The following resources can help physicians understand and comply with the various requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The manuals can be used for practice assessments, as a framework for staff training, as a source of customizable forms and checklists, and for background information and reference.
What’s New
HIPAA and Administrative Simplification Overview
Privacy Rule
The HIPAA Privacy Rule requires safeguards to protect the privacy of protected health information (PHI) in any form, whether paper, oral, or electronic. These resources help physician practices comply with the rule.
- The HHS Office for Civil Rights (OCR) has issued revised guidance on how HIPAA permits covered entities (and their business associates) to use health information exchanges (HIEs) to disclose PHI for public health purposes. The guidance addresses the Privacy Rule issues raised by the use of HIEs.
- Reproductive Health Care Privacy–What You Need to Know
- Reproductive Health Care Definition–UPDATED
- Privacy Manual (September 2013) (members only)
- This series of short videos explains patients' rights to access their health records and to have that information sent to others (including family members or a mobile device application).
Security Rule
The Security Rule requires practices to protect electronic PHI (ePHI), that is, all patient information that is created, received, maintained, or transmitted in electronic form, through administrative, physical, and technical safeguards.
- Security Manual (September 2013) (members only)
- Security Risk Assessment
- These security training videos were developed by OCR with small practices in mind.
- This tool is meant to help practices perform a security risk assessment.
- This video from OCR describes the patterns the office sees in its investigations of ransomware attacks against HIPAA-regulated entities and explains how complying with the Security Rule can help regulated entities prevent, detect, respond to, and recover from ransomware attacks.
Breach Notification
The Breach Notification Rule requires HIPAA-covered entities to notify affected individuals, the Secretary of HHS and, for larger breaches, the media following a breach of unsecured PHI. The timing of the notice to HHS depends on the number of individuals affected.
- OCR is responsible for enforcing this rule.
- Breach Notification Guide (members only) - This guide walks through the steps a practice must take in the event of a breach of unsecured PHI.
- This online portal allows covered entities to submit a notice of breach of unsecured PHI to the Secretary of HHS.
Identifiers
Links to Other HIPAA and Administrative Simplification Resources
The following resources from other reputable organizations provide additional information and alternatives to those listed above.
- Resources related to enforcement of the Privacy, Security, and Breach Notification Rules, as well as the complaint process.
Advocacy
ACP has submitted comment letters and developed policies to support internal medicine physicians in complying with HIPAA regulations and protecting patient data, including:
- ACP Comments on HIPAA Security Proposed Rule To Strengthen the Cybersecurity of Electronic Protected Health Information
- ACP Cybersecurity Policy Statement
- ACP Support Letter for the Healthcare Cybersecurity Act
- Joint Letter to the Office of Civil Rights Regarding Breach Reporting Responsibilities
- Health Information Privacy, Protection, and Use in the Expanding Digital Health Ecosystem