Skip to main content
U.S. flag

An official website of the United States government

HHS Guidance Submissions

Search HHS Guidance Documents


Filter Guidance Documents by ...

Title OpDiv/StaffDiv Sort descending Guidance Status Issue Date
FAQ 189 What does the HIPAA Privacy Rule require the average provider to do?  Office for Civil Rights (OCR) Final
FAQ 467 Must a covered entity provide an accounting for disclosures if the only information disclosed to a public health authority is in the form of a limited data set?   Office for Civil Rights (OCR) Final
FAQ 484 Does the HIPAA Privacy Rule permit a hospital to inform callers or visitors of a patient’s location and general condition in the emergency room, even if the patient’s information would not normally be included in the main hospital directory of adm  Office for Civil Rights (OCR) Final
FAQ 468 May a covered entity hire a business associate to create a limited data set, and may the public health authority be a business associate for that purpose, even if the public health authority is also the intended recipient of the limited data set?   Office for Civil Rights (OCR) Final
FAQ 487 May a hospital or other covered entity notify a patient's family member or other person that the patient is at their facility?  Office for Civil Rights (OCR) Final
FAQ 294 Must a health care provider or other covered entity obtain permission from a patient prior to notifying public health authorities of the occurrence of a reportable disease?   Office for Civil Rights (OCR) Final
FAQ 3009 Does a HIPAA covered entity that fulfills an individual’s request to transmit electronic protected health information (ePHI) to an application or other software (collectively “app”) bear liability under the HIPAA Privacy, Security, or Breach Noti  Office for Civil Rights (OCR) Final
FAQ 309 Is documentation of Institutional Review Boards (IRB) and Privacy Board approval required by the HIPAA Privacy Rule before a covered entity would be permitted to disclose protected health information for research purposes without an individual's a  Office for Civil Rights (OCR) Final
FAQ 2077 Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?  Office for Civil Rights (OCR) Final
FAQ 2090 When does mental illness or another mental condition constitute incapacity under the Privacy Rule?  Office for Civil Rights (OCR) Final
This Guidance Portal contains 48118 documents.

Petition Submissions

To submit a petition to HHS, please send your petition to



* This PDF is not Section 508 compliant. Assistive Technology users should contact if they experience any difficulties.