Resources: Regulations, Standards, and Laws

PLEASE NOTE!  HHS has recently been removing and rearranging some of its Web-based information.  Please let us know if you find a broken link, and thanks for your patience.


• The HIPAA Privacy and Security Rules are available in a combined form including integrated amendments to the Privacy Rule through 2006 at:   http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf

• The July 2010 Notice of Proposed Rule Making for Changes to HIPAA is available at  http://edocket.access.gpo.gov/2010/pdf/2010-16718.pdf  and  http://edocket.access.gpo.gov/2010/2010-16718.htm   

• The HIPAA Breach Notification Rule (effective September 23, 2009) is available at: http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf ; HIPAA Breach Notification Guidance for encryption and destruction of information is at  http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/guidance_breachnotice.html  or  http://tinyurl.com/d9yug8 ; HHS Office of Civil Rights HIPAA Breach Notification Rule information and electronic reporting forms for breaches are at:   http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html  or   http://tinyurl.com/yemwev8    

• The HIPAA Enforcement Interim Final Rule prompted by ARRA is available at:   http://www.regulations.gov/search/Regs/home.html#documentDetail?R=0900006480a4e565 and   http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf  

• Details on the HIPAA Compliance Audit Program introduced November 8, 2011 are at  http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html  and describe the process and timetable involved.  Phase 1 runs through the end of 2012 and will include up to 150 random audits of HIPAA Covered Entities.

• The American Recovery and Reinvestment Act of 2009, including Title XIII on Health Information Technology, with major HIPAA changes, is available at  http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.pdf  or http://www.opencongress.org/bill/111-h1/text .  See sections in the 13400s, starting on page 144 of the bill, for the HIPAA-related requirements, some in effect upon signing, February 17, 2009.   

• The final regulations on Meaningful Use and Standards/Certification Criteria for EHR incentives were published in the Federal Register July 28, 2010. 
 - The Meaningful Use Rule (14MB file) is available at:   http://edocket.access.gpo.gov/2010/pdf/2010-17207.pdf   
 - Standards/Certification Criteria (400K file) for EHR Technology (45 CFR Part 170) are available at:   http://edocket.access.gpo.gov/2010/pdf/2010-17210.pdf   See especially § 170.302 (o) through (w), on page 44652, for the areas that would be subject to a Security Risk Analysis, such as that required for Meaningful Use and HIPAA Security Rule requirements.
 - CMS has set up a useful site on the EHR Incentive Programs, available at:   http://www.cms.gov/EHRIncentiveprograms/.   

• The Genetic Information Nondiscrimination Act (GINA) has required the release of rules, under several regulatory agencies, prohibiting the use of genetic information for employment or insurance underwriting purposes.  The HHS OCR proposed rule, the companion rules from EEOC and DOL/CMS/Treasury, and the source legislation are all available on the OCR site at  http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/genetic/index.html .  The Department of Labor fact sheet, including a good overview, is available at:  http://www.dol.gov/ebsa/newsroom/fsGINA.html#

• The PCI Data Security Standard for payment card information is available at: https://www.pcisecuritystandards.org/security_standards/index.php  and a PCI Quick Reference Guide, including an overview and compliance information, is at:  https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

• The PCI Self-Assessment Questionnaire and numerous other documents, guides, and templates useful to PCI DSS compliance are available at: https://www.pcisecuritystandards.org/security_standards/documents.php    

• The Federal Rules of Civil Procedure for Electronic Discovery are available at: http://www.uscourts.gov/rules/EDiscovery_w_Notes.pdf

• An excellent reference point for the various State Data Security Breach Laws is the National Conference of State Legislatures via their Web page at: http://www.ncsl.org/programs/lis/cip/priv/breach.htm .  NCSL also provides a list of State Identity Theft Laws via their Web page dedicated to that topic at: http://www.ncsl.org/programs/lis/privacy/idt-statutes.htm

• The International Security Breach Notification Survey, prepared by Foley & Lardner LLP and Eversheds LLP in November 2009, is a comprehensive guide to state, national, and international security breach notification laws, useful as a guide to any business that may suffer a breach of information security.  The report is available at: http://www.mekabay.com/infosecmgmt/security_breach_laws.pdf  

• An interactive map of data breach notification laws as of July 28, 2008, with highlights of each state's laws such as timeframes, penalties, exemptions, and private rights to action, is provided by CSO magazine's web site at:  http://www.csoonline.com/read/020108/ammap/ammap.html  

• The Federal Register publication of the Identity Theft Red Flags Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule (effective January 1, 2008, enforceable January 1, 2011, a.k.a. the Red Flags Rule) is available at:  http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf.  The Red Flag Program Clarification Act exempting many professional offices is available at:  http://www.gpo.gov/fdsys/pkg/BILLS-111s3987enr/pdf/BILLS-111s3987enr.pdf.  The Federal Trade Commission's Web site on the Red Flags Rule is at: http://www.ftc.gov/redflagsrule.  

• The current Nevada law requiring encryption of personal information in transit or transmission (except fax-to-fax), Nev. Rev. Stat. § 597.970(1) (2005), is available at:  http://www.leg.state.nv.us/Nrs/NRS-597.html#NRS597Sec970.  NRS 597.970 will be replaced by SB 227, which requires compliance with NIST-FIPS Federal standards, as of January 1, 2010.  SB 227 is available at:  https://www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf.   The Nevada laws apply to all businesses with customers in Nevada.

• The Massachusetts business regulation requiring the security of personal information and encryption of personal information in transmission or on laptops and portable media, effective March 1, 2010, is available at: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf  and the table of contents for General Laws of Massachusetts Chapter 93H - Security Breaches is available at  http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm.  The Massachusetts laws apply to all businesses with customers in Massachusetts.

              Copyright © 2002-2011 Lewis Creek Systems, LLC  Charlotte, Vermont, USA