Resources: HIPAA Guidance and Tools 

Return to the main Resources page
Regulations, Standards, and Laws
Guidance from NIST
Document Retention Guidelines
Information Security Guidance

PLEASE NOTE!  These resources, especially those on HHS Web sites, are subject to change.  Please let us know if you find a broken link, and thanks for your patience.

Guidance from HHS Office for Civil Rights

• The HHS Office for Civil Rights Health Information Privacy site is the place to find answers to many HIPAA questions.  Check the yellow What's New sidebar on the right regularly for new guidance and resources.  Describes HHS OCR activities in enforcing the Privacy and Security Rules, the results of those activities, and statistics on types of complaints and types of entities most often required to take corrective action.  Includes some guidance for entities who must comply with the HIPAA Privacy and Security Rules.  See: http://www.hhs.gov/ocr/privacy/.  The HIPAA FAQ page is available at http://www.hhs.gov/ocr/privacy/hipaa/faq/  

• OCR has created a handy guide, HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules, that is a nice summary of how HIPAA applies and what is necessary for compliance at a basic level, and also includes a number of very useful links to other guidance.  This is a good way to get a basic understanding of HIPAA and then look at the linked guidance for more.  The document is available at:  http://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf 

• On October 31, 2022, HHS OCR announced release of a video for organizations covered under the HIPAA Rules on Recognized Security Practices, to help organizations improve their ability to safeguard patient information from cyberattacks and better safeguard the health care services.   

  • Section 13412 of the HITECH Act requires OCR to take into consideration in certain Security Rule enforcement and audit activities whether a regulated entity has adequately demonstrated that recognized security practices were “in place” for the prior 12 months. 
  • This presentation is intended to educate the health care industry on the categories of recognized security practices and how entities regulated under the HIPAA Rules may demonstrate implementation. Topics include:
    • The 2021 HITECH Amendment regarding recognized security practices
    • How regulated entities can demonstrate that recognized security practices are in place
    • Details the evidence of recognized security practices that may be requested by OCR in the event of a HIPAA Security Rule investigation or audit
    • Where to find more information about recognized security practices
    • Provides answers to a selection of questions submitted to OCR in June 2022 on recognized security practices
  • The video presentation may be found on OCR’s YouTube channel at: https://youtu.be/e2wG7jUiRjE

• On January 7, 2016 and updated twice since then, HHS issued new guidance on individuals’ right to access their health information, including general information and specifics about the details of proper implementation, and also includes an extensive Q&A section providing additional information.  The February 25 update included additional Q&As regarding fees for providing copies of records.  If you have questions on providing access under HIPAA, look here first.  http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html 

• On December 19, 2017 the HHS Office for Civil Rights announced expanded and improved guidance relating to the sharing of information in opioid overdose incidents, including revised guidance, new guidance, and new Frequently Asked Question sets on the topic.  Per former HHS honcho Deven McGraw, this should be required reading for all front line personnel dealing with these emergencies!  See the page with links to the new and updated information at:  https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html  This page replaces and updates guidance originally issued on February 20, 2014, explaining how the HIPAA Privacy Rule operates to protect individuals' privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients' family members and others to enhance treatment and assure safety.  Then guidance is now available at the old link:  http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html  

• On October 27, 2017, HHS announced guidance on How HIPAA Allows Doctors to Respond to the Opioid Crisis, now integrated into the above page, discussing when and how healthcare providers can share a patient’s health information with his or her family members, friends, and legal personal representatives when that patient may be in crisis and incapacitated, such as during an opioid overdose.  Note: These are allowable disclosures, not required disclosures, and it is important to note that other privacy laws (such as 42 CFR Part 2 regarding drug and alcohol abuse treatment) may also apply.  It would appear that in most real situations, 42 CFR Part 2 would control the release of information, not HIPAA.  HIPAA does not interfere with state laws or medical ethics rules that are more protective of patient privacy.  The guidance is available at:  https://www.hhs.gov/sites/default/files/hipaa-opioid-crisis.pdf  

• Additional information on Sharing Information with Family and Friends of Patients is available at https://www.hhs.gov/hipaa/for-professionals/special-topics/same-sex-marriage/index.html with FAQs available at https://www.hhs.gov/hipaa/for-professionals/faq/2086/does-hipaa-privacy-rule-permit-doctor-discuss-patient-s-health-status.html.  An excellent overview of the topic is available at https://www.hhs.gov/sites/default/files/provider_ffg.pdf 

• On December 20, 2021, HHS’s Office for Civil Rights (OCR) released guidance to clarify how HIPAA permits covered healthcare providers to disclose PHI without a patient’s consent to support applications for extreme risk protection orders (ERPOs). ERPOs can temporarily prevent a person in crisis from accessing firearms if they are perceived to pose a danger to themselves or others.  Concerned family members, law enforcement, healthcare providers, and others may seek an ERPO if they are concerned that an individual may be suicidal or may use a firearm to injure themselves or another person.  See the guidance at:  https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/extreme-risk-protection-orders/index.html  

• HHS has also prepared a set of helpful YouTube videos for individuals in 2016 on patient rights and access of PHI.  See:  http://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html   

• OCR has posted a series of fact sheets for consumers, available in eight languages, about cpmsumer rights under the HIPAA Privacy Rule,on OCR’s website at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers   The fact sheets compliment seven videos on OCR’s YouTube channel.  A video on The HIPAA Security Rule, has been designed for providers in small practices and offers an overview of how to establish basic safeguards to protect patient information and comply with the Security Rule’s requirements. The videos are available on the HHS OCR YouTube Channel at http://www.youtube.com/user/USGovHHSOCR

• OCR released in February of 2016 two fact sheets concerning Permitted Uses and Disclosures for the Exchange of Protected Health Information for purposes of Treatment and for purposes of Health Care Operations, in order to clarify HIPAA regulations and help enable permissible uses and disclosures under the rules.  
• The blog entry announcing the release is at:  https://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/interoperability-electronic-health-and-medical-records/the-real-hipaa-supports-interoperability/  
• The fact sheet on
Exchange for Treatment is at:  https://www.healthit.gov/sites/default/files/exchange_treatment.pdf  
• The fact sheet on Exchange for Health Care Operations is at:  https://www.healthit.gov/sites/default/files/exchange_health_care_ops.pdf  

On May 24, 2019, the US Department of Health and Human Services Office for Civil Rights issued a guide to the direct enforcement liabilities of Business Associates under the HIPAA regulations, detailing the specific rules under which Business Associates must operate.  There are no surprises, just a straightforward list of ten categories of things that can land a Business Associate in hot water, including one big category for “Failure to comply with the requirements of the Security Rule” and one for “Impermissible Uses and Disclosures of PHI”.  It’s a handy list to refer to, available at:  https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html  Also see the starting page for Business Associate guidance at:  https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html  

• OCR provides modules for health care providers that offer free Continuing Medical Education (CME) credits for physicians and Continuing Education (CE) credits for health care professionals, on compliance with various aspects of the HIPAA Privacy and Security Rules, available at Medscape.org:
• Protecting Patients’ Rights
http://www.medscape.org/sites/advances/patients-rights  
• Patient Privacy: A Guide for Providers
http://www.medscape.org/viewarticle/781892?src=ocr
• HIPAA and You: Building a Culture of Compliance
http://www.medscape.org/viewarticle/762170?src=ocr
• Examining Compliance with the HIPAA Privacy Rule
http://www.medscape.org/viewarticle/763251?src=ocr

• HHS OCR and the Office of the National Coordinator for Health IT released a new Fact Sheet on HIPAA and Public Health Permitted Uses and Disclosures on December 20, 2016 that explains how the HIPAA Rules permit disclosures of PHI to support public health activities conducted by public health agencies, as authorized by state or federal law, with some helpful examples. See:    https://www.healthit.gov/sites/default/files/12072016_hipaa_and_public_health_fact_sheet.pdf  

• HHS OCR released on June 14, 2018 new Guidance on HIPAA and Individual Authorization of Uses and Disclosures of Protected Health Information for Research, that explains certain requirements for an authorization to use or disclose PHI for research and clarifies aspects of the individual’s right to revoke an authorization.  The guidance implements a mandate in the 21st Century Cures Act of 2016, which is designed to speed up the drug approval process and improve medical research, to streamline authorization under HIPAA for PHI use and disclosure for research.  An article on the guidance is available at:  https://healthitsecurity.com/news/ocr-guidance-tackles-phi-research-use-under-hipaa-privacy-rule and the guidance is at:  https://www.hhs.gov/sites/default/files/hipaa-future-research-authorization-guidance-06122018%20v2.pdf    

• On June 26, 2019, OCR issued a FAQ document that clarifies how the HIPAA Privacy Rule permits health plans to share protected health information (PHI) in a manner that furthers the promoting coordinated care.  The FAQ explains when and how one health plan can share PHI about individuals in common with a second health plan for care coordination purposes under the Privacy Rule.  https://www.hhs.gov/hipaa/for-professionals/faq/3014/uses-and-disclosures-for-care-coordination-and-continuity-of-care/index.html  

• On June 13, 2022, HHS OCR issued Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth addressing questions such as: 

  • Does the HIPAA Privacy Rule permit covered healthcare providers and health plans to use remote communication technologies to provide audio-only telehealth services?
  • Do covered healthcare providers and health plans have to meet the requirements of the HIPAA Security Rule in order to use remote communication technologies to provide audio-only telehealth services?
  • Do the HIPAA Rules permit a covered healthcare provider or a health plan to conduct audio-only telehealth using remote communication technologies without a business associate agreement in place with the vendor?

The answers to the questions are not obvious but do make sense in the overall view of HIPAA compliance, and are good to review if only to help you understand where the boundaries of the Security Rule are, and how the Privacy Rule may still apply when the Security Rule doesn’t, and what that means for security.  See the guidance at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html  and an article in Healthcare IT News at  https://www.healthcareitnews.com/news/hhs-puts-out-new-notice-audio-only-telehealth-and-hipaa  

• HHS OCR’s guidance on disclosures to film and media, originally released April 2016 in response to an enforcement settlement involving allowing TV film crews into a hospital ED without first obtaining HIPAA Authorizations:  http://www.hhs.gov/hipaa/for-professionals/faq/2023/film-and-media/index.html 

• HHS OCR has released final guidance on performing Risk Analysis at: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf   Also see #6 in the HHS HIPAA Security Series, updated March 2007, on Basics of Risk Analysis and Risk Management, available at:  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf  

• HHS has released a guide: Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices, to assist small practices in updating and keeping current their risk analyses.  See:  http://www.hhs.gov/sites/default/files/small-practice-security-guide-1.pdf  

• The December 2006 HHS Guidance on Remote Access and Use of PHI is still valid and provides excellent information on the considerations of using portable devices and remote access. In general, it points to the HIPAA security practices you should have in place to help you understand the risks and plan for their mitigation.  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf   

 The HHS October 2017 Cybersecurity Newsletter: Mobile Devices and Protected Health Information (PHI) provides a great summary of considerations to include when mobile devices are used with PHI.  See:  https://www.hhs.gov/sites/default/files/october-2017-ocr-cybersecurity-newsletter.pdf  

• On April 22, 2019, HHS posted guidance on the use of 3rd Party Apps and health information under HIPAA.  The guidance clarifies the rules around and provides examples of uses of 3rd party Apps for communications with providers and how HIPAA applies.  It all boils down to understanding on whose behalf the use of the App is taking place.  The guidance is available at:  https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hippa-access-right-health-apps-apis/index.html and an article on the topic in FierceHealthcare is available at:  https://www.fiercehealthcare.com/tech/hhs-guidance-clarifies-hipaa-liability-use-third-party-health-apps  

• HHS OCR has posted FAQs that address the HIPAA Privacy Rule requirements for disposal of protected health information, available at:  http://www.hhs.gov/hipaa/for-professionals/faq/disposal-of-protected-health-information  In addition, the July 2018 OCR Cybersecurity Newsletter provides a nice two-page summary of guidance with links to additional resources:  https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-july-2018-Disposal.pdf  

• HHS OCR guidance on the Electronic Exchange of Health Information is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/.  Of particular interest is very helpful Privacy Rule guidance on using e-mail to communicate with patients, on pages 3 and 4 of  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/healthit/safeguards.pdf     

• On May 3, 2016, the HHS OCR issued a Cyber-Awareness Monthly Update regarding the topic, Is Your Business Associate Prepared for a Security Incident?  The guidance indicates that entities should consider:
  • Ensuring that agreements define appropriate uses and disclosures and include requirements to report any other use or disclosure including breaches
  • Including in agreements the timeframe for reporting any incidents
  • Identifying what must be included in any breach or incident reports
  • Ensuring all workforce members are trained and Business Associate privacy and security practices are adequate

Additional details are provided.  The update is available at a number of locations, including:  http://www.inspn.org/wp-content/uploads/2016/05/OCR-CyberAwareness-Monthly-Update.pdf  

HHS-ONC Blog: 8 Info Blocking Reminders for October 6, 2022

On September 30, 2022, the HHS Office of the National Coordinator (ONC) posted a blog about eight Information Blocking regulatory reminders concerning changes going into effect on October 6, 2022.  The blog discusses the following eight points:

  1. The information blocking definition’s limitation on the scope of electronic health information (EHI) is lifted as of October 6, 2022.
  2. IB actors’ practices include acts and omissions.
  3. The information blocking regulations’ exceptions are not solely “one size fits all” and address the facts and circumstances of the situation at hand.
  4. Not all health information that’s electronic is EHI under the regulatory definition. And if such information is not EHI, then it’s not covered by the information blocking regulations.
  5. How IB actors make EHI available for access, exchange, and use can and will vary based on who the IB actor is, their technological sophistication, and who it is that is seeking to access, exchange or use an IB actor’s EHI.
  6. Information blocking is about “the data” (i.e., EHI) regardless of whether ONC-certified health IT is involved.
  7. Use of certain information blocking exceptions by actors will provide clear notification to requestors whether their request to access, exchange, or use EHI is delayed or denied.
  8. Information blocking claims are confidential and restricted from public disclosure.

Read the blog to get a better understating of how Information Blocking applies to your operations, at:  https://www.healthit.gov/buzz-blog/information-blocking/information-blocking-eight-regulatory-reminders-for-october-6th  

HHS and Dept. of Ed. 2019 Updated Guidance re HIPAA, FERPA

On December 19, 2019, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued Updated Joint Guidance on Privacy and Student Education and Health Recordsaddressing the application of the Family Educational Rights and Privacy Act (FERPA) and the HIPAA Privacy Rule to records maintained on students. 

The guidance, which was first issued in November 2008, clarifies how FERPA and HIPAA apply to education and health records maintained about students.  The revised guidance includes additional frequently asked questions and answers addressing when a student’s health information can be shared without the written consent of the parent or eligible student under FERPA, or without written authorization under the HIPAA Privacy Ruleespecially in connection with health and safety emergency situations.  Topics include:

  • When can protected health information (PHI) or personally identifiable information from an education record (PII) be shared with the parent of an adult student?
  • What options do family members of an adult student have under HIPAA if they are concerned about the student’s mental health and the student does not agree to disclosures of their PHI?
  • Does HIPAA allow a covered health care provider to disclose PHI about a minor with a mental health condition or substance use disorder to the minor’s parents?
  • When can PHI or PII be shared about a student who presents a danger to self or others? 
  • Under FERPA, can an educational agency or institution disclose, without prior written consent, PII from a student’s education records, including health records, to the educational agency’s or institution’s law enforcement officials?
  • Does FERPA permit an educational agency or institution to disclose, without prior written consent, PII from a student’s education records to the National Instant Criminal Background Check System (NICS)?

The joint guidance may be viewed at:  https://www.hhs.gov/sites/default/files/2019-hipaa-ferpa-joint-guidance-508.pdf 

Guidance from the Office of the National Coordinator

• A December 20, 2021 ONC Health IT Buzz blog entry provides an excellent summary of what is Electronic Health Information (EHI) and how it sits within the HIPAA definitions of Protected Health Information (PHI) and the Designated Record Set (DRS).  EHI is all electronic PHI in the DRS (as of October 6, 2022).  (Prior to October 6, 2022, EHI subject to the information blocking definitions is limited to that ePHI in the DRS that is represented in the data elements represented in the USCDI v1.)  See:  https://www.healthit.gov/buzz-blog/information-blocking/say-hi-to-ehi    

• On June 3, 2022, HHS OCR and the Office of the National Coordinator for Health Information Technology (ONC) released an updated SRA Tool version 3.3 as an application for Windows, as well as in an Excel spreadsheet-based version.  The target audience of this tool is medium and small providers and may not be appropriate for larger organizations.

  • The SRA Tool is a desktop application that walks users through the security risk assessment process using a simple, wizard-based approach. Users are guided through multiple-choice questions, threat and vulnerability assessments, and asset and vendor management. References and additional guidance are given along the way. Reports are available to save and print after the assessment is completed.
  • The Excel spreadsheet version of the SRA Tool takes the same content from the Windows desktop application and presents it in a familiar spreadsheet format. The Excel Workbook contains conditional formatting and formulas to calculate and help identify risk in a similar fashion to the SRA Tool application.

See: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

    • HHS CMS, under the auspices of the EHR Incentive Program, has released in a number of useful tools relating to Risk Analysis and the Privacy and Security Objective for Meaningful Use.  

 - FAQ published October 6, 2014: https://questions.cms.gov/faq.php?faqId=10754  
 - Security Risk Analysis Tipsheet including an overview of the HIPAA Security Rule Risk Analysis requirement, a table of risk and  safeguard examples, and a table of Myths vs. Facts about Security Risk Analysis:  http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/SecurityRiskAssessment_FactSheet_Updated20131122.pdf 
 - Guide to CMS EHR Incentive Program educational resources:  http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/EducationalMaterials.html  

• In April 2015, the Office of the National Coordinator for Health Information Technology released version 2 of its Guide to Privacy and Security of Electronic Health Information, providing a concise summary of the processes and requirements involved in assuring adequate privacy and security of electronic Protected Health Information.  The guide is available at:  http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf  and Chapter 6, a Sample Seven Step Approach for Implementing a Security Management Process, is available separately at:  http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide-chapter-6.pdf   

• The Office of the National Coordinator for Health IT released a 47-page 10-step plan for protecting the privacy and security of health data, developed in conjunction with the American Health Information Management Association.  Any entity that wishes to attest to the meaningful use of their EHR so that they can receive Federal funding should be sure they've covered these bases.  The list of steps itself echoes many of the same themes we've been espousing for years, but makes it clear that if you want to attest to meaningful use, you need to take privacy and security seriously.  The guide is available at: http://www.healthit.gov/providers-professionals/ehr-privacy-security/10-step-plan  (Last updated January 19, 2013)

• The Office of the National Coordinator for Health Information Technology has released Cybersecure: Your Medical Practice, a game developed to teach good basic privacy and security principles for health care offices, by requiring users to respond to privacy and security challenges.  Users choosing the right response earn points and see their virtual medical practices flourish, and vise versa. The game is available at no cost at:  http://www.healthit.gov/providers-professionals/privacy-security-training-games  and additional resources from ONC are available at  http://www.healthit.gov/providers-professionals/ehr-privacy-security  

• On July 11, 2017, the HHS Office of the National Coordinator for Health IT released a report on patient experiences in the access of medical records, and it’s a pretty sorry looking picture, frankly.  In the examples shown, there is a remarkable lack of understanding of basic HIPAA Access requirements by the involved providers.  The report shows the alarming, life threatening hurdles in the process and offers some ideas what must be done, and NOW.  See the announcement at:  https://www.healthit.gov/buzz-blog/consumer/understanding-patient-experience-improve-patient-access-medical-records/  and the report at:  https://www.healthit.gov/sites/default/files/onc_records-request-research-report_2017-06-01.pdf  

Section 405d Health Industry Cybersecurity Practices Guide

• On December 28, 2018 the Department of Health and Human Services released a guide to voluntary cybersecurity practices for healthcare organizations ranging in size from local clinics to large hospital systems.  This is an important product of the section 405d requirements under the Cybersecurity Act of 2015.

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients is a four-volume publication, the result of a two-year public-private partnership between HHS and more than 150 healthcare industry professionals, mandated through the Cybersecurity Act of 2015.  This is good stuff!

• The guidance is a mixture of highly technical solutions and common sense practices applicable to a wide range of healthcare facilities. The core of the document explores the five most relevant threats to the healthcare industry and recommends 10 cybersecurity practices to mitigate them.  See:  https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx  

CMS Guidance on Texting PHI

• On December 28, 2017, HHS Center for Medicare and Medicaid Services (CMS) issued a memo to its State Survey Agency Directors to clarify that Texting patient information among members of the health care team is permissible if accomplished through a secure platform, but texting of patient orders is prohibited regardless of the platform utilized.  Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider.  So, Texting PHI among the team?  Yes, but must be secure.  Texting Patient Orders?  No, which is aligned with Joint Commission rules.  The memorandum is available at:  https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Survey-and-Cert-Letter-18-10.pdf  and there are articles on the announcement at:  https://www.fiercehealthcare.com/regulatory/cms-texting-physician-orders-joint-commission-regulations-hipaa-security  and at:  http://www.healthcareitnews.com/news/cms-clarifies-policy-texting-patient-info-across-healthcare-teams  

Ransomware Guidance

• On July 11, 2016, the HHS Office for Civil Rights released Fact Sheet: Ransomware and HIPAA, providing guidance to health care entities about what ransomware is and how good HIPAA compliance helps you deal with it, and indicates that a ransomware attack should be considered a breach, because control of the PHI has been compromised.  The fact sheet is available at:  http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf  

• In June, 2016, HHS issued guidance on the protection of healthcare organizations from Ransomware attacks.  The guidance explains what Ransomware is, how to protect your networks from it, and how to respond to it.  An article on the guidance is available in Becker’s Hospital Review, at  http://www.beckershospitalreview.com/healthcare-information-technology/hhs-issues-ransomware-guidance-to-healthcare-organizations.html  and the guidance is available at  http://www.aha.org/content/16/160620cybersecransomware.pdf  

• On May 26, 2017, Healthcare Informatics reported that the ECRI Institute has released a new guidance article, Ransomware Attacks: How to Protect Your Medical Device Systems, with recommendations to help hospitals identify and protect against ransomware attacks.  The report provides recommendations for adapting general cybersecurity principles to the particular requirements of medical device systems, including a list of immediate do's and don'ts for quickly responding to emerging threats.  The Healthcare Informatics article is available at:  https://www.healthcare-informatics.com/news-item/cybersecurity/ecri-institute-publishes-guidance-protecting-medical-devices-ransomware  and the ECRI guidance, published May 18, 2017 is available at:  https://www.ecri.org/components/HDJournal/Pages/Ransomware-Attacks-How-to-Protect-Your-Systems.aspx  

And More on Medical Device Security...

• In September, 2018, NIST presented Draft NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (available at https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8228-draft.pdf ), including IoT devices used in healthcare settings, and is open for comments though October 24, 2018.  See the article in HealthITSecurity at https://healthitsecurity.com/news/nist-warns-about-cybersecurity-vulnerabilities-in-healthcare-iot   

• On October 1, 2018 the FDA released a playbook for medical device security developed by MITRE that can enable healthcare organizations to plan for and respond to cybersecurity incidents involving medical devices.  The MITRE playbook Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook Version 1.0 October 2018 is available through https://www.mitre.org/publications/technical-papers/mitre-creates-playbook-on-medical-device-cybersecurity and an article on the release in HealthITSecurity is at https://healthitsecurity.com/news/fda-unveils-mitres-medical-device-security-playbook  A Statement from FDA Commissioner Scott Gottlieb, M.D. on FDA’s efforts to strengthen the agency’s medical device cybersecurity program as part of its mission to protect patients is available at https://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm622074.htm 

• In addition, a KLAS/CHIME survey shows providers lack confidence in medical device cybersecurity — is it any wonder?  See the article in Modern Healthcare (registration required) at http://www.modernhealthcare.com/article/20181005/NEWS/181009942  Results suggest that the majority of surveyed provider groups attributed security problems to the device manufacturers, especially if the devices can’t be updated or patched, and that the problem is widespread.  

Business Continuity Planning

Cyber Insurance usually calls for having a Business Continuity Plan (BCP).  Business Continuity Plans usually include a few scenarios and how you would approach them:

  • Loss of facilities (and systems) through something like a fire, flood, or other physical catastrophe
  • Working under pandemic conditions, including the loss of key personnel and the need to protect systems and data
  • Having your systems or networks compromised by a hack or Ransomware that would prevent you from doing business (and that would presumably trigger your cyber insurance)

For each scenario, you can say what you’d do to respond and recover, which would usually include a backup and recovery component.  You need to describe what you’d do to make sure you had backed up your systems and data, and what you’d need to do to bring it back on line again and get back to “normal” operations.  Each of the three scenarios should consider the details relevant to the scenario for what needs to happen for backups and recovery.

  • For Loss of Facilities, BCP means having good, thorough, usable backups held offsite with the ability to be re-created in a new physical facility (and all that goes with the process of creating that facility, at least in a skeleton form), and getting back to business.
  • For Working Under a Pandemic, it means having good backups of all PHI (including that which may be held remotely), but also having the ability to work remotely as much as possible, with strong security, under a planned technology and process.  Here you can talk about what you have done to deal with the pandemic and say that’s your plan for that scenario.
  • For a Hack or Ransomware Attack, it means taking precautions to apply strong security controls, having good backups that are designed to include steps to help protect backups from being hit with Ransomware (such as manual air gaps and other measures to isolate and protect backups, where reasonable), and the ability to re-create your business from your protected backups after wiping out any infestations in your infrastructure.

For all of these scenarios, there are lots of details you can specify; the links below can help guide your thinking as to what you should consider in each scenario.

Here is one template that shows one approach, with a tech orientationhttps://www.santacruzhealth.org/Portals/7/Pdfs/HPP/CO_%20LTC-SNF_Template.pdf 

AHIA has a very good white paper on the topic that can provide some guidance: https://ahia.org/getattachment/news/White-Papers/AHIA-Crowe-Whitepaper.pdf/?lang=en-US 

A nice short piece on the key components of a BCPhttps://www.stage2data.com/three-key-components-of-a-business-continuity-plan/ 

National Association of Community Health Centers guide on creating a BCPhttps://www.cchn.org/pdf/clinical_quality/ep/creating_a_business_continuity_plan.pdf 

FEMA has a physical facilities-oriented templatehttps://arlingtonva.s3.amazonaws.com/wp-content/uploads/2019/08/COOP-Template-Business-Continuity.pdf 

DHS (Homeland Security) has a BCP Templatehttps://www.ready.gov/sites/default/files/2020-03/business-continuity-plan.pdf 
and a Guide for the Template from DHShttps://www.ready.gov/business-continuity-plan and an article on the template: https://www.shrm.org/resourcesandtools/tools-and-samples/hr-qa/pages/business-continuity-plan-template.aspx 

HIPAA Audit and Enforcement Questions

• On July 27, 2016, the HHS Office for Civil Rights provided new HIPAA Audit Guidance & FAQ.  Covered entities received notification of their selection as the subjects of an Office for Civil Rights (OCR) desk audit of compliance with the HIPAA Security, Privacy and Breach Notification Rules on July 11, and were invited to participate in a webinar held on Wednesday, July 13, where OCR staff walked through the processes for the audit and expectations for their participation.  To respond to questions, OCR developed three targeted guidance documents, available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.  
 — One is a 
comprehensive question and answer listing.  
 — The second puts the 
specific audit document submission requests in context with the rule requirements and associated protocol audit inquiries, as well as the related questions asked by selected entities.  The entire protocols are available on the OCR website; for this guidance we extracted from those protocols the specific desk audit provisions, and added the audit inquiries and Q&A.  
 — Finally, OCR has posted 
the slides used in the webinar.  The guidance should be helpful to audited entities as well as other covered entities and business associates seeking assistance with improving their compliance with these important requirements of the HIPAA Rules.  

• The US Department of Health and Human Services Office for Civil Rights audit protocol for the 2016 round of random HIPAA Privacy, Security, and Breach Notification compliance audits is available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html   The 2016 protocol has 180 questions, most with several sub-questions, and is very difficult to use in the format provided.  It is best to copy the information into a word processor or spreadsheet document, correct the formatting, and then use it as a compliance management tool.  Complete information on the 2016 Audit program is at  http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html 

• A list of Questions Used in Random HIPAA Privacy and Security Audits of Q1 2012 has been released by The Malvern Group's Sue Miller, who has published a briefing with a list of information requests submitted to one of the audited covered entities.  The two-page list covers the basics – make sure you have policies and procedures and can show you've been using them.  For a copy of Sue Miller's briefing including the two-page questionnaire, please see:  OCR_Audit_Document_Request_Brief_20120424_v_2.pdf  

• The extremely useful, two-page 2008 CMS Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews is no longer available on the CMS Web site, as CMS has been replaced by the HHS Office for Civil Rights for HIPAA Security enforcement, but you may download a copy from us.  

• The questions asked by HHS OCR of a small medical practice that suffered a breach because of the theft of a laptop and a server give insight into how much preparation is necessary for HIPAA compliance and to respond to OCR inquiries following a breach.  Be ready to answer at least these questions!  The questions are available at: https://www.infosecisland.com/blogview/13745-HIPAA-HITECH-Breach-by-a-Small-Practice-Actual-Experience.html

• HHS OIG HIPAA Security Rule Compliance Questions – The 42 questions asked of Piedmont Hospital in Atlanta, GA by the Office of the Inspector General of the Department of Health and Human Services, as reported in Computerworldhttp://www.computerworld.com/article/2541971/security0/hipaa-audit--the-42-questions-hhs-might-ask.html  or  http://tinyurl.com/meupq8t  

HIPAA Breach Notification Guidance

• The HHS overview page on HIPAA Breach Notification clearly lays out the requirements and includes links to other essential pages, such as guidance on securing PHI, forms for reporting breaches, the “wall of shame” of large breaches, and the FTC, for reporting non-HIPAA breaches.  See:  http://www.hhs.gov/hipaa/for-professionals/breach-notification/  

• Breach Notification Guidance from HHS OCR for safe-harbor encryption and destruction of information is at:  http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html   and the original Federal Register entry is available at  http://www.hhs.gov/hipaa/for-professionals/security/guidance/HITECH-act-breach-notification-guidance/index.html  

• The list of healthcare information breaches affecting more than 500 individuals reported to HHS (a.k.a. the "Wall of Shame") was updated in early 2015 and is available at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf   The new format is much easier to read and search, with easy export of the data in multiple formats.  See what happens to others -- make sure it doesn't happen to you!

• A great tool for looking at data breach causes is the Privacy Rights Clearinghouse page with a chronology of data beaches, sortable by breach type, organization type, and year.  If you are looking at risks for breaches, look here to see what happens to others like you -- if they can get hurt, so can you.  See:  http://www.privacyrights.org/data-breach/new  

Templates

Notice of Privacy Practices Templates including the HIPAA Omnibus changes of 2013, in four formats tested for consumer usability, for both providers and health plans, in both English and Spanish, are provided by the HHS Office for Civil Rights at:  http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html  

Sample language for HIPAA Business Associate Agreements meeting requirements the final HITECH Amendments to HIPAA is available from HHS at:  http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html  It is important to note that this language only identifies the required elements and any legal agreement should be reviewed by your attorney.

• The Office of the National Coordinator for Health Information Technology released on June 25, 2013 a guide, EHR Contracts: Key Contract Terms for Users to Understand that provides insights into key clauses in contracts that must be properly considered during negotiations for the procurement of Electronic Health Record systems.  It does comment on the impact of standard limitation of liability and exclusion of consequential damages language on HIPAA issues.  See:  http://www.healthit.gov/sites/default/files/ehr_contracting_terms_final_508_compliant.pdf  

• The AMA released in September 2013 updated tools for HIPAA Privacy and Security Compliance, including new sample Notice of Privacy Practices and Business Associate Agreement templates, as well as toolkits and FAQs.  See:  http://www.ama-assn.org/go/hipaa  

• On July 6, 2017, AHIMA released a model form for Patient Requests for Access to their PHI that meets the requirements of the HHS Office of the National Coordinator for Health IT and Office for Civil Rights.  While the form is hospital-centric in some of the details, it can be the basis for forms used by other providers.  Remember: An access request is NOT the same as a release under Authorization, and you should not use the same forms or processes for both.  This form is very simple, as it should be according to HHS guidance.  See the announcement at  http://www.ahima.org/modelform  and download the form at: http://bok.ahima.org/PdfView?oid=302192  

Guidance on De-identification of Personal Information

• NIST IR 8053, released December 17, 2015, is a report on De-Identification of Personal Information.  The report document summarizes two decades of de-identification research, discusses current practices, and presents opportunities for future research, including discussion of HIPAA methods for de-identification, and the effectiveness of the HIPAA Safe Harbor method.  The report is available at http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf  If you are dealing with any issues of de-identifying PHI, READ THIS REPORT!

Also, see HHS’s guidance from 2012 on De-identification of PHI, available at:  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf  

Guidance on HIPAA in Emergencies and Disasters

• Fact sheets and decision-making tools from HHS concerning Emergency Preparedness and Disclosures to Public Officials in response to bioterrorism threats or public health emergencies are available at:  http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/decisiontoolintro.html  and  http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures_for_law_enforcement_purposes/397.html  

• On November 10, 2014, the US Department of Health and Human Services (HHS) published new guidance on HIPAA Privacy Rule protections in emergency situations, such as an Ebola outbreak, to ensure that HIPAA-regulated entities are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.  OCR's bulletin on HIPAA Privacy in Emergency Situations may be found at:  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf

• Guidance from HHS on HIPAA in Emergency Situations: Preparedness, Planning, and Response can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/index.html

Updated FTC-HHS Online Tool for Developers re Rules

• On December 7, 2022, The Federal Trade Commission (FTC) in conjunction with the HHS Office for Civil Rights (OCR), the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA) have updated the Mobile Health App Interactive Tool. This tool is designed to help developers of health-related mobile apps understand what federal laws and regulations might apply to them.  The tool is available at: https://www.ftc.gov/business-guidance/resources/mobile-health-apps-interactive-tool

• The guidance tool asks developers a series of high-level questions about the nature of their app, including about its function, the data it collects, and the services it provides to users. Based on the developer’s answers to those questions, the guidance tool will point the app developer toward detailed information about certain federal laws that might apply to the app. These include the FTC Act, the FTC’s Health Breach Notification Rule, the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug and Cosmetics Act (FD&C Act), and the 21st Century Cures Act and ONC Information Blocking Regulations.

• Developers and others seeking more information about how the HIPAA Rules might apply to their health apps should visit OCR’s HIPAA and Health Apps page, which contains information on how HIPAA applies to a range of example health app scenarios and offers key questions to consider in determining when HIPAA’s regulations cover a particular health app.  The HIPAA and Health Apps page is available at: https://www.hhs.gov/hipaa/for-professionals/special-topics/health-apps/index.html  

Additional HIPAA Guidance

• On March 22, 2022, AHIMA published an article in AHIMA Journal on Lessons to Help Prevent Release of Information Mistakes.  Individual access of information is a key issue with HHS OCR, and if you are investigated by HHS, work with your investigator to respond to any technical assistance and ensure you deal with any issues promptly, or you may suffer significant penalties.  Eight Mistakes to Avoid and Steps to Avoid OCR Violations are included.  See the article at:  https://journal.ahima.org/lessons-to-help-prevent-release-of-information-mistakes/  

• In December 2017, AHIMA announced the availability of guidance: AHIMA Guidelines: The Cybersecurity Plan, presenting a 17-step plan for reducing cybersecurity vulnerabilities and improving your ability to respond to cybersecurity events.  This is a great checklist to make sure you are covering the basics!  See: http://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf   

• On October 21, 2016 HHS announced joint guidance with the Federal Trade Commission (FTC) about how HIPAA and FTC rules interact and relate to consumer health information, reminding those in health care that if they’re not covered under HIPAA, the FTC has a role to play in privacy and security.   If you share health information, it’s not enough to simply consider the HIPAA Privacy Rule.  You also must make sure your disclosure statements are not deceptive under the FTC Act.  The guidance is at  https://www.ftc.gov/tips-advice/business-center/guidance/sharing-consumer-health-information-look-hipaa-ftc-act  

• In July, 2016, HHS OCR posted FAQ on HIPAA and Unique Device Identifiers (UDI), which clarifies that the device identifier (DI) portion of a UDI can be part of a limited or de-identified data set as defined under HIPAA.  While the HIPAA Privacy Rule prohibits the inclusion of “device identifiers and serial numbers” in both limited data sets and data sets that are de-identified in accordance with the “de-identification safe harbor” provisions, the guidance explains that the DI portion of the UDI is not the type of “device identifier” to which these HIPAA Privacy Rule provisions refer.  See:  http://www.hhs.gov/hipaa/for-professionals/faq/2071/can-device-identifier-di-portion-unique-device-identifier-udi-be-part-limited-or-de-identified

• In February, 2016 the HHS Office for Civil Rights announced new guidance on the application of HIPAA rules to App Developers, and describes the typical circumstances when one may or may not be considered a HIPAA Business Associate.  The guidance is available at:  http://hipaaqsportal.hhs.gov/community-library/accounts/92/925889/OCR-health-app-developer-scenarios-2-2016.pdf  

In March, 2016, the HHS Office for Civil Rights announced new guidance on HIPAA and Workplace Wellness Programs, and describes the typical activities and circumstances that may or may not determine whether a Workplace Wellness Program is covered under HIPAA or not.  A blog announcement and summary by the head of HHS OCR is available at:  http://www.hhs.gov/blog/2016/03/14/how-hipaa-applies-certain-workplace-wellness-programs.html  The guidance is available at:  http://www.hhs.gov/hipaa/for-professionals/privacy/workplace-wellness/  

• The Federal Trade Commission has a great guide published in January of 2011: Medical Identity Theft — FAQs for Health Care Providers and Health Plans that covers a lot of access questions in the event of identity theft.  One major point: If an individual’s records get contaminated with information of an identity thief, the individual has a right to see all of their record, including an identity thief’s information, in order to have it corrected.  See:  https://www.ftc.gov/system/files/documents/plain-language/bus75-medical-identity-theft-faq-health-care-health-plan.pdf  

For those working in Long Term Care and Assisted Living facilities, the American Health Care Association and the National Center for Assisted Living have created a HIPAA Privacy Reference Manual that is available for sale for a reasonable fee.  These tools are tailored to this kind of entity and should be a great starting point for many organizations of this type.  The AHCA-NCAL HIPAA Privacy Reference Manual is available at:  http://www.ahcapublications.org/ProductDetails.asp?ProductCode=8282A  

HHS OCR has made HIPAA Enforcement training materials designed for State Attorneys General and their staffs available on the OCR Web site.  The materials consist of links to videos ranging from 10 to 109 minutes as well as a giant 417 MB ZIP file of training modules you can download.  The materials are designed for the State AGs, but are useful for anyone looking for a solid set of training materials designed for the enforcer's viewpoint, especially internal auditors. See:  http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/state-attorneys-general/    

Healthcare IT News published on September 30, 2011 an article with a good list of the 6 best ways to protect against health data breaches, available here:  http://www.healthcareitnews.com/news/6-best-ways-protect-against-health-data-breaches  

• The AMA has issued a very useful set of frequently asked questions about encryption of PHI including descriptions of how encryption works and links to useful resources.  I don't necessarily agree with all of their conclusions, but you won't go wrong in following their recommendations.  The guidance is available at:   http://www.ama-assn.org/ama1/pub/upload/mm/368/hipaa-phi-encryption.pdf

• HHS and the U.S. Department of Education provide joint guidance on the application of HIPAA and FERPA to student health records, available at:  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf 

The CMS Medicare Business Partners Systems Security Manual is to be used by CMS's business associates, but it is also a useful guide for HIPAA business associates of all kinds.  The August 17, 2009 version (published July 17, 2009) is available at: http://www.cms.hhs.gov/transmittals/downloads/R10SS.pdf

• The HIPAA Collaborative of Wisconsin (HIPAA COW) provides a number of useful training, business associate agreement, and breach notification resources on their web site at: http://www.hipaacow.org

• NYS Office for Technology – New York State HIPAA Security Matrix – this document appears to be no longer available elsewhere on the Web, so I have published it here in both .doc and .pdf formats. 

• American Mental Health Alliance has an informative page discussing the issues surrounding Psychotherapy Notes under the HIPAA Privacy Rule, available at:  http://membership.americanmentalhealth.com/index.tpl?page=3234983890680447&target=contFrame   or http://tinyurl.com/6bg672

• The Vermont Medical Society has published a useful, extensive page on questions pertaining to Consent, Privacy, and Medical Records.  The page, written by Anne Cramer of Primmer, Piper, Eggleston & Cramer, P.C., includes a discussion covering both HIPAA and Vermont considerations, as well as minors, substance abuse, and mental health considerations.  Even if you are not practicing in Vermont, it is interesting to see how the laws intersect and where VT law or 42 CFR Part 2 prevails over HIPAA; this page can be very useful for people from any state.  See:  http://www.vtmd.org/consent-privacy-and-medical-records  

Return to the main Resources page
Regulations, Standards, and Laws
Guidance from NIST
Document Retention Guidelines
Information Security Guidance


              Copyright © 2002-2023 Lewis Creek Systems, LLC  Charlotte, Vermont, USA
Privacy Policy   Terms and Conditions of Use   Contact Us