    HIPAA Statutes, Regulations & Guidance

    The HIPAA privacy regulations are administered by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS). The security regulations, originally administered by the Centers for Medicare & Medicaid Services (CMS), have also been administered by OCR since July 2009.

    INDEX
    The Statutes
    Final Regulations
    Proposed Regulations
    Enforcement
    Guidance and Interpretation
    Articles by the Bricker & Eckler Health Law Lawyers



    The Statutes

    The Health Insurance Portability and Accountability Act of 1996
    Summary of the privacy provisions

    The HITECH Act of 2009
    Includes the conference committee report on the HIPAA provisions and the full text of the legislative changes


    Final Regulations

    The HIPAA Regulations Section-By-Section
    Index to and text of the privacy and security regulations by section with commentary from the Federal Register. Updated to include all additions and amendments through January 2013.

    Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules
    Omnibus final regulations published in the January 25, 2013 Federal Register.

    Analysis of Final HIPAA Omnibus Rule: Notice of Privacy Practices
    February 2013
    Eighth and last in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

    Analysis of Final HIPAA Omnibus Rule: Research, GINA, Hybrid Entities and Other Miscellaneous Provisions
    February 2013
    Seventh in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

    Analysis of Final HIPAA Omnibus Rule: Enforcement Provisions
    February 2013
    Sixth in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

    Analysis of the Final HIPAA Omnibus Rule: Individual Rights Regarding Restrictions and Access
    February 2013
    Fifth in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

    Analysis of Final HIPAA Omnibus Rule: Business Associates and Business Associate Agreements
    February 2013
    Fourth in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

    Analysis of the Final HIPAA Omnibus Rule: Changes to Marketing, Sale of PHI and Fundraising Requirements
    January 2013
    Third in a series of bulletins detailing various provisions of the January 2013 omnibus HIPAA privacy, security and breach regulations.

    Once More Into the Breach: Major Changes to the HIPAA Breach Notification Requirements
    January 2013
    Bulletin on the significant changes to the breach notification rule in the January 2013 HIPAA amendments.

    What You Will and Won’t Find in the Final Omnibus HIPAA Rule
    January 2013
    Bulletin on the newly released omnibus HIPAA privacy, security and breach regulations.

    CLIA: Patients’ Access to Test Reports
    Final rule published in the February 6, 2014 Federal Register amending the Privacy Rule to give individuals the right to receive their test reports directly from laboratories, by removing the exceptions for CLIA-certified laboratories and CLIA-exempt laboratories from the provision that gives individuals the right of access to their protected health information.

    Enforcement Regulations
    Interim final rule on the HIPAA enforcement regulations, published by HHS on October 30, 2009, providing for the increased civil money penalties based on the four tiers of culpability introduced by the HITECH Act.

    Complete Text of the Breach Notification for Unsecured Protected Health Information Regulations
    Interim final rules from HHS published in the Federal Register on August 24, 2009.

    Complete Text of the HIPAA Privacy Regulations
    This full-text version from the HHS Office for Civil Rights includes the complete text of the regulation, including the August 2002 revisions. Note that these regulations DO NOT include changes made by the HITECH Act of 2009 or the January 2013 omnibus rule.

    HIPAA Security Regulations
    Full text of the security regulations published February 20, 2003. Note that these regulations DO NOT include changes made by the HITECH Act of 2009 or the January 2013 omnibus rule.

    Summary of the Security Rule
    Section-by-section summaries from HHS; includes the changes made in the HITECH Act of 2009.



    Pending Proposed Regulations

    Proposed Rulemaking -- In the May 31, 2011 Federal Register, HHS published proposed rules on accounting of disclosures. The proposed rule adopts the HITECH Act's statutory requirement that covered entities and business associates account for disclosures of protected health information in electronic health records made for treatment, payment and health care operations. The rule also proposes a new right for individuals to receive an access report indicating who has accessed their electronic PHI. HHS invited comments on the proposed rule; comments were due by the beginning of August 2011.

    Full Text of the Proposed Rule
    As published in the May 31, 2011 Federal Register

    Proposed Rule Modifies HIPAA's Accounting of Disclosures Requirements
    June 2011
    Bricker & Eckler bulletin on the new proposed rules on accounting and access reports.



    Enforcement

    HHS Enforcement Data
    Includes enforcement results by state and by year, the annual number of complaints received, and the top complaint issues.

    Case Examples
    HHS Office for Civil Rights examples of how covered entities can comply with the requirements of the Privacy Rule, with case examples of the corrective actions that OCR has obtained from covered entities through enforcement actions.


    Guidance and Interpretation

    Sharing Information Related to Mental Health
    February 2014 guidance from HHS on how the HIPAA Privacy Rule operates with respect to protecting and sharing individual information related to mental health. The guidance addresses some of the most frequently asked questions about when it is appropriate under the Privacy Rule for a health care provider to share the protected health information of a patient who is being treated for a mental health condition.

    Instructions for Submitting Notice of a Breach to the Secretary
    The U.S. Department of Health and Human Services has added to its website "Instructions for Submitting Notice of a Breach to the Secretary", including instructions and a template notice for breaches affecting 500 or more individuals and for the annual reporting of breaches affecting fewer than 500 individuals.

    Frequently Asked Questions About the Disposal of Protected Health Information
    HHS Office for Civil Rights guidance on the disposal of PHI.

    Frequently Asked Questions About Family Medical History Information
    HHS Office for Civil Rights guidance on the sharing of family medical history information.

    Joint Guidance on the Application of the Family Educational Rights and Privacy Act and HIPAA To Student Health Records
    November 2008 joint guidance from HHS and the U.S. Department of Education.

    Frequently Asked Questions and Answers
    Guidance from HHS in the form of frequently asked questions and answers released December 3, 2002.

    Business Associate Agreements and Surveys and Accreditation
    March 2003 letter from CMS to state survey agencies regarding business associate agreements and their relationship to state surveys and accreditation.

    Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule
    April 2003 release from the U.S. Department of Health and Human Services providing general background on HIPAA privacy and specific, detailed information on research studies under HIPAA.

    Additional Guidance on Research
    April 2003 letter from the Director of the Office for Civil Rights to Eli Lilly & Company, offering additional guidance on research and the privacy regulations.

    Guidance on Risk Analysis
    A series of guidance documents from the HHS Office for Civil Rights to assist organizations in conducting the risk analysis required by the Security Rule and in identifying and implementing the administrative, physical, and technical safeguards the Security Rule requires.