS' Office of Civil Rights to assist organizations in identifying and implementing the administrative, physical, and technical safeguards required by the HIPAA security rules.

 
