HIPAA

The following resources can help physicians understand and comply with various Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements. Manuals can be used for practice assessments, as a framework for staff training, customizable forms and checklists, as well as for background information and reference.

HIPAA and Administrative Simplification Overview

• HIPAA Summary
• HIPAA for Professionals
• CMS HIPAA and Administrative Simplification
  • Administrative Simplification Resources Toolkit (ZIP)
• Are You a Covered Entity?
  • Covered Entity Decision Tool
• HIPAA Basics for Health Care Practitioners: HIPAA Privacy, Security, and Breach Notification Rules
• HIPAA and Interoperability
  • Permitted Uses and Disclosures: Exchange for Health Care Operations
  • Permitted Uses and Disclosures: Exchange for Treatment

Privacy Rule

The HIPAA Privacy Rule requires safeguards to protect the privacy of personal health information (PHI). These resources help physician practices comply with the rules.

• The HHS Office for Civil Rights (OCR) has issued revised guidance on how HIPAA permits covered entities (and their business associates) to use health information exchanges (HIEs) to disclose PHI for public health purposes. These FAQs address HIPAA Privacy Rule issues related to use of HIEs.
• Reproductive Health Care Privacy–What You Need to Know
• Reproductive Health Care Definition–UPDATED
• Privacy Manual (September 2013) (members only)
• Fast Facts for Covered Entities
• Guidance on Significant Aspects of the Privacy Rule
• Guide to Privacy and Security of Electronic Health Information
• Privacy Rule Guidance
  • Summary of the Privacy Rule
• ASTP Health IT Playbook: Section 7 - Privacy & Security
• Guidance for Small Practices, Small Health Plans, and other Small Businesses
• Communicating with a Patient’s Family, Friends, or Others Involved in the Patient’s Care
• Sample Business Associate Agreement Provisions
• Individual Right to Access Health Information
• Patient Access to Records - This series of short videos explains patients' rights to access their health record, and to have that information sent to others (including family members or a mobile device application).

Security Rule

Security Rules require practices to protect all patient information that is stored, received, or transmitted electronically.

• Security Manual (September 2013) (members only)
• Security Rule Guidance
  • Summary of the Security Rule
  • Cyber Security Guidance
• ASTP Health IT Playbook: Section 7 - Privacy & Security
• Security Risk Assessment
  • Videos - These security training videos were developed by OCR with small practices in mind.
  • Tool - This tool is meant to assist practices perform a risk assessment.
• Top 10 Myths of Security Risk Analysis
• Ransomware and HIPAA Fact Sheet
• Ransomware and the HIPAA Security Rule Video - This video from OCR describes patterns the office sees in its investigations of ransomware attacks against HIPAA regulated entities and explains how complying with the Security Rule can help regulated entities prevent, detect, respond to, and recover from ransomware attacks.

Breach Notification

The Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured PHI.

• Breach Notification Regulations - OCR is responsible for enforcing this rule.
• Breach Notification Guide (members only) - This guide provides everything you need to do in the event of a breach of unsecured PHI within your practice.
• Breach and Notification Rules
• Breach Notification Rule Guidance
  • Breach Reporting
    • Breach Report Portal - This online portal allows users to submit a notice of breach of unsecured PHI to the Secretary of HHS.

Identifiers

• Unique Identifiers
  • Medicare Beneficiary Identifier
    • Three Ways for Health Care Professionals to Get Patients’ MBIs
• Employer Identifier
• National Provider Identifier

Links to Other HIPAA and Administrative Simplification Resources

The following resources offered by other reputable organizations offer some additional information and alternatives to those included above.

• Health Care Payment and Remittance Advice and Electronic Funds Transfer (EFT)
  • Operating Rules EFT and Remittance Advice
  • EFT and Electronic Remittance Advice (ERA) Transactions Basics
• EFT and ERA: Payment Remittance Reassociation Basics
  • EFT General Information
• Adopted Standards and Operating Rules
• AMA HIPAA Privacy & Security Resources
  • HIPAA: Top Tips for Physicians
• Office for Civil Rights - Resources related to enforcement of Privacy, Security, and Breach Notification Rules as well as complaint processes.

Advocacy

ACP has submitted comment letters and developed policies to support internal medicine physicians in complying with HIPAA regulations and protecting patient data, including:

• ACP Comments on HIPAA Security Proposed Rule To Strengthen the Cybersecurity of Electronic Protected Health Information
• ACP Cybersecurity Policy Statement
• ACP Support Letter for the Healthcare Cybersecurity Act
• Joint Letter to the Office of Civil Rights Regarding Breach Reporting Responsibilities
• Health Information Privacy, Protection, and Use in the Expanding Digital Health Ecosystem