Resources: Regulations, Standards, and Laws

HIPAA Laws and Regulations

• The HIPAA Privacy, Security, Breach Notification, and Enforcement Rules are available from the HHS Office for Civil Rights in a combined form, including integrated amendments through the January 25, 2013 Omnibus Update (including the HITECH amendments and the Genetic Information Nondiscrimination Act), at: http://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/index.html

• On January 6, 2016, a new rule was published in the Federal Register to modify HIPAA §164.512, adding a new section (k)(7) to allow use or disclosure of PHI for purposes of reporting to the National Instant Criminal Background Check System (NICS) the identity of an individual who is prohibited from possessing a firearm.  Disclosures may include only the limited demographic and certain other information needed for purposes of reporting to the NICS, and may not include diagnostic or clinical information.  The new rule is available at:  https://www.federalregister.gov/articles/2016/01/06/2015-33181/health-insurance-portability-and-accountability-act-hipaa-privacy-rule-and-the-national-instant  This change to HIPAA has been made since the publication of the OCR combined rule identified above.

• On February 5, 2016, the US Department of Health and Human Services announced new proposed regulations for Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR Part 2.  The goal of the proposed changes is to facilitate information exchange within new health care models while addressing the legitimate privacy concerns of patients seeking treatment for a substance use disorder.  The press release is available at:  http://www.hhs.gov/about/news/2016/02/05/hhs-proposes-changes-to-rules-governing-confidentiality-substance-use-disorder-records.html  The proposed rules, published in the Federal Register February 9, 2016, are at:  https://www.federalregister.gov/articles/2016/02/09/2016-01841/confidentiality-of-substance-use-disorder-patient-records

• The amendments to CLIA and HIPAA, effective April 7, 2014, allow patients to access their laboratory test results directly from the laboratory.  The HIPAA change consists of removing the exception to access, at 45 CFR 164.524(a)(1), section (iii), and making minor modifications to (i) and (ii) to accommodate the removal of (iii).  The final rule is available at:  http://www.gpo.gov/fdsys/pkg/FR-2014-02-06/pdf/2014-02280.pdf  This change to HIPAA has been made since the publication of the OCR combined rule identified in the item above.

ARRA, HITECH, Meaningful Use, and the Omnibus Update

• The Final HITECH Amendments to HIPAA including the Breach Notification Rule and Enforcement Rule, published January 25, 2013, are available at:  https://www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the and the PDF version of the rule in the Federal Register is at:   http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf    

• The Technical Corrections to the Omnibus HIPAA update, published June 7, 2013, are at: http://www.gpo.gov/fdsys/pkg/FR-2013-06-07/pdf/2013-13472.pdf  These corrections, in combination with the January 25 Omnibus Update, are (as of June 7, 2013) the current complete resource for the HIPAA regulations, which are in effect as of March 26, 2013 and enforceable as of September 23, 2013.

• The American Recovery and Reinvestment Act of 2009 (ARRA), including Title XIII on Health Information Technology, with major HIPAA changes, is available at  http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.pdf  or http://www.opencongress.org/bill/111-h1/text

See sections in the 13400s, starting on page 144 of the bill, for the HIPAA-related requirements, some in effect upon signing, February 17, 2009.

• The HITECH Act within ARRA is available separately from HHS at:  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf   

• The final regulations on Meaningful Use and Standards/Certification Criteria for EHR incentives were published in the Federal Register July 28, 2010. 
 - The Meaningful Use Rule (14MB file) is available at:   http://edocket.access.gpo.gov/2010/pdf/2010-17207.pdf   
 - Standards/Certification Criteria (400K file) for EHR Technology (45 CFR Part 170) are available at:   http://edocket.access.gpo.gov/2010/pdf/2010-17210.pdf   See especially § 170.302 (o) through (w), on page 44652, for the areas that would be subject to a Security Risk Analysis, such as that required for Meaningful Use and HIPAA Security Rule requirements.
 - CMS has set up a useful site on the EHR Incentive Programs, available at:   http://www.cms.gov/EHRIncentiveprograms/.   

• The Genetic Information Nondiscrimination Act (GINA) requires several regulatory agencies to issue rules prohibiting the use of genetic information for employment or insurance underwriting purposes.  See the HHS OCR final rule, incorporated in the 2013 Omnibus Update, as well as companion rules from EEOC and DOL/CMS/Treasury and the source legislation, on the OCR site at  http://www.hhs.gov/hipaa/for-professionals/special-topics/genetic-information/index.html  The Department of Labor fact sheet, including a good overview, is available at:  http://www.dol.gov/ebsa/newsroom/fsGINA.html#

HIPAA Audit Protocol

• The US Department of Health and Human Services Office for Civil Rights audit protocol for the 2016 round of random HIPAA Privacy, Security, and Breach Notification compliance audits is available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html   The 2016 protocol has 180 questions, most with several sub-questions, and is very difficult to use in the format provided.  It is best to copy the information into a word processor or spreadsheet document, correct the formatting, and then use it as a compliance management tool.  Complete information on the 2016 Audit program is at  http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html

HIPAA Breach Notification

• Breach Notification Guidance from HHS OCR for safe-harbor encryption and destruction of information is at:  http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html   and the original Federal Register entry is available at  http://www.hhs.gov/hipaa/for-professionals/security/guidance/HITECH-act-breach-notification-guidance/index.html  

• HHS Office for Civil Rights HIPAA Breach Notification Rule information and electronic reporting forms for all breaches are at:  http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

• To report a breach of protected health information to HHS, go to:  http://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html     

• HHS OCR has published a HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework relating the NIST framework and its security controls to each safeguard identified in the HIPAA Security Rule.  The HHS Web page on the topic is at:  http://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/  and the crosswalk is available at:  http://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf  

• On July 28, 2016, the US Department of Homeland Security released Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government, providing guidance on which Federal agencies and departments certain cyber incidents should be reported to.  Best to pay attention to this, if you suffer some kind of Cyber Incident!  The DHS page hosting the guidance is at:  https://www.dhs.gov/publication/cyber-incident-reporting-unified-message-reporting-federal-government  and the guidance document is available at:  https://www.dhs.gov/sites/default/files/publications/Cyber%20Incident%20Reporting%20United%20Message.pdf

State and International Breach Notification

• An excellent reference point for the various State Data Security Breach Laws is the National Conference of State Legislatures via their Web page at:  http://www.ncsl.org/issues-research/telecom/overview-security-breaches.aspx  NCSL also provides a list of State Identity Theft Laws via their Web page dedicated to that topic at:  http://www.ncsl.org/issues-research/banking/identity-theft-state-statutes.aspx  

• An interactive map of data breach notification laws as of July 28, 2008, with highlights of each state's laws such as timeframes, penalties, exemptions, and private rights to action, is provided by CSO magazine's web site at:  http://www.csoonline.com/read/020108/ammap/ammap.html  

• The International Security Breach Notification Survey, prepared by Foley & Lardner LLP and Eversheds LLP in November 2009, is a comprehensive guide to state, national, and international security breach notification laws, useful to any business that may suffer a breach of information security.  The report is available at: http://www.mekabay.com/infosecmgmt/security_breach_laws.pdf

PCI Data Security Standard

• The PCI Data Security Standard for payment card information is available at: https://www.pcisecuritystandards.org/security_standards/index.php  and a PCI Quick Reference Guide, including an overview and compliance information, is at:  https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

• The PCI Self-Assessment Questionnaire and numerous other documents, guides, and templates useful to PCI DSS compliance are available at: https://www.pcisecuritystandards.org/security_standards/documents.php    

Electronic Discovery and Identity Theft Red Flags

• The Federal Rules of Civil Procedure for Electronic Discovery are available at: http://www.uscourts.gov/rules/EDiscovery_w_Notes.pdf

• The Federal Register publication of the Identity Theft Red Flags Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule (effective January 1, 2008, enforceable January 1, 2011, a.k.a. the Red Flags Rule) is available at:  http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf.  The Red Flag Program Clarification Act exempting many professional offices is available at:  http://www.gpo.gov/fdsys/pkg/BILLS-111s3987enr/pdf/BILLS-111s3987enr.pdf.  The Federal Trade Commission's Web site on the Red Flags Rule is at: http://www.ftc.gov/redflagsrule.  

State Laws on Information Security

• The current Nevada law requiring encryption of personal information in transit or transmission (except fax-to-fax), Nev. Rev. Stat. § 597.970(1) (2005), is available at:  http://www.leg.state.nv.us/Nrs/NRS-597.html#NRS597Sec970.  NRS 597.970 will be replaced, as of January 1, 2010, by SB 227, which requires compliance with NIST FIPS Federal standards.  SB 227 is available at:  https://www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf.  The Nevada laws apply to all businesses with customers in Nevada.

• The Massachusetts business regulation requiring the security of personal information and encryption of personal information in transmission or on laptops and portable media, effective March 1, 2010, is available at: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf  and the table of contents for General Laws of Massachusetts Chapter 93H - Security Breaches is available at  http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm.  The Massachusetts laws apply to all businesses with customers in Massachusetts.

TCPA, Texting, and Calling to Mobile Phones

The Telephone Consumer Protection Act (TCPA) places limits on calling telephones and mobile phones for various purposes.  In the July 10, 2015 FCC Declaratory Ruling/Order on the TCPA, rules were clarified on several topics, including healthcare-related exemptions.  If you plan to call or send messages to mobile phones, there are limits.  Getting consent for healthcare and financial purposes in advance is a great idea.  The order is available at:  https://www.fcc.gov/document/tcpa-omnibus-declaratory-ruling-and-order  and, for the PDF version, at  https://apps.fcc.gov/edocs_public/attachmatch/FCC-15-72A1.pdf  See pages 68 (starting at paragraph 140) through 72 of the PDF for the details.

Be sure to see  https://www.mrllp.com/blog-FCC-Clarifies-TCPA-Exemptions-for-Health-Care-Calls  for a law firm's very useful summary of the order as it relates to healthcare.

ACA Section 1557 on Language Access Requirements

• In 2016, HHS OCR finalized the rule implementing Section 1557 of the Affordable Care Act (ACA) of 2010, the nondiscrimination provision of the ACA that states that individuals cannot be subject to discrimination based on their race, color, national origin, sex, age or disability.  Beginning on October 17, 2016, covered entities will be required to post Notices of Nondiscrimination and Taglines that alert individuals with limited English proficiency (LEP) to the availability of language assistance services.  

• HHS OCR has issued Frequently Asked Questions on the language access requirements under Section 1557, available at:  http://www.hhs.gov/civil-rights/for-individuals/section-1557/1557faqs/top15-languages/index.html

• HHS OCR has made available a table displaying the top 15 languages spoken by individuals with limited English proficiency (LEP) in each State, the District of Columbia, Puerto Rico and each U.S. Territory, based on OCR's research, at:  http://www.hhs.gov/sites/default/files/resources-for-covered-entities-top-15-languages-list.pdf

• HHS OCR's website has sample documents of a Notice of Nondiscrimination, Statement of Nondiscrimination and Taglines available for download in 64 languages and in two file formats, at:  http://www.hhs.gov/civil-rights/for-individuals/section-1557/translated-resources/index.html

More information about Section 1557, including fact sheets and training materials, is available on the HHS website at:  http://www.hhs.gov/civil-rights/for-individuals/section-1557/index.html

Copyright © 2002-2017 Lewis Creek Systems, LLC, Charlotte, Vermont, USA