Resources: HIPAA Guidance and Tools 


PLEASE NOTE!  These resources, especially those on HHS Web sites, are subject to change.  Please let us know if you find a broken link, and thanks for your patience.

Guidance from HHS Office for Civil Rights

• The HHS Office for Civil Rights Health Information Privacy site is the place to find answers to many HIPAA questions.  Check the yellow What's New sidebar on the right regularly for new guidance and resources.  The site describes HHS OCR activities in enforcing the Privacy and Security Rules, the results of those activities, and statistics on the types of complaints and the types of entities most often required to take corrective action.  It also includes some guidance for entities that must comply with the HIPAA Privacy and Security Rules.  See: http://www.hhs.gov/ocr/privacy/.  The HIPAA FAQ page is available at http://www.hhs.gov/ocr/privacy/hipaa/faq/  

• OCR has created a handy guide, HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules, that is a nice summary of how HIPAA applies and what is necessary for compliance at a basic level, and also includes a number of very useful links to other guidance.  This is a good way to get a basic understanding of HIPAA and then look at the linked guidance for more.  The document is available at:  http://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf 

• On January 7, 2016, HHS issued new guidance on individuals’ right to access their health information, and has updated it twice since then.  The guidance covers general information and the specifics of proper implementation, and includes an extensive Q&A section providing additional information.  The February 25 update added Q&As regarding fees for providing copies of records.  If you have questions on providing access under HIPAA, look here first.  http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html 

• On February 20, 2014, HHS announced new guidance explaining how the HIPAA Privacy Rule operates to protect individuals' privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients' family members and others to enhance treatment and assure safety.  This important guidance is available at:  http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html  

• Additional information on Sharing Information with Family and Friends of Patients is available at https://www.hhs.gov/hipaa/for-professionals/special-topics/same-sex-marriage/index.html with FAQs available at https://www.hhs.gov/hipaa/for-professionals/faq/2086/does-hipaa-privacy-rule-permit-doctor-discuss-patient-s-health-status.html.  An excellent overview of the topic is available at https://www.hhs.gov/sites/default/files/provider_ffg.pdf 

• On October 27, 2017, HHS announced new guidance on How HIPAA Allows Doctors to Respond to the Opioid Crisis, discussing when and how healthcare providers can share a patient’s health information with his or her family members, friends, and legal personal representatives when that patient may be in crisis and incapacitated, such as during an opioid overdose.  Note: These are allowable disclosures, not required disclosures, and it is important to note that other privacy laws (such as 42 CFR Part 2 regarding drug and alcohol abuse treatment) may also apply.  It would appear that in most real situations, 42 CFR Part 2 would control the release of information, not HIPAA.  HIPAA does not interfere with state laws or medical ethics rules that are more protective of patient privacy.  The guidance is available at:  https://www.hhs.gov/sites/default/files/hipaa-opioid-crisis.pdf  

• HHS also prepared, in 2016, a set of helpful YouTube videos for individuals on patient rights and access to PHI.  See:  http://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html   

• OCR has posted a series of fact sheets for consumers, available in eight languages, about consumer rights under the HIPAA Privacy Rule, on OCR’s website at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers   The fact sheets complement seven videos on OCR’s YouTube channel.  A video on The HIPAA Security Rule has been designed for providers in small practices and offers an overview of how to establish basic safeguards to protect patient information and comply with the Security Rule’s requirements.  The videos are available on the HHS OCR YouTube Channel at http://www.youtube.com/user/USGovHHSOCR

• OCR released in February of 2016 two fact sheets concerning Permitted Uses and Disclosures for the Exchange of Protected Health Information for purposes of Treatment and for purposes of Health Care Operations, in order to clarify HIPAA regulations and help enable permissible uses and disclosures under the rules.  
  • The blog entry announcing the release is at:  https://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/interoperability-electronic-health-and-medical-records/the-real-hipaa-supports-interoperability/  
  • The fact sheet on Exchange for Treatment is at:  https://www.healthit.gov/sites/default/files/exchange_treatment.pdf  
  • The fact sheet on Exchange for Health Care Operations is at:  https://www.healthit.gov/sites/default/files/exchange_health_care_ops.pdf  

• OCR provides modules for health care providers that offer free Continuing Medical Education (CME) credits for physicians and Continuing Education (CE) credits for health care professionals, on compliance with various aspects of the HIPAA Privacy and Security Rules, available at Medscape.org:
  • Protecting Patients’ Rights:  http://www.medscape.org/sites/advances/patients-rights  
  • Patient Privacy: A Guide for Providers:  http://www.medscape.org/viewarticle/781892?src=ocr
  • HIPAA and You: Building a Culture of Compliance:  http://www.medscape.org/viewarticle/762170?src=ocr
  • Examining Compliance with the HIPAA Privacy Rule:  http://www.medscape.org/viewarticle/763251?src=ocr

• HHS OCR and the Office of the National Coordinator for Health IT released a new Fact Sheet on HIPAA and Public Health Permitted Uses and Disclosures on December 20, 2016 that explains how the HIPAA Rules permit disclosures of PHI to support public health activities conducted by public health agencies, as authorized by state or federal law, with some helpful examples. See:    https://www.healthit.gov/sites/default/files/12072016_hipaa_and_public_health_fact_sheet.pdf  

• HHS OCR has released final guidance on performing Risk Analysis at: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf   Also see #6 in the HHS HIPAA Security Series, updated March 2007, on Basics of Risk Analysis and Risk Management, available at:  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf  

• HHS has released a guide: Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices, to assist small practices in updating and keeping current their risk analyses.  See:  http://www.hhs.gov/sites/default/files/small-practice-security-guide-1.pdf  

• The December 2006 HHS Guidance on Remote Access and Use of PHI is still valid and provides excellent information on the considerations of using portable devices and remote access. In general, it points to the HIPAA security practices you should have in place to help you understand the risks and plan for their mitigation.  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf   

• The HHS October 2017 Cybersecurity Newsletter: Mobile Devices and Protected Health Information (PHI) provides a great summary of considerations to include when mobile devices are used with PHI.  See:  https://www.hhs.gov/sites/default/files/october-2017-ocr-cybersecurity-newsletter.pdf  

• HHS OCR has posted FAQs that address the HIPAA Privacy Rule requirements for disposal of protected health information, available at:  http://www.hhs.gov/hipaa/for-professionals/faq/disposal-of-protected-health-information  

• HHS OCR guidance on the Electronic Exchange of Health Information is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/.  Of particular interest is the very helpful Privacy Rule guidance on using e-mail to communicate with patients, on pages 3 and 4 of  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/healthit/safeguards.pdf     

• On May 3, 2016, the HHS OCR issued a Cyber-Awareness Monthly Update regarding the topic, Is Your Business Associate Prepared for a Security Incident?  The guidance indicates that entities should consider:
  • Ensuring that agreements define appropriate uses and disclosures and include requirements to report any other use or disclosure including breaches
  • Including in agreements the timeframe for reporting any incidents
  • Identifying what must be included in any breach or incident reports
  • Ensuring all workforce members are trained and Business Associate privacy and security practices are adequate

Additional details are provided.  The update is available at a number of locations, including:  http://www.inspn.org/wp-content/uploads/2016/05/OCR-CyberAwareness-Monthly-Update.pdf  

Guidance from the Office of the National Coordinator

• The Office of the National Coordinator for Health IT, in collaboration with HHS OCR and HHS Office of the General Counsel, released in March, 2014 and updated in September, 2016 a Risk Assessment tool for small and medium sized organizations that assists in the collection and analysis of data, and comes in iPad and Windows 7 versions.  In many ways, the tool is an evolution of the NIST HIPAA Security Rule Toolkit released in 2011.  It doesn’t make the work any easier, but it makes organizing the information and producing reports a little easier if you’re new to Risk Analysis.  Used well, it could help; used poorly, it could provide a false sense of security.   The Tool, the user guide, and related videos are all available at:  http://www.healthit.gov/providers-professionals/security-risk-assessment    

• HHS CMS, under the auspices of the EHR Incentive Program, has released a number of useful tools relating to Risk Analysis and the Privacy and Security Objective for Meaningful Use.  

 - FAQ published October 6, 2014: https://questions.cms.gov/faq.php?faqId=10754  
 - Security Risk Analysis Tipsheet including an overview of the HIPAA Security Rule Risk Analysis requirement, a table of risk and  safeguard examples, and a table of Myths vs. Facts about Security Risk Analysis:  http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/SecurityRiskAssessment_FactSheet_Updated20131122.pdf 
 - Guide to CMS EHR Incentive Program educational resources:  http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/EducationalMaterials.html  

• In April 2015, the Office of the National Coordinator for Health Information Technology released version 2 of its Guide to Privacy and Security of Electronic Health Information, providing a concise summary of the processes and requirements involved in assuring adequate privacy and security of electronic Protected Health Information.  The guide is available at:  http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf  and Chapter 6, a Sample Seven Step Approach for Implementing a Security Management Process, is available separately at:  http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide-chapter-6.pdf   

• The Office of the National Coordinator for Health IT released a 47-page 10-step plan for protecting the privacy and security of health data, developed in conjunction with the American Health Information Management Association.  Any entity that wishes to attest to the meaningful use of their EHR so that they can receive Federal funding should be sure they've covered these bases.  The list of steps itself echoes many of the same themes we've been espousing for years, but makes it clear that if you want to attest to meaningful use, you need to take privacy and security seriously.  The guide is available at: http://www.healthit.gov/providers-professionals/ehr-privacy-security/10-step-plan  (Last updated January 19, 2013)

• The Office of the National Coordinator for Health Information Technology has released Cybersecure: Your Medical Practice, a game developed to teach good basic privacy and security principles for health care offices, by requiring users to respond to privacy and security challenges.  Users choosing the right response earn points and see their virtual medical practices flourish, and vice versa.  The game is available at no cost at:  http://www.healthit.gov/providers-professionals/privacy-security-training-games  and additional resources from ONC are available at  http://www.healthit.gov/providers-professionals/ehr-privacy-security  

• On July 11, 2017, the HHS Office of the National Coordinator for Health IT released a report on patient experiences in the access of medical records, and it’s a pretty sorry looking picture, frankly.  In the examples shown, there is a remarkable lack of understanding of basic HIPAA Access requirements by the involved providers.  The report shows the alarming, life threatening hurdles in the process and offers some ideas about what must be done, and NOW.  See the announcement at:  https://www.healthit.gov/buzz-blog/consumer/understanding-patient-experience-improve-patient-access-medical-records/  and the report at:  https://www.healthit.gov/sites/default/files/onc_records-request-research-report_2017-06-01.pdf  

Ransomware Guidance

• On July 11, 2016, the HHS Office for Civil Rights released Fact Sheet: Ransomware and HIPAA, providing guidance to health care entities about what ransomware is and how good HIPAA compliance helps you deal with it, and indicates that a ransomware attack should be considered a breach, because control of the PHI has been compromised.  The fact sheet is available at:  http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf  

• In June, 2016, HHS issued guidance on the protection of healthcare organizations from Ransomware attacks.  The guidance explains what Ransomware is, how to protect your networks from it, and how to respond to it.  An article on the guidance is available in Becker’s Hospital Review, at  http://www.beckershospitalreview.com/healthcare-information-technology/hhs-issues-ransomware-guidance-to-healthcare-organizations.html  and the guidance is available at  http://www.aha.org/content/16/160620cybersecransomware.pdf  

• On May 26, 2017, Healthcare Informatics reported that the ECRI Institute has released a new guidance article, Ransomware Attacks: How to Protect Your Medical Device Systems, with recommendations to help hospitals identify and protect against ransomware attacks.  The report provides recommendations for adapting general cybersecurity principles to the particular requirements of medical device systems, including a list of immediate do's and don'ts for quickly responding to emerging threats.  The Healthcare Informatics article is available at:  https://www.healthcare-informatics.com/news-item/cybersecurity/ecri-institute-publishes-guidance-protecting-medical-devices-ransomware  and the ECRI guidance, published May 18, 2017, is available at:  https://www.ecri.org/components/HDJournal/Pages/Ransomware-Attacks-How-to-Protect-Your-Systems.aspx  

HIPAA Audit and Enforcement Questions

• On July 27, 2016, the HHS Office for Civil Rights provided new HIPAA Audit Guidance & FAQ.  Covered entities received notification of their selection as the subjects of an Office for Civil Rights (OCR) desk audit of compliance with the HIPAA Security, Privacy and Breach Notification Rules on July 11, and were invited to participate in a webinar held on Wednesday, July 13, where OCR staff walked through the processes for the audit and expectations for their participation.  To respond to questions, OCR developed three targeted guidance documents, available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.  
  • One is a comprehensive question and answer listing.  
  • The second puts the specific audit document submission requests in context with the rule requirements and associated protocol audit inquiries, as well as the related questions asked by selected entities.  The entire protocols are available on the OCR website; for this guidance we extracted from those protocols the specific desk audit provisions, and added the audit inquiries and Q&A.  
  • Finally, OCR has posted the slides used in the webinar.  The guidance should be helpful to audited entities as well as other covered entities and business associates seeking assistance with improving their compliance with these important requirements of the HIPAA Rules.  

• The US Department of Health and Human Services Office for Civil Rights audit protocol for the 2016 round of random HIPAA Privacy, Security, and Breach Notification compliance audits is available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html   The 2016 protocol has 180 questions, most with several sub-questions, and is very difficult to use in the format provided.  It is best to copy the information into a word processor or spreadsheet document, correct the formatting, and then use it as a compliance management tool.  Complete information on the 2016 Audit program is at  http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html 

• A list of Questions Used in Random HIPAA Privacy and Security Audits of Q1 2012 has been released by The Malvern Group's Sue Miller, who has published a briefing with a list of information requests submitted to one of the audited covered entities.  The two-page list covers the basics – make sure you have policies and procedures and can show you've been using them.  For a copy of Sue Miller's briefing including the two-page questionnaire, please see:  OCR_Audit_Document_Request_Brief_20120424_v_2.pdf  

• The extremely useful, two-page 2008 CMS Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews is no longer available on the CMS Web site, as CMS has been replaced by the HHS Office for Civil Rights for HIPAA Security enforcement, but you may download a copy from us.  

• The questions asked by HHS OCR of a small medical practice that suffered a breach because of the theft of a laptop and a server give insight into how much preparation is necessary for HIPAA compliance and to respond to OCR inquiries following a breach.  Be ready to answer at least these questions!  The questions are available at: https://www.infosecisland.com/blogview/13745-HIPAA-HITECH-Breach-by-a-Small-Practice-Actual-Experience.html

• HHS OIG HIPAA Security Rule Compliance Questions – The 42 questions asked of Piedmont Hospital in Atlanta, GA by the Office of the Inspector General of the Department of Health and Human Services, as reported in Computerworld at http://www.computerworld.com/article/2541971/security0/hipaa-audit--the-42-questions-hhs-might-ask.html  or  http://tinyurl.com/meupq8t  

HIPAA Breach Notification Guidance

• The HHS overview page on HIPAA Breach Notification clearly lays out the requirements and includes links to other essential pages, such as guidance on securing PHI, forms for reporting breaches, the “wall of shame” of large breaches, and the FTC, for reporting non-HIPAA breaches.  See:  http://www.hhs.gov/hipaa/for-professionals/breach-notification/  

• Breach Notification Guidance from HHS OCR for safe-harbor encryption and destruction of information is at:  http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html   and the original Federal Register entry is available at  http://www.hhs.gov/hipaa/for-professionals/security/guidance/HITECH-act-breach-notification-guidance/index.html  

• The list of healthcare information breaches affecting more than 500 individuals reported to HHS (a.k.a. the "Wall of Shame") was updated in early 2015 and is available at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf   The new format is much easier to read and search, with easy export of the data in multiple formats.  See what happens to others -- make sure it doesn't happen to you!

• A great tool for looking at data breach causes is the Privacy Rights Clearinghouse page with a chronology of data breaches, sortable by breach type, organization type, and year.  If you are looking at risks for breaches, look here to see what happens to others like you -- if they can get hurt, so can you.  See:  http://www.privacyrights.org/data-breach/new  

Templates

• Notice of Privacy Practices Templates including the HIPAA Omnibus changes of 2013, in four formats tested for consumer usability, for both providers and health plans, in both English and Spanish, are provided by the HHS Office for Civil Rights at:  http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html  

• Sample language for HIPAA Business Associate Agreements meeting the requirements of the final HITECH Amendments to HIPAA is available from HHS at:  http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html  It is important to note that this language only identifies the required elements; any legal agreement should be reviewed by your attorney.

• The Office of the National Coordinator for Health Information Technology released on June 25, 2013 a guide, EHR Contracts: Key Contract Terms for Users to Understand that provides insights into key clauses in contracts that must be properly considered during negotiations for the procurement of Electronic Health Record systems.  It does comment on the impact of standard limitation of liability and exclusion of consequential damages language on HIPAA issues.  See:  http://www.healthit.gov/sites/default/files/ehr_contracting_terms_final_508_compliant.pdf  

• The AMA released in September 2013 updated tools for HIPAA Privacy and Security Compliance, including new sample Notice of Privacy Practices and Business Associate Agreement templates, as well as toolkits and FAQs.  See:  http://www.ama-assn.org/go/hipaa  

• On July 6, 2017, AHIMA released a model form for Patient Requests for Access to their PHI that meets the requirements of the HHS Office of the National Coordinator for Health IT and Office for Civil Rights.  While the form is hospital-centric in some of the details, it can be the basis for forms used by other providers.  Remember: An access request is NOT the same as a release under Authorization, and you should not use the same forms or processes for both.  This form is very simple, as it should be according to HHS guidance.  See the announcement at  http://www.ahima.org/modelform  and download the form at: https://engage.ahima.org/viewdocument/patient-request-model-form  

Guidance on De-identification of Personal Information

• NIST IR 8053, released December 17, 2015, is a report on De-Identification of Personal Information.  The report document summarizes two decades of de-identification research, discusses current practices, and presents opportunities for future research, including discussion of HIPAA methods for de-identification, and the effectiveness of the HIPAA Safe Harbor method.  The report is available at http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf  If you are dealing with any issues of de-identifying PHI, READ THIS REPORT!

• Also, see HHS’s guidance from 2012 on De-identification of PHI, available at:  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf  

Guidance on HIPAA in Emergencies and Disasters

• Fact sheets and decision-making tools from HHS concerning Emergency Preparedness and Disclosures to Public Officials in response to bioterrorism threats or public health emergencies are available at:  http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/decisiontoolintro.html  and  http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures_for_law_enforcement_purposes/397.html  

• On November 10, 2014, the US Department of Health and Human Services (HHS) published new guidance on HIPAA Privacy Rule protections in emergency situations, such as an Ebola outbreak, to ensure that HIPAA-regulated entities are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.  OCR's bulletin on HIPAA Privacy in Emergency Situations may be found at:  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf

• Guidance from HHS on HIPAA in Emergency Situations: Preparedness, Planning, and Response can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/index.html

Additional HIPAA Guidance

• On October 21, 2016 HHS announced joint guidance with the Federal Trade Commission (FTC) about how HIPAA and FTC rules interact and relate to consumer health information, reminding those in health care that if they’re not covered under HIPAA, the FTC has a role to play in privacy and security.   If you share health information, it’s not enough to simply consider the HIPAA Privacy Rule.  You also must make sure your disclosure statements are not deceptive under the FTC Act.  The guidance is at  https://www.ftc.gov/tips-advice/business-center/guidance/sharing-consumer-health-information-look-hipaa-ftc-act  

• In July, 2016, HHS OCR posted FAQ on HIPAA and Unique Device Identifiers (UDI), which clarifies that the device identifier (DI) portion of a UDI can be part of a limited or de-identified data set as defined under HIPAA.  While the HIPAA Privacy Rule prohibits the inclusion of “device identifiers and serial numbers” in both limited data sets and data sets that are de-identified in accordance with the “de-identification safe harbor” provisions, the guidance explains that the DI portion of the UDI is not the type of “device identifier” to which these HIPAA Privacy Rule provisions refer.  See:  http://www.hhs.gov/hipaa/for-professionals/faq/2071/can-device-identifier-di-portion-unique-device-identifier-udi-be-part-limited-or-de-identified

• In February, 2016 the HHS Office for Civil Rights announced new guidance on the application of HIPAA rules to App Developers, and describes the typical circumstances when one may or may not be considered a HIPAA Business Associate.  The guidance is available at:  http://hipaaqsportal.hhs.gov/community-library/accounts/92/925889/OCR-health-app-developer-scenarios-2-2016.pdf  

• In March, 2016, the HHS Office for Civil Rights announced new guidance on HIPAA and Workplace Wellness Programs, and describes the typical activities and circumstances that may or may not determine whether a Workplace Wellness Program is covered under HIPAA or not.  A blog announcement and summary by the head of HHS OCR is available at:  http://www.hhs.gov/blog/2016/03/14/how-hipaa-applies-certain-workplace-wellness-programs.html  The guidance is available at:  http://www.hhs.gov/hipaa/for-professionals/privacy/workplace-wellness/  

• The Federal Trade Commission has a great guide published in January of 2011: Medical Identity Theft — FAQs for Health Care Providers and Health Plans that covers a lot of access questions in the event of identity theft.  One major point: If an individual’s records get contaminated with information of an identity thief, the individual has a right to see all of their record, including an identity thief’s information, in order to have it corrected.  See:  https://www.ftc.gov/system/files/documents/plain-language/bus75-medical-identity-theft-faq-health-care-health-plan.pdf  

• For those working in Long Term Care and Assisted Living facilities, the American Health Care Association and the National Center for Assisted Living have created a HIPAA Privacy Reference Manual that is available for sale for a reasonable fee.  These tools are tailored to this kind of entity and should be a great starting point for many organizations of this type.  The AHCA-NCAL HIPAA Privacy Reference Manual is available at:  http://www.ahcapublications.org/ProductDetails.asp?ProductCode=8282A  

• HHS OCR has made HIPAA Enforcement training materials designed for State Attorneys General and their staffs available on the OCR Web site.  The materials consist of links to videos ranging from 10 to 109 minutes as well as a giant 417 MB ZIP file of training modules you can download.  The materials are designed for the State AGs, but are useful for anyone looking for a solid set of training materials designed for the enforcer's viewpoint, especially internal auditors.  See:  http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/state-attorneys-general/    

• Healthcare IT News published on September 30, 2011 an article with a good list of the 6 best ways to protect against health data breaches, available here:  http://www.healthcareitnews.com/news/6-best-ways-protect-against-health-data-breaches  

• The AMA has issued a very useful set of frequently asked questions about encryption of PHI including descriptions of how encryption works and links to useful resources.  I don't necessarily agree with all of their conclusions, but you won't go wrong in following their recommendations.  The guidance is available at:   http://www.ama-assn.org/ama1/pub/upload/mm/368/hipaa-phi-encryption.pdf

• HHS and the U.S. Department of Education provide joint guidance on the application of HIPAA and FERPA to student health records, available at:  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf 

• The CMS Medicare Business Partners Systems Security Manual is to be used by CMS's business associates, but it is also a useful guide for HIPAA business associates of all kinds.  The August 17, 2009 version (published July 17, 2009) is available at: http://www.cms.hhs.gov/transmittals/downloads/R10SS.pdf

• The HIPAA Collaborative of Wisconsin (HIPAA COW) provides a number of useful training, business associate agreement, and breach notification resources on their web site at: http://www.hipaacow.org

• NYS Office for Technology – New York State HIPAA Security Matrix – this document appears to be no longer available elsewhere on the Web, so I have published it here in both .doc and .pdf formats. 

• American Mental Health Alliance has an informative page discussing the issues surrounding Psychotherapy Notes under the HIPAA Privacy Rule, available at:  http://membership.americanmentalhealth.com/index.tpl?page=3234983890680447&target=contFrame   or http://tinyurl.com/6bg672

• The Vermont Medical Society has published a useful, extensive page on questions pertaining to Consent, Privacy, and Medical Records.  The page, written by Anne Cramer of Primmer, Piper, Eggleston & Cramer, P.C., includes a discussion covering both HIPAA and Vermont considerations, as well as minors, substance abuse, and mental health considerations.  Even if you are not practicing in Vermont, it is interesting to see how the laws intersect and where VT law or 42 CFR Part 2 prevails over HIPAA; this page can be very useful for people from any state.  See:  http://www.vtmd.org/consent-privacy-and-medical-records  



              Copyright © 2002-2017 Lewis Creek Systems, LLC  Charlotte, Vermont, USA