Tools and Resources

OCR and ONC have released a new Fact Sheet that explains how the HIPAA Rules permit disclosures of Protected Health Information (PHI) to support public health activities conducted by public health agencies, as authorized by state or federal law. It also gives a few helpful examples of sharing PHI in support of other important public health policies. HIPAA and Public Health Fact Sheet


OCR issued additional FAQs regarding HIPAA and the patient right of access to health information. According to OCR, this additional set of FAQs addresses a number of access rights issues, including the fees individuals may be charged for copies of their health information and the right of individuals to have their health information sent directly to a third party if they so choose.
The FAQs are available at: Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524

OCR released a document, “Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework”. According to OCR, the sensitive health information maintained by health care providers and health plans has become an increasingly attractive target for cyberattacks. To help health care organizations covered by HIPAA bolster their security posture, OCR has released a crosswalk, developed with the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC), that identifies “mappings” between the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) and the HIPAA Security Rule. The crosswalk also includes mappings to other commonly used security frameworks.
The crosswalk is available at: “Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework”

How is your HIPAA auditing and compliance government entity doing? - Phyllis A. Patrick
Written for the Briefings on HIPAA monthly newsletter, this article offers a review of auditing and compliance.

Developing and Implementing Effective Policies, Part 1 - Phyllis A. Patrick
Developing and Implementing Effective Policies, Part 2 - Phyllis A. Patrick
This two-part article, written for the Briefings on HIPAA monthly newsletter, offers guidance and terminology for creating effective policies.

NEHIA Fall Conference – Dec 2015
Phyllis A. Patrick and associate Patricia Koziol gave the following presentation at the New England Healthcare Internal Auditors, Inc. fall conference.
The Auditor’s Guide to Information Security in the Galaxy

Quiz the Regulator – Linda Sanches, MPH, Senior Advisor for HIT and Privacy Policy, Office for Civil Rights.
Academic Medical Center Conference, “Securely Connecting Communities for Improved Health”, June 23, 2015.

November 2014 OCR Bulletin: HIPAA Privacy in Emergency Situations
A bulletin to ensure that HIPAA covered entities and their business associates are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation.

Security and Privacy Program Governance Guidelines
Guidelines for Structuring your Security and Privacy Program


HIPAA Omnibus (Final) Rule*

Policy Roadmap: Meeting HIPAA Final Rule Requirements
Includes key provisions for HIPAA Privacy, Security, and Breach Notification Rules

HIM Checklist
A guide for Health Information Management (HIM) professionals to use to assure compliance

Patient Accounts/Admitting Checklist
A Guide for Managers in Patient Accounting and Admitting departments

Compliance Checklist for Business Associates
A high-level list of activities Business Associates should consider to meet requirements of the Security Rule and relevant requirements of the Privacy and Breach Rules

Managing Business Associate Relationships
A list of key activities for consideration by Covered Entities in managing their relationships with Business Associates to protect patients’ health information

Compliance Checklist for Meeting the Final Rule
12 Steps to Achieve Compliance with the Final Rule


Other Checklists and Tools

HIPAA Privacy Rule: A Guide for Law Enforcement
HIPAA and Law Enforcement

Checklist for Managing and Securing Research Data
A one-page checklist for managers of clinical research data


OCR Checklists and Tools

OCR Audit Protocol—Security

OCR Audit Protocol—Privacy and Breach

OCR Disclosures for Emergency Preparedness



* The HIPAA checklists are based on the Final Omnibus Rule – 78 FR 5564-5702, 45 CFR 160, 164; HIPAA Privacy and Security: 45 CFR 164 Subpart E; Breach Reporting Rule 45 CFR Part 164 Subpart D; and the HITECH Act, Subtitle D, Improved Privacy Provisions and Security Provisions.