
HIPAA Information

Health Insurance Portability and Accountability Act (HIPAA).

HIPAA Compliance Essentials — Recorded Webinar

The U.S. Department of Health and Human Services (HHS) issued a final rule implementing changes to the Health Insurance Portability and Accountability Act (HIPAA), including a requirement for physicians to update their patient Notice of Privacy Practices. View a copy of the rule.

On this page:

NEW ARTICLE! Have You Performed an Appropriate Security Risk Analysis? — Ron Sterling, Principal Consultant, Sterling Solutions, Ltd.

NEW ARTICLE! Does Running Windows XP Violate HIPAA Privacy Rules? Jeffery Daigrepont, Senior VP, Coker Group


HIPAA Compliance Essentials: What You Need to Know to Prepare for an Audit — Recorded Webinar

The federal government has stepped up enforcement of HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Find out whether your practice meets the HIPAA requirements for privacy, security and breach notification with this webinar. Expert instructors show you how to evaluate your risk of noncompliance and identify areas to improve. Order today to learn how to be proactive and better prepared for a HIPAA audit or investigation. Preparing for an audit costs far less than the fines and civil penalties for noncompliance.
Learn more & order the recording.

OCR Reports Outline New HIPAA Protocols and Requirements

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued two reports to Congress last week (June 2014). The reports describe breaches of protected health information and violations of the HIPAA Privacy and Security Rules, and they give Academy and AAOE members concrete examples of issues to watch for and underscore the importance of complying with the HIPAA rules.

According to the reports, the 115 HIPAA audits conducted so far continue to show deficiencies under the Privacy, Security and Breach Notification Rules, largely because covered entities are unaware of the requirements. OCR plans to fold the next round of audits into its permanent program during 2014 and is updating the audit protocol to reflect the new requirements. Covered entities and business associates can use the updated protocol, which will be posted on the OCR website, for their own internal compliance assessments.

What must be updated or developed by the Sept. 23, 2013, compliance date?

  • New provisions on the use of patient information for marketing purposes
  • A patient's right to restrict disclosure of records about a treatment to their insurance company when the patient has paid for that treatment out of pocket
  • Updated business associate agreements with electronic health record vendors and other business associates
  • Assurance that your networks are secure: Is antivirus software in place? Are passwords strong, and are they changed on a regular basis? Is data on laptops and mobile devices encrypted and otherwise protected?
  • A process for notifying patients in the event of a breach of their health information

OCR Announces HIPAA Guide for Law Enforcement

The Office for Civil Rights (OCR) of the Department of Health and Human Services added a planning resource to its website to assist law enforcement and emergency planners in information-sharing situations where the HIPAA Privacy Rule may be at issue. The HIPAA Guide for Law Enforcement describes the HIPAA Privacy Rule and identifies which entities are and are not required to comply. The guide also outlines several disclosure permissions that allow health information to be released to law enforcement in common situations, such as during an emergency response. OCR developed the guide with the HHS Assistant Secretary for Preparedness and Response and the Federal Bureau of Investigation. The guide is available on the OCR website.

OCR Issues Guidance on Refill Reminders and Other Medication Adherence Communications under the HITECH Act Omnibus Rule

On Sept. 19, 2013, the HHS Office for Civil Rights (OCR) issued guidance on how the changes to the HIPAA Privacy Rule's marketing provisions under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Omnibus Rule apply to refill reminders and other communications about drugs or biologics currently prescribed for an individual. The new fact sheet and corresponding Frequently Asked Questions (FAQs) explain how the refill reminder exception to the marketing rule works, and address both the scope of communications that fall within the exception and the types of third-party payments that are considered "reasonable" under the statute and regulations for making such communications. In addition, the Secretary has decided, as an exercise of her discretion, not to enforce the restrictions on remunerated refill reminders and other communications about drugs and biologics for 45 days following the Sept. 23, 2013, compliance date, that is, until Nov. 7, 2013.

OCR also released new fact sheets and FAQs on the Omnibus Rule changes to how the HIPAA Privacy Rule applies to decedent information and to disclosures of proof of student immunizations to schools.

You can access the new guidance materials at

Model Notices of Privacy Practices Released on Sept. 16, 2013

The HIPAA Privacy Rule gives individuals a right to be informed of the privacy practices of health plans and health care providers and of their privacy rights regarding their personal health information. Health plans and covered health care providers (covered entities) are required by HIPAA to develop and distribute a notice that provides a clear, user-friendly explanation of these rights and practices.

The model Notices of Privacy Practices, released on Sept. 16 by the ONC and the HHS Office for Civil Rights (OCR), can help providers and plans by

  • reflecting the regulatory changes of the Omnibus Rule
  • serving as the baseline for covered entities working to come into compliance with the new requirements.

Find more information about the HIPAA Privacy Rule and the Notice requirements on the OCR webpage.

Additionally, you can access the notices in the Health Information Privacy section of the OCR website.

Additional Resources

NEW! Business Associate Agreement Template [DOC 79K] — AAOE member login required.