Information Security Guidance
PLEASE NOTE! These resources, especially those on HHS Web sites, are subject to change. Please let us know if you find a broken link, and thanks for your patience.
• The HHS Office for Civil Rights Health Information Privacy site is the place to find answers to many HIPAA questions. Check the yellow What's New sidebar on the right regularly for new guidance and resources. The site describes HHS OCR activities in enforcing the Privacy and Security Rules, the results of those activities, and statistics on the types of complaints and the types of entities most often required to take corrective action. It also includes some guidance for entities that must comply with the HIPAA Privacy and Security Rules. See: http://www.hhs.gov/ocr/privacy/. The HIPAA FAQ page is available at http://www.hhs.gov/ocr/privacy/hipaa/faq/
• The extremely useful, though out of date, two-page 2008 CMS Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews is no longer available on the CMS Web site, as CMS has been replaced by the HHS Office for Civil Rights for HIPAA Security enforcement. You may download a copy from us, although it does not represent current requirements. We hope this document will be replaced by an updated version from HHS OCR in the future.
• HHS OCR HIPAA Breach Notification Rule information and electronic reporting forms are available on the HHS OCR Web site at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html or http://tinyurl.com/yemwev8
• Breach Notification Guidance for encryption or destruction of information is at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/guidance_breachnotice.html or http://tinyurl.com/d9yug8
• A great tool for looking at data breach causes is the Privacy Rights Clearinghouse page with a chronology of data breaches, sortable by breach type, organization type, and year. If you are looking at risks for breaches, look here to see what happens to others like you -- if they can get hurt, so can you. See: http://www.privacyrights.org/data-breach/new
• The questions asked by HHS OCR of a small medical practice that suffered a breach because of the theft of a laptop and a server give insight into how much preparation is necessary for HIPAA compliance and to respond to OCR inquiries following a breach. Be ready to answer at least these questions! The questions are available at: https://www.infosecisland.com/blogview/13745-HIPAA-HITECH-Breach-by-a-Small-Practice-Actual-Experience.html
• HHS OCR has released final guidance on performing Risk Analysis at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf. Also see #6 in the HHS HIPAA Security Series, updated March 2007, on Basics of Risk Analysis and Risk Management, available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
• Healthcare IT News published on September 30, 2011 an article with a good list of the 6 best ways to protect against health data breaches, available here: http://www.healthcareitnews.com/news/6-best-ways-protect-against-health-data-breaches
• The AMA has issued a very useful set of frequently asked questions about encryption of PHI including descriptions of how encryption works and links to useful resources. I don't necessarily agree with all of their conclusions, but you won't go wrong in following their recommendations. The guidance is available at: http://www.ama-assn.org/ama1/pub/upload/mm/368/hipaa-phi-encryption.pdf
• HHS OCR has posted FAQs that address the HIPAA Privacy Rule requirements for disposal of protected health information, available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.
• HHS OCR guidance on the Electronic Exchange of Health Information is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/. Of particular interest is very helpful Privacy Rule guidance on using e-mail to communicate with patients, on pages 3 and 4 of http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/safeguards.pdf. For more information, see http://www.hhs.gov/healthit/privacy/framework.html.
• HHS and the U.S. Department of Education provide joint guidance on the application of HIPAA and FERPA to student health records, available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf
• The CMS Medicare Business Partners Systems Security Manual is to be used by CMS's business associates, but it is also a useful guide for HIPAA business associates of all kinds. The August 17, 2009 version (published July 17, 2009) is available at: http://www.cms.hhs.gov/transmittals/downloads/R10SS.pdf
• HHS OIG HIPAA Security Rule Compliance Questions – The 42 questions asked of Piedmont Hospital in Atlanta, GA by the Office of the Inspector General of the Department of Health and Human Services, as reported in Computerworld: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025253 or http://tinyurl.com/2ac9jm
• The HIPAA Collaborative of Wisconsin (HIPAA COW) provides a number of useful training, business associate agreement, and breach notification resources on their web site at: http://www.hipaacow.org
• Social Media are a growing part of the communication landscape and must be considered in policies and procedures to protect patients, staff, and organizations from harm. A good overview article in HealthLeaders Media, May 4, 2010, is at http://www.healthleadersmedia.com/content/TEC-250519/Four-Steps-to-the-Next-Step-in-Your-Social-Media-Evolution and a May 11, 2919 HealthLeaders Media article on social media policies is at http://www.healthleadersmedia.com/content/TEC-250829/Five-Tips-to-Guide-Your-Hospitals-Social-Media-Policy.html. A set of links to publicly available social media policies at a number of facilities is provided by Ed Bennett in his blog at: http://ebennett.org/hsnl/hsmp/#ixzz0nYPOlVNj
• NYS Office for Technology – New York State HIPAA Security Matrix – this document appears to be no longer available elsewhere on the Web, so I have published it here in both .doc and .pdf formats.
• American Mental Health Alliance has an informative page discussing the issues surrounding Psychotherapy Notes under the HIPAA Privacy Rule, available at: http://membership.americanmentalhealth.com/index.tpl?page=3234983890680447&target=contFrame or http://tinyurl.com/6bg672