Resources: Regulations, Standards, and Laws

Click to return to the main Resources page

HIPAA Guidance and Tools

Guidance from NIST

Document Retention Guidelines

Information Security Guidance

HIPAA Laws and Regulations

• The HIPAA Privacy, Security, Breach Notification, and Enforcement Rules are available from HHS Office for Civil Rights in a combined form including integrated amendments through the January 25, 2013 Omnibus Update (including the HITECH amendments and the Genetic Information Nondisclosure Act), at: http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/index.html 

• On January 6, 2016, a new rule was published in the Federal Register to modify HIPAA §164.512, adding a new section (k)(7) to allow use or disclosure of PHI for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm.  Disclosures may include only the limited demographic and certain other information needed for purposes of reporting to the NICS, and may not include diagnostic or clinical information.  The new rule is available at:  https://www.federalregister.gov/articles/2016/01/06/2015-33181/health-insurance-portability-and-accountability-act-hipaa-privacy-rule-and-the-national-instant  This change to HIPAA has been made since the publication of the OCR combined rule identified above.

• The amendments to CLIA and HIPAA, effective April 7, 2014, allow patients to access their laboratory test results directly from the laboratory.  The HIPAA change consists of removing the exception to access, at 45 CFR 164.524(a)(1), section (iii), and making minor modifications to (i) and (ii) to accommodate the removal of (iii).  The final rule is available at:  http://www.gpo.gov/fdsys/pkg/FR-2014-02-06/pdf/2014-02280.pdf  This change to HIPAA has been made since the publication of the OCR combined rule identified in the item above.

ARRA, HITECH, Meaningful Use, and the Omnibus Update

• The Final HITECH Amendments to HIPAA including the Breach Notification Rule and Enforcement Rule, published January 25, 2013, are available at:  https://www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the and the PDF version of the rule in the Federal Register is at:   http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf    

• The Technical Corrections to the Omnibus HIPAA update, published June 7, 2013, are at: http://www.gpo.gov/fdsys/pkg/FR-2013-06-07/pdf/2013-13472.pdf  These corrections, in combination with the January 25 Omnibus Update are the current complete resource for the HIPAA regulations in affect as of March 26, 2013 and enforceable September 23, 2013, as of June 7, 2013.

• The American Recovery and Reinvestment Act of 2009, including Title XIII on Health Information Technology, with major HIPAA changes, is available at  http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.pdf  or http://www.opencongress.org/bill/111-h1/text .  

See sections in the 13400s, starting on page 144 of the bill, for the HIPAA-related requirements, some in effect upon signing, February 17, 2009.

• The HITECH Act within ARRA is available separately from HHS at:  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf   

• The final regulations on Meaningful Use and Standards/Certification Criteria for EHR incentives were published in the Federal Register July 28, 2010. 
 - The Meaningful Use Rule (14MB file) is available at:   http://edocket.access.gpo.gov/2010/pdf/2010-17207.pdf   
 - Standards/Certification Criteria (400K file) for EHR Technology (45 CFR Part 170) are available at:   http://edocket.access.gpo.gov/2010/pdf/2010-17210.pdf   See especially § 170.302 (o) through (w), on page 44652, for the areas that would be subject to a Security Risk Analysis, such as that required for Meaningful Use and HIPAA Security Rule requirements.
 - CMS has set up a useful site on the EHR Incentive Programs, available at:   http://www.cms.gov/EHRIncentiveprograms/.   

• The Genetic Information Nondiscrimination Act (GINA) requires the release of rules pertaining to prohibition of the use of genetic information for employment or insurance underwriting purposes under several regulatory agencies.  See the HHS OCR final rule, incorporated in the 2013 Omnibus Update, as well as companion rules from EEOC and DOL/CMS/Treasury and the source legislation on the OCR site at  http://www.hhs.gov/hipaa/for-professionals/special-topics/genetic-information/index.html  The Department of Labor fact sheet including a good overview is available at:  http://www.dol.gov/ebsa/newsroom/fsGINA.html#  

HIPAA Audit Protocol

• The US Department of Health and Human Services Office for Civil Rights audit protocol for the 2016 round of random HIPAA Privacy, Security, and Breach Notification compliance audits is available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html   The 2016 protocol has 180 questions, most with several sub-questions, and is very difficult to use in the format provided.  It is best to copy the information into a word processor or spreadsheet document, correct the formatting, and then use it as a compliance management tool.  Complete information on the 2016 Audit program is at  http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html 

HIPAA Breach Notification

• Breach Notification Guidance from HHS OCR for safe-harbor encryption and destruction of information is at:  http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html   and the original Federal Register entry is available at  http://www.hhs.gov/hipaa/for-professionals/security/guidance/HITECH-act-breach-notification-guidance/index.html  

• HHS Office of Civil Rights HIPAA Breach Notification Rule information and electronic reporting forms for all breaches are at:  http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html   

• To report a breach of protected health information to HHS, go to:  http://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html     

• HHS OCR has published a HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework relating the NIST framework and its security controls to each safeguard identified in the HIPAA Security Rule.  The HHS Web page on the topic is at:  http://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/  and the crosswalk is available at:  http://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf  

• On July 28, 2016, the US Department of Homeland Security released Cyber Incident Reporting:  A Unified Message for Reporting to the Federal Government, providing guidance on to which Federal agencies and departments certain Cyber Incidents should be reported.  Best to pay attention to this, if you suffer some kind of Cyber Incident!  The DHS page hosting the guidance is at:  https://www.dhs.gov/publication/cyber-incident-reporting-unified-message-reporting-federal-government  and the guidance document is available at:  https://www.dhs.gov/sites/default/files/publications/Cyber%20Incident%20Reporting%20United%20Message.pdf  

State and International Breach Notification

• An excellent reference point for the various State Data Security Breach Laws is the National Conference of State Legislatures via their Web page at:  http://www.ncsl.org/issues-research/telecom/overview-security-breaches.aspx  NCSL also provides a list of State Identity Theft Laws via their Web page dedicated to that topic at:  http://www.ncsl.org/issues-research/banking/identity-theft-state-statutes.aspx  

• An interactive map of data breach notification laws as of July 28, 2008, with highlights of each state's laws such as timeframes, penalties, exemptions, and private rights to action, is provided by CSO magazine's web site at:  http://www.csoonline.com/read/020108/ammap/ammap.html  

• The International Security Breach Notification Survey, prepared by Foley & Lardner LLP and Eversheds LLP in November 2009, is a comprehensive guide to state, national, and international security breach notification laws, useful as a guide to any business that may suffer a breach of information security.  The report is available at: http://www.mekabay.com/infosecmgmt/security_breach_laws.pdf  

The European Union General Data Protection Regulation

The new European Union General Data Protection Regulation goes into effect May 25, 2018, and it requires the protection of the identifiable personal information of any EU subject no matter where that information may be, even in the US.  The GDPR is far from trivial, and could be expected to become the de facto international standard for protection merely because of its widespread applicability.  If you serve any patients or customers who reside in the EU, you need to be aware of this.  

• See great overview articles at http://www.bio-itworld.com/2017/10/10/what-the-eu-general-data-protection-regulation-means-for-you.aspx and http://www.healthcareitnews.com/news/europes-gdpr-privacy-law-coming-heres-what-us-health-orgs-need-know and the EU GDPR Web page at https://www.eugdpr.org   

Substance Use Disorder Information under 42 CFR Part 2

Below are several resources to help with organizations that deal with addiction and substance use disorders, about those regulations, how they work, and how they are changing today.

• Substance Abuse and Mental Health Administration (SAMHSA) and 24 CFR Part 2 overview:  https://www.samhsa.gov/health-information-technology/laws-regulations-guidelines  

• SAMHSA FAQs updated May 1, 2018:  https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs 
  — with links to new fact sheets as of May 1, 2018, Disclosure of Substance Use Disorder Patient Records: Does Part 2 Apply to Me? (available at https://www.samhsa.gov/sites/default/files/does-part2-apply.pdf) and Disclosure of Substance Use Disorder Patient Records: How Do I Exchange Part 2 Data? (https://www.samhsa.gov/sites/default/files/how-do-i-exchange-part2.pdf)

• The 2017 version of 42 CFR Part 2, effective March 21, 2017:  https://federalregister.gov/d/2017-00719.pdf  

American Society of Addiction Medicine articles, information, and several valuable resources regarding confidentiality and substance use disorders at:  https://www.asam.org/advocacy/issues/confidentiality-(42-cfr-part-2)  

American Psychiatric Association article on the 2017 version of 42 CFR Part 2:  https://www.psychiatry.org/psychiatrists/practice/practice-management/hipaa/42-cfr-part-2    

• From the APA article above, how the 2017 version of 42 CFR Part 2 compares to the old, pre-2017 version, and to HIPAA:  https://www.psychiatry.org/File%20Library/Psychiatrists/Practice/Practice-Management/42-CFR-Part-Standards-Comparison.pdf

Announcement of the 2018 Final Rule for 42 CFR Part 2, effective Feb. 2, 2018:  https://www.samhsa.gov/newsroom/press-announcements/201801021100  

• Link to the 2018 Final Rule for 42 CFR Part 2: https://www.federalregister.gov/documents/2018/01/03/2017-28400/confidentiality-of-substance-use-disorder-patient-records

Legal Action Center page on the 2018 Final Rule changes from 2017, at:  https://lac.org/samhsa-revises-42-cfr-part-2-new-final-rule-confidentiality-substance-use-disorder-treatment-information/  

• HHS page with multiple fact sheets, resources, and FAQ pages on HIPAA and Information Related to Mental and Behavioral Health, including Opioid Overdose, at:  https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html  

• HHS Additional FAQs on Sharing Information Related to Treatment for Mental Health or Substance Use Disorder—Including Opioid Abuse    https://www.hhs.gov/sites/default/files/new-faqs-on-sharing-information.pdf 

• Old news: On February 5, 2016, the US Department of Health and Human Services announced new proposed regulations for Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR Part 2. The goal of the proposed changes is to facilitate information exchange within new health care models while addressing the legitimate privacy concerns of patients seeking treatment for a substance use disorder.  The press release is available at:  http://www.hhs.gov/about/news/2016/02/05/hhs-proposes-changes-to-rules-governing-confidentiality-substance-use-disorder-records.html  
The Proposed rules published in the Federal Register February 9, 2016 are at:  
https://www.federalregister.gov/articles/2016/02/09/2016-01841/confidentiality-of-substance-use-disorder-patient-records

PCI Data Security Standard

• The PCI Data Security Standard for payment card information is available at: https://www.pcisecuritystandards.org/security_standards/index.php  and a PCI Quick Reference Guide, including an overview and compliance information is at:  https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf  

• The PCI Self-Assessment Questionnaire and numerous other documents, guides, and templates useful to PCI DSS compliance are available at: https://www.pcisecuritystandards.org/security_standards/documents.php    

Electronic Discovery and Identity Theft Red Flags

• The Federal Rules of Civil Procedure for Electronic Discovery are available at: http://www.uscourts.gov/rules/EDiscovery_w_Notes.pdf

• The Federal Register publication of the Identity Theft Red Flags Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule (effective January 1, 2008, enforceable January 1, 2011, a.k.a. the Red Flags Rule) is available at:  http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf.  The Red Flag Program Clarification Act exempting many professional offices is available at:  http://www.gpo.gov/fdsys/pkg/BILLS-111s3987enr/pdf/BILLS-111s3987enr.pdf.  The Federal Trade Commission's Web site on the Red Flags Rule is at: http://www.ftc.gov/redflagsrule.  

State Laws on Information Security

• The current Nevada law requiring encryption of personal information in transit or transmission (except fax-to-fax), Nev. Rev. Stat. § 597.970(1) (2005), is available at:  http://www.leg.state.nv.us/Nrs/NRS-597.html#NRS597Sec970.  NRS 597.970 will be replaced by SB 227, which requires compliance with NIST-FIPS Federal standards, as of January 1, 2010.  SB 227 is available at:  https://www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf.   The Nevada laws apply to all businesses with customers in Nevada.

• The Massachusetts business regulation requiring the security of personal information and encryption of personal information in transmission or on laptops and portable media, effective March 1, 2010, is available at: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf  and the table of contents for General Laws of Massachusetts Chapter 93H - Security Breaches is available at  http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm.  The Massachusetts laws apply to all businesses with customers in Massachusetts.

TCPA, Texting, and Calling to Mobile Phones

The Telephone Consumer Protection Act places limits on calling to telephones and mobile phones for various purposes.  In the July 10, 2015 FCC Declaratory Ruling/Order on TCPA, rules were clarified on several topics including healthcare-related exemptions.  If you plan to call or send messages to mobile phones, there are limits.  Getting consent for healthcare and financial purposes in advance is a great idea.  The order is available at:  https://www.fcc.gov/document/tcpa-omnibus-declaratory-ruling-and-order  and  https://apps.fcc.gov/edocs_public/attachmatch/FCC-15-72A1.pdf for the PDF version.  See pages 68 (starting at paragraph 140) through 72 of the PDF for the details.

Be sure to see  https://www.mrllp.com/blog-FCC-Clarifies-TCPA-Exemptions-for-Health-Care-Calls  for a legal firm’s very useful summary of the order as it relates to healthcare.

A more recent ruling (Latner v. Mt. Sinai Health System, Inc., No. 17-99-cv (2d Cir. Jan. 9, 2018)) indicated that if the Notice of Privacy Practices includes mention of such use, and the individual acknowledges that the NPP has been received, that counts as the necessary consent.  So, to comply with TCPA, make sure your NPP includes the necessary statements about contacting the individual, and make sure the individual acknowledges receipt of the NPP.  There’s an informative March 27, 2018 posting on the Journal of AHIMA Blog pages, available at:  http://journal.ahima.org/2018/03/27/can-texting-get-a-healthcare-provider-in-trouble/  

NOTE! This does not address HIPAA Security Rule requirements for security, so you’ll still need your patients to express a preference to receive any plain text messages that may imply a healthcare connection, depending on the message.  The “everyone should get a flu shot” message sent to all recent patients  in the case cited probably would not count as a breach without consent, but an individualized message with personal details could.  Your mileage may vary.

ACA Section 1557 on Language Access Requirements 

• In 2016, HHS OCR finalized the rule implementing Section 1557 of the Affordable Care Act (ACA) of 2010, the nondiscrimination provision of the ACA that states that individuals cannot be subject to discrimination based on their race, color, national origin, sex, age or disability.  Beginning on October 17, 2016, covered entities will be required to post Notices of Nondiscrimination and Taglines that alert individuals with limited English proficiency (LEP) to the availability of language assistance services.  

• HHS OCR has issued Frequently Asked Questions on the language access requirements under Section 1557.  http://www.hhs.gov/civil-rights/for-individuals/section-1557/1557faqs/top15-languages/index.html  

• HHS OCR has made available a table displaying the top 15 languages spoken by individuals with limited English proficiency (LEP) in each State, the District of Columbia, Puerto Rico and each U.S. Territory based on OCR’s research.  http://www.hhs.gov/sites/default/files/resources-for-covered-entities-top-15-languages-list.pdf  

• HHS OCR’s website has sample documents of a Notice of Nondiscrimination, Statement of Nondiscrimination and Taglines available for download in 64 languages and in two file formats.  http://www.hhs.gov/civil-rights/for-individuals/section-1557/translated-resources/index.html  

More information about Section 1557, including fact sheets and training materials, is available on the HHS website.  http://www.hhs.gov/civil-rights/for-individuals/section-1557/index.html  

  



Click to return to the main Resources page

HIPAA Guidance and Tools

Guidance from NIST

Document Retention Guidelines

Information Security Guidance

              Copyright © 2002-2017 Lewis Creek Systems, LLC  Charlotte, Vermont, USA
Privacy Policy   Terms and Conditions of Use   Contact Us