In this section, you will find educational materials to help you learn more about the HIPAA Security Rule and other sources of standards for safeguarding electronic protected health information (e-PHI).
The HHS Office for Civil Rights (OCR) has produced a pre-recorded video presentation for HIPAA covered entities and business associates (regulated entities) on “recognized security practices,” as set forth in Public Law 116-321 (Section 13412 of the Health Information Technology for Economic and Clinical Health Act (HITECH). The statute requires OCR to take into consideration in certain Security Rule enforcement and audit activities whether a regulated entity has adequately demonstrated that recognized security practices were “in place” for the prior 12 months.
This presentation is intended to educate regulated entities on the categories of recognized security practices and how entities may demonstrate implementation. Topics include:
The video presentation may be found on OCR’s YouTube channel at: https://youtu.be/e2wG7jUiRjE
The HIPAA Security Information Series is a group of educational papers which are designed to give HIPAA covered entities insight into the Security Rule and assistance with implementation of the security standards.
HHS has developed guidance and tools to assist HIPAA covered entities in identifying and implementing the most cost effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of e-PHI and comply with the risk analysis requirements of the Security Rule.
HHS has also developed guidance to provide HIPAA covered entities with general information on the risks and possible mitigation strategies for remote use of and access to e-PHI.
HHS has gathered tips and information to help you protect and secure health information patients entrust to you when using mobile devices.
HHS has developed guidance to help covered entities and business associates better understand and respond to the threat of ransomware.
NIST is a federal agency that sets computer security standards for the federal government and publishes reports on topics related to IT security. The following special publications are provided as an informational resource and are not legally binding guidance for covered entities.
Security Risks to Electronic Health Information from Peer-to-Peer File Sharing Applications-The Federal Trade Commission (FTC) has developed a guide to Peer-to-Peer (P2P) security issues for businesses that collect and store sensitive information.
Safeguarding Electronic Protected Health Information on Digital Copiers-The Federal Trade Commission (FTC) has tips on how to safeguard sensitive data stored on the hard drives of digital copiers.
Medical Identity Theft: FAQs for Health Care Providers and Health Plans-The Federal Trade Commission (FTC) has tips on how to minimize the risk of medical identity theft and how to help patients if they’re victimized.
In 2019, OCR moved to quarterly cybersecurity newsletters. The purpose of the newsletters remains unchanged: to help HIPAA covered entities and business associates remain in compliance with the HIPAA Security Rule by identifying emerging or prevalent issues, and highlighting best practices to safeguard PHI. Visit our Cybersecurity Newsletter Archive page to view previous newsletters from 2016.
Sign up for the OCR Security Listserv to receive the OCR Cyber Awareness Newsletters in your email inbox.
Frequently Asked Questions for Professionals - Please see the HIPAA FAQs for additional guidance on health information privacy topics.