The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.
Visit the Health Information Technology web site for guidance, tools, and educational materials designed to help you better integrate HIPAA privacy and security into your practice. You may also find this Guide to the Privacy and Security of Health Information helpful.
Government Updates
The U.S. Department of Health and Human Services (HHS) issued a final rule implementing changes to the Health Insurance Portability and Accountability Act (HIPAA), including a requirement for physicians to update their patient Notice of Privacy Practices. View a copy of the rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules
HIPAA Protocols and Requirements
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued two reports to Congress in June 2014 about breaches of protected health information and violations of the HIPAA privacy and security rules. These reports also give Academy and AAOE members examples of issues to be aware of and of the importance of complying with HIPAA rules.
OCR Announces HIPAA Guide for Law Enforcement
The HIPAA Guide for Law Enforcement describes the HIPAA Privacy Rule and identifies entities that are and are not required to comply. The guide also outlines several disclosure permissions that allow the disclosure of health information to law enforcement in common law enforcement situations, such as during an emergency response. OCR worked with the HHS Assistant Secretary for Preparedness and Response and the Federal Bureau of Investigation to develop the guide.
OCR Issues Guidance on Refill Reminders and Other Medication Adherence Communications under the HITECH Act Omnibus Rule
The HHS Office for Civil Rights (OCR) issued guidance on how the changes to the HIPAA Privacy Rule’s marketing provisions under the Health Information Technology for Economic and Clinical Health (HITECH) Act and Omnibus Rule apply to refill reminders and other communications about drugs or biologics currently being prescribed for patients, as well as decedent information and disclosures of proof of student immunizations to schools.
Model Notices of Privacy Practices
The HIPAA Privacy Rule gives individuals a right to be informed of the privacy practices of health plans and health care providers and of their privacy rights regarding their personal health information. Health plans and covered health care providers (covered entities) are required by HIPAA to develop and distribute a notice that provides a clear, user-friendly explanation of these rights and practices.
The model Notices of Privacy Practices, released by the ONC and the HHS Office for Civil Rights (OCR), can help providers and plans by
- reflecting the regulatory changes of the Omnibus Rule
- serving as the baseline for covered entities working to come into compliance with the new requirements.
Find more information about the HIPAA Privacy Rule and the Notice requirements on the OCR webpage.
Additional Resources