This guidance remains in effect only to the extent that it is consistent with the court’s order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.
Helping Entities Implement Privacy and Security Protections
The HIPAA Rules are flexible and scalable to accommodate the enormous range in types and sizes of entities that must comply with them. This means that there is no single standardized program that could appropriately train employees of all entities.
HealthIT.gov’s Guide to Privacy and Security of Electronic Health Information provides a beginners overview of what the HIPAA Rules require, and the page has links to security training games, risk assessment tools, and other aids.
State Attorneys General Training materials provide a more comprehensive overview of HIPAA compliance:
CMS’s HIPAA Basics for Providers: HIPAA Privacy, Security, and Breach Notification Rules provides an overview of the HIPAA Privacy, Security, and Breach Notification Rules, and the vital role that health care professionals play in protecting the privacy and security of patient information.
Want to learn more about the HIPAA Privacy & Security Rules? Sign Up for the OCR Privacy & Security Listserv
OCR has established two listservs to inform the public about health information privacy and security FAQs, guidance, and technical assistance materials. We encourage you to sign up and stay informed!