Skip to main content
U.S. flag

An official website of the United States government

Return to Search

HIPAA Guidance Materials Landing Page

This is the HIPAA guidance main page.


Issued by: Office for Civil Rights (OCR)

HIPAA Guidance Materials

Updated Joint Guidance on Application of HIPAA and FERPA to Student Health Records

This joint guidance - PDF with the Department of Education provides clear explanations and examples of when students’ health information can be shared under the HIPAA Privacy Rule and the Family Educational Rights and Privacy Act (FERPA) statute and implementing regulations.

  • People using assistive technology may not be able to fully access information in this file. For assistance, contact the HHS Office for Civil Rights at (800) 368-1019, TDD toll-free: (800) 537-7697, or by emailing

Small Providers, Small Health Plans, and other Small Businesses

View materials about the Privacy Rule for small providers, small health plans and other small businesses.

HIPAA and Health Plans - Care Coordination and Continuity of Care

View frequently asked questions that clarify how the HIPAA Privacy Rule permits health plans to share protected health information (PHI) in a manner that furthers the HHS Secretary’s goal of promoting coordinated care.

Access Right, Apps and APIs

View frequently asked questions about how the HIPAA Rules apply to covered entities and their business associates with respect to the right of access, apps and APIs.

Covered Entities

Understanding Some of HIPAA’s Permitted Uses and Disclosures - Topical fact sheets that provide examples of when PHI can be exchanged under HIPAA without first requiring a specific authorization from the patient, so long as other protections or conditions are met.

Guidance on Significant Aspects of the Privacy Rule - A collection of documents explaining many provisions of the Privacy Rule including business associates, special topics such as disclosures for public health and research, and incidental uses and disclosures.

Guidance on Individuals' Right to Access Health Information - This guidance explains the importance of providing individuals with the ability to access and obtain a copy of their health information.

Guidance on HIPAA and Workplace Wellness Programs - This guidance explains the ways in which health information collected from or created about participants in a wellness program offered as part of a group health plan is protected by HIPAA.

Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

Workshop on the HIPAA Privacy Rule's De-Identification Standard - Washington, DC - March 8th & 9th, 2010

Fast Facts for Covered Entities - Answers to many common questions and misconceptions about patient consent, incidental disclosures, child abuse reporting, electronic media, and other disclosures.

Provider Guide: Communicating With a Patient's Family, Friends, or Other Persons Identified by the Patient - PDF - This is a guide for health care providers to help them determine when they can disclose a patient's health information to the patient's family, friends, or other identified by the patient.

Guidance on Sharing Information Related to Mental Health - This guide addresses questions about when it is appropriate under the Privacy Rule for a health care provider to share information about a patient who is being treated for a mental health condition.

Frequently Asked Questions About Family Medical History Information - PDF - These frequently asked questions and answers address how the Privacy Rule permits the use and disclosure of family medical history information.

Frequently Asked Questions About the Disposal of Protected Health Information - PDF - These frequently asked questions and answers address how covered entities should dispose of protected health information pursuant to the Privacy and Security Rules.

Misleading Marketing Claims - This notice addresses marketing claims that suggest compliance programs may be endorsed by HHS. HHS and OCR do not endorse any private consultants' or education providers' seminars, materials or systems, and do not certify any persons or products as Privacy Rule compliant.

Designation of Regional Privacy Advisors - The HITECH Act requires the Secretary to designate an individual in each regional office of HHS to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to the HIPAA Privacy and Security Rules. 

Sign Up for the OCR Privacy Listserv - OCR has established a listserv to inform the public about Privacy and Security Rule FAQs, guidance, and technical assistance materials as they are released.

Related Links

See HIPAA related links.


Back to Top

Frequently Asked Questions for Professionals - Please see the HIPAA FAQs for additional guidance on health information privacy topics.

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.