The ACP has put together the following resources to help members understand and comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification rules, including the Omnibus, Breach Notification, and the Enforcement Rules. Manuals can be used for practice assessments, as a framework for staff training, customizable forms and checklists, as well as for background information and reference. This guidance remains in effect only to the extent that it is consistent with the court鈥檚 in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020). Should you have any questions regarding the applicability of the court鈥檚 order to your practice, please consult an attorney to obtain advice. The below guidance is also subject to change in anticipation of proposed modifications to the HIPAA Privacy Rule being finalized. See additional information on the .
HIPAA and Administrative Simplification Overview
- HIPAA Summary
-
- In the published January 2013, HHS implemented a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA.
-
Privacy Rule
The HIPAA Privacy Rule requires safeguards to protect the privacy of personal health information. These resources help physician practices comply with the rules.
- The Office of Civil Rights has issued revised guidance on how HIPAA permits covered entities (and their business associates) to use HIEs to disclose PHI for public health purposes. These address HIPAA Privacy Rule issues related to use of HIEs.
- Privacy manual (September 2013) (members only)
- - This model NPP, developed collaboratively by the Office of the National Coordinator of HIT (ONC) and the Office of Civil Rights (OCR), is customizable in three different formats.
- Business Associate Agreements
-
- - This series of short videos explains patients' rights to access their health record, and to have that information sent to others (including family members or a mobile device application).
Security Rule
Security Rules require practices to protect all patient information that is stored, received, or transmitted electronically.
- Security Manual (September 2013) (members only)
- Security Risk Assessment
- - These security training videos were developed by HHS Office of Civil Rights with small practices in mind.
- - This tool is meant to assist practices perform a risk assessment.
- . These two security training modules use an interactive game format to understand privacy and security challenges often faced in a typical small medical practice. The games address Cybersecurity and Contingency Planning.
Breach Notification
The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information.
- - The Office of Civil Rights is responsible for enforcing this rule.
- Breach Notification Guide (members only) - This guide provides everything you need to do in the event of a breach of unsecured protected health information (PHI) within your practice.
- - This online portal allows users to submit a notice of breach of unsecured protected health information to the Secretary of HHS.
Identifiers
Links to other HIPAA and Administrative Simplification Resources
The following resources offered by other reputable organizations offer some additional information and alternatives to those included above.
-
-
- - Resources related to Administrative Simplification, including the published rules themselves.
- - Resources related to enforcement of Privacy, Security, and Breach Notification as well as complaint processes.
Government Links
These information pages from the Office of Civil Rights (OCR) and the Centers for Medicare and Medicaid Services (CMS) offer well organized web pages, including easily searchable FAQs, regarding all parts of HIPAA.
- Privacy Rule
-
- - Office of Civil Rights, in charge of enforcement of privacy. You can read all the Rules and proposed rules, as well as some FAQ's from the source.