
    HIPAA Statutes, Regulations & Guidance

    The HIPAA privacy regulations are administered by the Office for Civil Rights of the U.S. Department of Health and Human Services. The security regulations are administered by the U.S. Department of Health and Human Services.

    INDEX
    The Statutes
    Final Regulations
    Proposed Regulations
    Enforcement
    Guidance and Interpretation
    Articles by the Bricker & Eckler Health Law Lawyers


    The Statutes

    The Health Insurance Portability and Accountability Act of 1996
    Summary of the privacy provisions

    The HITECH Act of 2009
    Includes the conference committee report on the HIPAA provisions and the full text of the legislative changes


    Final Regulations

    The HIPAA Regulations Section-By-Section
    Index to and text of the privacy and security regulations by section with commentary from the Federal Register. Updated to include all additions and amendments through January 2013.

    Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules
    Omnibus final regulations published in the January 25, 2013 Federal Register.

    Analysis of Final HIPAA Omnibus Rule: Notice of Privacy Practices
    February 2013
    Eighth and last in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

    Analysis of Final HIPAA Omnibus Rule: Research, GINA, Hybrid Entities and Other Miscellaneous Provisions
    February 2013
    Seventh in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

    Analysis of Final HIPAA Omnibus Rule: Enforcement Provisions
    February 2013
    Sixth in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

    Analysis of the Final HIPAA Omnibus Rule: Individual Rights Regarding Restrictions and Access
    February 2013
    Fifth in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

    Analysis of Final HIPAA Omnibus Rule: Business Associates and Business Associate Agreements
    February 2013
    Fourth in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

    Analysis of the Final HIPAA Omnibus Rule: Changes to Marketing, Sale of PHI and Fundraising Requirements
    January 2013
    Third in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

    Once More Into the Breach: Major Changes to the HIPAA Breach Notification Requirements
    January 2013
    Bulletin on the significant changes to the breach notification rule in the January 2013 HIPAA amendments.

    What You Will and Won’t Find in the Final Omnibus HIPAA Rule
    January 2013
    Bulletin on the newly released omnibus HIPAA privacy, security and breach regulations.

    CLIA: Patients’ Access to Test Reports
    Final rule published in the February 6, 2014 Federal Register to amend the Privacy Rule to provide individuals the right to receive their test reports directly from laboratories by removing the exceptions for CLIA-certified laboratories and CLIA-exempt laboratories from the provision that provides individuals with the right of access to their protected health information.

    Enforcement Regulations
    Interim final rule on the HIPAA enforcement regulations to provide for the increased penalties based on the four tiers of culpability, published by HHS on October 30, 2009.

    Complete Text of the Breach Notification for Unsecured Protected Health Information Regulations
    Interim final rules from HHS published in the Federal Register on August 24, 2009.

    Complete Text of the HIPAA Privacy Regulations
    This full text version from the HHS Office of Civil Rights includes the complete text of the regulation, including the August 2002 revisions. Note that these regulations DO NOT include changes made in the HITECH Act of 2009.

    HIPAA Security Regulations
    Full text of the security regulations published February 20, 2003. Note that these regulations DO NOT include changes made in the HITECH Act of 2009.

    Summary of the Security Rule
    Section-by-section summaries from HHS; includes the changes made in the HITECH Act of 2009.



    Pending Proposed Regulations

    Proposed Rulemaking

    Confidentiality of Substance Use Disorder (SUD) Patient Records

    The Department of Health and Human Services (HHS or "the Department") is issuing this notice of proposed rulemaking (NPRM) to solicit public comment on its proposal to modify its regulations to implement section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

    Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement

    The United States Department of Health and Human Services (HHS or "the Department") is issuing this Notice of Proposed Rulemaking (NPRM) to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications address standards that may impede the transition to value-based health care by limiting or discouraging care coordination and case management communications among individuals and covered entities (including hospitals, physicians, and other health care providers, payors, and insurers) or posing other unnecessary burdens. The proposals in this NPRM address these burdens while continuing to protect the privacy and security of individuals' protected health information.


    Enforcement

    HHS Enforcement Data
    Includes enforcement results by state and by year, annual number of complaints and top complaint issues

    Case Examples
    HHS Office of Civil Rights examples of how covered entities can effectively comply with the requirements of the privacy rule, with case examples of the corrective actions that OCR obtains from covered entities through enforcement actions.


    Guidance and Interpretation

    Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

    The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) is issuing this Bulletin to highlight the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities and business associates (“regulated entities”) under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies (“tracking technologies”).

    HIPAA and Health Plans – Uses and Disclosures for Care Coordination and Continuity of Care

    This guidance provides answers to FAQs concerning the uses and disclosures of PHI between covered entities for care coordination and continuity of care purposes.

    Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

    This guidance is intended to assist covered entities in understanding what de-identification is, the general process by which de-identified information is created, and the options available for performing de-identification.

    Communicating with a Patient’s Family, Friends, or Others Involved in the Patient’s Care

    This guide explains when a health care provider is allowed to share a patient's health information with the patient's family members, friends, or others identified by the patient as involved in the patient's care under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

    HIPAA and Marriage: Understanding Spouse, Family Member, Marriage, and Personal Representatives in the Privacy Rule

    In light of the Windsor and Obergefell decisions, this guidance makes clear that the terms marriage, spouse, and family member include, respectively, all lawful marriages, lawfully married spouses, and both the lawful spouses and the dependents of all lawful marriages, and clarifies certain rights of individuals under the Privacy Rule. This guidance also updates and expands on related guidance issued in September 2014.

    HIPAA Privacy Rule and Disclosures of Protected Health Information for Extreme Risk Protection Orders

    On June 7, 2021, the United States Department of Justice published model legislation to provide a framework for states to consider as they determine whether and how to implement their own “extreme risk protection order” (ERPO) laws. This guidance addresses the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule for covered health care providers in relation to ERPO laws.

    HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care

    The Privacy Rule permissions for disclosing PHI without an individual’s authorization for purposes not related to health care, such as disclosures to law enforcement officials, are narrowly tailored to protect the individual’s privacy and support their access to health services. This guidance addresses these types of permitted disclosures and their limitations.

    OCR Issues Guidance on HIPAA, COVID-19 Vaccinations, and the Workplace

    HHS Office of Civil Rights issued guidance to respond to employers’ concerns and questions surrounding COVID-19 vaccination requirements for employees.

    Sample Business Associate Contract

    A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.

    FAQ on Right to Access
    HHS Office of Civil Rights released frequently asked questions about HIPAA's right of access related to apps designated by the individual and application programming interfaces (APIs) used by the provider’s electronic health record system. This release was in conjunction with CMS and ONC announcing that they are extending the public comment period by 30 days for two proposed regulations aimed at promoting the interoperability of health information technology and enabling patients to electronically access their health information.

    Guidance on How HIPAA Allows Information Sharing to Address the Opioid Crisis
    October 2017 guidance from the HHS Office for Civil Rights on when and how health care providers can share a patient's health information with his or her family members, friends, and legal personal representatives when that patient may be in crisis and incapacitated, such as during an opioid overdose.

    Guidance on HIPAA & Cloud Computing
    October 2016 guidance to assist covered entities and business associates, including cloud services providers (CSPs), in understanding their HIPAA obligations.

    Patient Safety Work Product and Providers’ External Obligations
    June 2016 guidance providing clarity in response to recurring questions about what information a provider creates or assembles can become patient safety work product.

    Privacy and Security and Workplace Wellness Programs
    April 2015 series of questions and answers on the application of HIPAA to workplace wellness programs.

    Sharing Information Related to Mental Health
    February 2014 guidance from HHS regarding how the HIPAA Privacy Rule operates with respect to protecting and sharing individual information related to mental health. The guidance addresses some of the most frequently asked questions regarding when it is appropriate under the Privacy Rule for a health care provider to share the protected health information of a patient who is being treated for a mental health condition.

    Instructions for Submitting Notice of a Breach to the Secretary
    The U.S. Department of Health and Human Services has added to its website "Instructions for Submitting Notice of a Breach to the Secretary", including instructions and a template notice for when the breach involves more than 500 individuals and for the annual reporting of breaches involving fewer than 500 individuals.

    Frequently Asked Questions About the Disposal of Protected Health Information
    HHS Office of Civil Rights guidance on disposal of PHI.

    Frequently Asked Questions About Family Medical History Information
    HHS Office of Civil Rights guidance on the sharing of family medical information.

    Joint Guidance on the Application of the Family Educational Rights and Privacy Act and HIPAA to Student Health Records

    Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records

    Frequently Asked Questions and Answers
    Guidance from HHS in the form of frequently asked questions and answers released December 3, 2002.

    Business Associate Agreements and Surveys and Accreditation
    March 2003 letter from CMS to state survey agencies regarding business associate agreements and their relationship to state surveys and accreditation.

    Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule
    April 2003 release from U.S. Department of Health and Human Services providing general background information on HIPAA privacy and specific and detailed information on research studies under HIPAA.

    Additional Guidance on Research
    April 2003 letter from the Director of the Office of Civil Rights to Eli Lilly and Company, offering additional guidance on research and the privacy regulations.

    Guidance on Risk Analysis
    A series of guidance documents from HHS' Office of Civil Rights to assist organizations in identifying and implementing the administrative, physical, and technical safeguards required by the HIPAA security rules.

    Telehealth, COVID-19, and HIPAA

    Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency

    OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Under this Notification, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA rules.

    FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency

    OCR published a set of FAQs to support and clarify the Telehealth Notification. The Telehealth Notification will remain in effect until the Secretary of HHS declares that the COVID-19 PHE no longer exists, or upon the expiration date of the declared PHE, whichever occurs first. OCR will issue a notice to the public when it is no longer exercising its enforcement discretion based upon the latest facts and circumstances.

    Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth

    The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) developed this guidance to help covered entities understand how they can use remote communication technologies for audio-only telehealth in compliance with the HIPAA Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth Remote Communications (Telehealth Notification) is no longer in effect.