HIPAA is huge and confusing. The regulations are so massive that few people can point to a document and say “this is HIPAA.”
But if you’re an IT service provider, we have narrowed down the parts of HIPAA that matter to you. You can see them in this document:
Download HIPAA Regulations for IT Compliance
The text in this PDF comes straight from the Code of Federal Regulations, the only official source of the HIPAA guidelines.
The PDF includes the regulations found in the Security Rule and the Privacy Rule, minus the section known as the Enforcement Rule and the preemption of state law (we explain why below). Out of hundreds of pages of requirements, these are the ones you must follow to maintain HIPAA compliance for IT.
How did we pick these regulations from the thousands of others? Where did they come from? Read on.
“HIPAA” refers to two things.
First, HIPAA refers to an act passed by Congress in 1996 called the Health Insurance Portability and Accountability Act (full text).
The act had five major sections. One of them, known as Title II or the Administrative Simplification provisions, required the Department of Health and Human Services to create a set of regulations to protect healthcare data.
Second, HIPAA also refers to the regulations themselves. Today, this is how the term is more commonly used. Even though the regulations have been updated by later acts, such as the HITECH Act of 2009, everyone still calls them HIPAA.
To be clear: the term “HIPAA” typically refers to a set of federal regulations intended to protect health data.
The HIPAA regulations are listed in the Code of Federal Regulations (CFR) under Title 45 – Parts 160, 162, and 164.
You can get the full set of regulations from a secondary source, but why bother?
You can view them from several primary sources:
The HIPAA regulations are a whopping 115 pages long. Thankfully, IT providers only have to follow a portion of the rules (which we explain below).
The HIPAA regulations are often grouped into different “rules” or “standards” and some of these groups overlap.
The Security Rule and the Privacy Rule are the only regulations that apply directly to IT. However, we can trim them down even further.
For example, these sections include what’s known as the Enforcement Rule. It sets out the procedures for compliance investigations, civil penalties, and hearings. It is not vital to HIPAA compliance for IT, so we took it out. We also took out the section on the preemption of state law.
When we combine the Security Rule and the Privacy Rule and take out the extra information, we are left with these sections:
So that’s it! These sections contain the rules for HIPAA IT compliance. We put them in a PDF for you.
The text comes straight from the CFR.
If you want a fuller understanding of HIPAA, you should review the complete set of regulations.
Two sections you should pay close attention to are the Breach Notification Rule and the Enforcement Rule. These sections will apply if you or a client is ever investigated, penalized, or forced to disclose a healthcare data breach.
To be clear: these sections do not contain regulations for HIPAA IT compliance. But they are important if you get into trouble. You can find them in the CFR:
If you’d like to see the rules straight from the source, you can look them up in the electronic CFR in the sections listed above.
HIPAA Regulations for IT Compliance: The guidelines straight from the federal register