Skip to Main Content

Privacy and Security Standards

For information related to the HIPAA Privacy and Security Rules, please check the Office for Civil Rights (OCR) website in the "Related Links Outside CMS" section below.  There you will be able to find information about the protection of patient records (whether paper or electronic), guidance for Business Associate agreements, specific requirements for the administrative, physical or technical safeguards of protected health information, and how to file privacy and security complaints. You will also be able to download the Privacy and Security Rules from this site.

HHS Secretary Delegates HIPAA Security to OCR

On July 27, 2009, the Secretary of Health and Human Services (HHS) delegated to the Director of OCR the authority to administer and enforce the HIPAA Security Rule.  This action by Secretary Sebelius was expected to improve HHS' ability to protect individuals' health information by combining the authority for administration and enforcement of the Federal standards for health information privacy and security called for in the HIPAA legislation. The transition of authority for the administration and enforcement of the Security Rule from the Centers for Medicare & Medicaid Services  (CMS) was seamless with no interruption in the management or processing of any complaints filed prior to the transition. New security complaints should be sent directly to the Office for Civil Rights. For more information and detailed instructions on how to submit a privacy or security compliant to OCR, visit the OCR website link located in the "Related Links Outside CMS" section below. The transition of security complaints from CMS to OCR has no impact on how complaints about Transactions and Code Sets or Unique Identifiers are filed or processed, and such complaints should be submitted through the Administrative Simplification Enforcement Tool (ASET), which can be accessed in the "Related Links Outside CMS" section below.  CMS retains its enforcement authority for these other HIPAA rules.

  • To view the Federal Register Register notice of the Delegation Authority and the Secretary's press release, please see the "Related Links Outside CMS" section below. 
  • For Security Education and Guidance Materials, please see the "Related Links Outside CMS" section below.
  • For HIPAA Compliance Review Information and Examples, please see the “Related Links Outside CMS” section below.

New OCR Guidance on the HIPAA Privacy Rule and the Electronic Exchange of Health Information

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published new HIPAA Privacy Rule guidance as part of the Department's Privacy and Security Toolkit to implement The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (Privacy and Security Framework). The Privacy and Security Framework and Toolkit is designed to establish privacy and security principles for health care stakeholders engaged in the electronic exchange of health information and includes tangible tools to facilitate implementation of these principles. The new HIPAA Privacy Rule guidance in the Toolkit discusses how the Privacy Rule supports and can facilitate electronic health information exchange in a networked environment. In addition, the guidance includes documents that address electronic access by an individual to his or her protected health information and how the Privacy Rule may apply to and supports the use of Personal Health Records.

To view these HIPAA guidance documents please visit the OCR Privacy Rule website, see the link in the "Related Links Outside CMS" section below.  For more information on the Privacy and Security Framework and to view other documents in the Privacy and Security Toolkit, see the "Related Links Outside CMS" section below.

Updated Unofficial Version of HIPAA Administrative Simplification Regulation Text

The Office for Civil Rights (OCR) posted the updated Unofficial Version of the HIPAA Administrative Simplification Regulation Text, as amended, on February 16, 2006.  This document includes the final "HIPAA Administrative Simplification Enforcement Rule" that was published at 71 Federal Register 8389 (February 16, 2006).  This document includes the HIPAA Administrative Simplification rules at 45 CFR Part 162 administered by the Centers for Medicare & Medicaid Services.  Thus, this version now includes all of the final HIPAA Administrative Simplification regulations. To view this document, see the link in the "Related Links Outside CMS" section below.