Resources: Regulations, Standards, and Laws


HIPAA Laws and Regulations

• The HIPAA Privacy, Security, Breach Notification, and Enforcement Rules are available from HHS Office for Civil Rights in a combined form including integrated amendments through the January 25, 2013 Omnibus Update (including the HITECH amendments and the Genetic Information Nondiscrimination Act), at: 

• On January 6, 2016, a new rule was published in the Federal Register to modify HIPAA §164.512, adding a new section (k)(7) to allow use or disclosure of PHI for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm.  Disclosures may include only the limited demographic and certain other information needed for purposes of reporting to the NICS, and may not include diagnostic or clinical information.  The new rule is available at:  This change to HIPAA has been made since the publication of the OCR combined rule identified above.

• The amendments to CLIA and HIPAA, effective April 7, 2014, allow patients to access their laboratory test results directly from the laboratory.  The HIPAA change consists of removing the exception to access, at 45 CFR 164.524(a)(1), section (iii), and making minor modifications to (i) and (ii) to accommodate the removal of (iii).  The final rule is available at:  This change to HIPAA has been made since the publication of the OCR combined rule identified in the item above.

ARRA, HITECH, Meaningful Use, and the Omnibus Update

• The Final HITECH Amendments to HIPAA including the Breach Notification Rule and Enforcement Rule, published January 25, 2013, are available at: and the PDF version of the rule in the Federal Register is at:    

• The Technical Corrections to the Omnibus HIPAA update, published June 7, 2013, are at:  These corrections, in combination with the January 25 Omnibus Update, are the current complete resource for the HIPAA regulations in effect as of March 26, 2013 and enforceable September 23, 2013, as of June 7, 2013.

• The American Recovery and Reinvestment Act of 2009, including Title XIII on Health Information Technology, with major HIPAA changes, is available at  or .  

See sections in the 13400s, starting on page 144 of the bill, for the HIPAA-related requirements, some in effect upon signing, February 17, 2009.

• The HITECH Act within ARRA is available separately from HHS at:   

• The final regulations on Meaningful Use and Standards/Certification Criteria for EHR incentives were published in the Federal Register July 28, 2010. 
 - The Meaningful Use Rule (14MB file) is available at:   
 - Standards/Certification Criteria (400K file) for EHR Technology (45 CFR Part 170) are available at:   See especially § 170.302 (o) through (w), on page 44652, for the areas that would be subject to a Security Risk Analysis, such as that required for Meaningful Use and HIPAA Security Rule requirements.
 - CMS has set up a useful site on the EHR Incentive Programs, available at:   

• The Genetic Information Nondiscrimination Act (GINA) requires the release of rules pertaining to prohibition of the use of genetic information for employment or insurance underwriting purposes under several regulatory agencies.  See the HHS OCR final rule, incorporated in the 2013 Omnibus Update, as well as companion rules from EEOC and DOL/CMS/Treasury and the source legislation on the OCR site at  The Department of Labor fact sheet including a good overview is available at:  

HIPAA Audit Protocol

• The US Department of Health and Human Services Office for Civil Rights audit protocol for the 2016 round of random HIPAA Privacy, Security, and Breach Notification compliance audits has been updated for 2018 and is available at   The 2018 protocol has 180 questions (13 of which have been updated for 2018), most with several sub-questions, and is very difficult to use in the format provided.  It is best to copy the information into a word processor or spreadsheet document, correct the formatting, and then use it as a compliance management tool.  You can also ask Jim Sheldon-Dean for a properly formatted copy in Excel format.  Complete information on the HIPAA Audit program is at 

HIPAA Breach Notification

• Breach Notification Guidance from HHS OCR for safe-harbor encryption and destruction of information is at:   and the original Federal Register entry is available at  

• HHS Office of Civil Rights HIPAA Breach Notification Rule information and electronic reporting forms for all breaches are at:   

• To report a breach of protected health information to HHS, go to:     

• HHS OCR has published a HIPAA Security Rule Crosswalk to the NIST Cybersecurity Framework, relating the NIST framework and its security controls to each safeguard identified in the HIPAA Security Rule.  The HHS Web page on the topic is at:  and the crosswalk is available at:  

• On July 28, 2016, the US Department of Homeland Security released Cyber Incident Reporting:  A Unified Message for Reporting to the Federal Government, providing guidance on which Federal agencies and departments certain Cyber Incidents should be reported to.  Best to pay attention to this, if you suffer some kind of Cyber Incident!  The DHS page hosting the guidance is at:  and the guidance document is available at:  

HIPAA Penalty Amounts

Based on the April 26, 2019 notice of enforcement discretion by HHS, and the October 2018 Cost-Of-Living-Adjustment, the maximum penalties under HIPAA are currently set at the following levels in order to reflect the culpability of an organization in the circumstances of a violation:  

• Tier 1 (no knowledge): $114-$57,051 per violation, capped at $28,525 per year the issue persisted
• Tier 2 (reasonable cause): $1,141-$57,051 per violation, capped at $114,102 per year the issue persisted
• Tier 3 (willful neglect, corrected): $11,182-$57,051 per violation, capped at $285,255 per year the issue persisted
• Tier 4 (willful neglect, not corrected): $57,051 per violation, capped at $1,711,522 per year the issue persisted

The April 26, 2019 notice of enforcement discretion is available in the Federal Register of April 30, at:  

For an excellent summary of the implications of the 2019 changes, see Kim Stanger’s article at:  

State and International Breach Notification

• On July 25, 2019, New York Governor Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (the "SHIELD Act"), which amends New York State's current data breach notification law, and imposes substantive data security requirements on businesses that own or lease the Private Information of New York residents, regardless of whether the businesses otherwise conduct business in New York State.  In addition, the SHIELD Act requires HIPAA covered entities to report to the New York State Attorney General any breaches that must be reported to HHS.  The SHIELD Act's breach notification provisions take effect on October 23, 2019, and the new data security requirements take effect on March 21, 2020.  The Act is available at and an article discussing the act by the firm Proskauer Rose is available at  

• An excellent reference point for the various State Data Security Breach Laws is the National Conference of State Legislatures via their Web page at:  NCSL also provides a list of State Identity Theft Laws via their Web page dedicated to that topic at:  

• An interactive map of data breach notification laws as of July 28, 2008, with highlights of each state's laws such as timeframes, penalties, exemptions, and private rights to action, is provided by CSO magazine's web site at:  

• The International Security Breach Notification Survey, prepared by Foley & Lardner LLP and Eversheds LLP in November 2009, is a comprehensive guide to state, national, and international security breach notification laws, useful as a guide to any business that may suffer a breach of information security.  The report is available at:  

The European Union General Data Protection Regulation

The new European Union General Data Protection Regulation goes into effect May 25, 2018, and it requires the protection of the identifiable personal information of any EU subject no matter where that information may be, even in the US.  The GDPR is far from trivial, and could be expected to become the de facto international standard for protection merely because of its widespread applicability.  If you serve any patients or customers who reside in the EU, you need to be aware of this.  

• See great overview articles at and and the EU GDPR Web page at   

Substance Use Disorder Information under 42 CFR Part 2

Below are several resources to help organizations that deal with addiction and substance use disorders understand those regulations, how they work, and how they are changing today.

• On August 22, 2019, the US Department of Health and Human Services announced proposed changes to the rules under 42 CFR Part 2, including changes for clarification of when the rules apply, the definition of “records”, access of central registries (such as prescription drug monitoring programs), generalization of some consents, clarification of allowable disclosures for payment and operational purposes, better research alignment with HIPAA and the Common Rule, and rules on how Part 2 program staff’s personally owned devices must be cleared of any Part 2 data, including texts and e-mail messages.  The NPRM is available at now, and will be published in the Federal Register on August 26, where it will be available at  The HHS 42 CFR Part 2 Proposed Rule Fact Sheet outlining the details is available at

• Substance Abuse and Mental Health Services Administration (SAMHSA) and 42 CFR Part 2 overview:  

• A very nice overview of the rules is available from the Mental Health and Recovery Board of Erie and Ottawa Counties, at:

• SAMHSA FAQs updated May 1, 2018: 
  — with links to new fact sheets as of May 1, 2018, Disclosure of Substance Use Disorder Patient Records: Does Part 2 Apply to Me? (available at ) and Disclosure of Substance Use Disorder Patient Records: How Do I Exchange Part 2 Data? (available at )

• The 2017 version of 42 CFR Part 2, effective March 21, 2017:  

• American Society of Addiction Medicine articles, information, and several valuable resources regarding confidentiality and substance use disorders at:  

• American Psychiatric Association article on the 2017 version of 42 CFR Part 2:    

• From the APA article above, how the 2017 version of 42 CFR Part 2 compares to the old, pre-2017 version, and to HIPAA:

• Announcement of the 2018 Final Rule for 42 CFR Part 2, effective Feb. 2, 2018:  

• Link to the 2018 Final Rule for 42 CFR Part 2:

• Legal Action Center page on the 2018 Final Rule changes from 2017, at:  

• HHS page with multiple fact sheets, resources, and FAQ pages on HIPAA and Information Related to Mental and Behavioral Health, including Opioid Overdose, at:  

• HHS Additional FAQs on Sharing Information Related to Treatment for Mental Health or Substance Use Disorder—Including Opioid Abuse 

PCI Data Security Standard

• The PCI Data Security Standard for payment card information is available at:  and a PCI Quick Reference Guide, including an overview and compliance information is at:  

• The PCI Self-Assessment Questionnaire and numerous other documents, guides, and templates useful to PCI DSS compliance are available at:    

Electronic Discovery and Identity Theft Red Flags

• The Federal Rules of Civil Procedure for Electronic Discovery are available at:

• The Federal Register publication of the Identity Theft Red Flags Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule (effective January 1, 2008, enforceable January 1, 2011, a.k.a. the Red Flags Rule) is available at:  The Red Flag Program Clarification Act exempting many professional offices is available at:  The Federal Trade Commission's Web site on the Red Flags Rule is at:  

State Laws on Information Security

• The current Nevada law requiring encryption of personal information in transit or transmission (except fax-to-fax), Nev. Rev. Stat. § 597.970(1) (2005), is available at:  NRS 597.970 will be replaced by SB 227, which requires compliance with NIST-FIPS Federal standards, as of January 1, 2010.  SB 227 is available at:   The Nevada laws apply to all businesses with customers in Nevada.

• The Massachusetts business regulation requiring the security of personal information and encryption of personal information in transmission or on laptops and portable media, effective March 1, 2010, is available at:  and the table of contents for General Laws of Massachusetts Chapter 93H - Security Breaches is available at  The Massachusetts laws apply to all businesses with customers in Massachusetts.

TCPA, Texting, and Calling to Mobile Phones

The Telephone Consumer Protection Act places limits on calling to telephones and mobile phones for various purposes.  In the July 10, 2015 FCC Declaratory Ruling/Order on TCPA, rules were clarified on several topics including healthcare-related exemptions.  If you plan to call or send messages to mobile phones, there are limits.  Getting consent for healthcare and financial purposes in advance is a great idea.  The order is available at:  and the PDF version is available at:  See pages 68 (starting at paragraph 140) through 72 of the PDF for the details.

Be sure to see  for a legal firm’s very useful summary of the order as it relates to healthcare.

A more recent ruling (Latner v. Mt. Sinai Health System, Inc., No. 17-99-cv (2d Cir. Jan. 9, 2018)) indicated that if the Notice of Privacy Practices includes mention of such use, and the individual acknowledges that the NPP has been received, that counts as the necessary consent.  So, to comply with TCPA, make sure your NPP includes the necessary statements about contacting the individual, and make sure the individual acknowledges receipt of the NPP.  There’s an informative March 27, 2018 posting on the Journal of AHIMA Blog pages, available at:  

NOTE! This does not address HIPAA Security Rule requirements for security, so you’ll still need your patients to express a preference to receive any plain text messages that may imply a healthcare connection, depending on the message.  The “everyone should get a flu shot” message sent to all recent patients  in the case cited probably would not count as a breach without consent, but an individualized message with personal details could.  Your mileage may vary.

ACA Section 1557 on Language Access Requirements 

• In 2016, HHS OCR finalized the rule implementing Section 1557 of the Affordable Care Act (ACA) of 2010, the nondiscrimination provision of the ACA that states that individuals cannot be subject to discrimination based on their race, color, national origin, sex, age or disability.  Beginning on October 17, 2016, covered entities will be required to post Notices of Nondiscrimination and Taglines that alert individuals with limited English proficiency (LEP) to the availability of language assistance services.  

• HHS OCR has issued Frequently Asked Questions on the language access requirements under Section 1557.  

• HHS OCR has made available a table displaying the top 15 languages spoken by individuals with limited English proficiency (LEP) in each State, the District of Columbia, Puerto Rico and each U.S. Territory based on OCR’s research.  

• HHS OCR’s website has sample documents of a Notice of Nondiscrimination, Statement of Nondiscrimination and Taglines available for download in 64 languages and in two file formats.  

More information about Section 1557, including fact sheets and training materials, is available on the HHS website.  



              Copyright © 2002-2023 Lewis Creek Systems, LLC  Charlotte, Vermont, USA