Data Storyteller

HHS Office of Civil Rights (OCR), the entity responsible for enforcing regulations under HIPAA, stated, effective immediately, it will exercise enforcement discretion and will not impose penalties for HIPAA violations against covered healthcare providers if patients are served on a good faith basis during the COVID-19 nationwide public health emergency. Find out what this means in implementation by accessing this issue brief.

The HIPAA Security Rule establishes the requirements for protection of electronic patient health information. The safeguards identified are made up of three domains that include administrative, physical, and technical safeguards that need to be addressed. The technical safeguards as defined within 45 CFR §164.312 of the HIPAA Security Rule can be some of the most difficult to comprehend and implement for smaller Health Centers with lower levels of IT and security staffing. Resources and tools that help Health Centers better process and implement these security requirements are much needed and require well-documented methods for planning and maintaining critical security controls.

To successfully attest, providers must conduct a security risk assessment (SRA), implement updates as needed, and correctly identify security deficiencies. By conducting an SRA regularly, providers can identify and document potential threats and vulnerabilities related to data security, and develop a plan of action to mitigate them.

Frequently Asked Questions (FAQs) and Fact Sheets regarding the Substance Abuse Confidentiality Regulations. 

Two fact sheets include: 

• Disclosure of Substance Use Disorder Patient Records: Does Part 2 Apply to Me?
  • This fact sheet explains a 42 CFR Part 2 Program and how healthcare providers can determine how Part 2 applies to them.
• Disclosure of Substance Use Disorder Patient Records: How Do I Exchange Part 2 Data?
  • This fact sheet describes how 42 CFR Part 2 applies to the electronic exchange of healthcare records with a Part 2 Program.

FAQs about Applying the Substance Abuse Confidentiality Regulations, answers provided by Substance Abuse and Mental Health Services Administration (SAMHSA)

From the OCR: The Privacy Rule protects individually identifiable health information from unauthorized or impermissible uses and disclosures. The Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur. These pages address the release of protected health information for planning or response activities in emergency situations.  In addition, please view the Civil Rights Emergency Preparedness page to learn how nondiscrimination laws apply during an emergency.