But if you’re an IT service provider, we have narrowed down the parts of HIPAA that matter to you. You can see them in this document:
The text in this PDF comes straight from the Code of Federal Regulations, the only official source of the HIPAA guidelines.
The PDF includes the regulations found in the Security Rule and the Privacy Rule, minus the sections covering the Enforcement Rule and the preemption of state law (we explain why below). Out of hundreds of pages of requirements, these are the ones you must follow to maintain HIPAA compliance for IT.
How did we pick these regulations from the thousands of others? Where did they come from? Read on.
What is HIPAA, really?
“HIPAA” refers to two things.
First, HIPAA refers to an act passed by Congress in 1996 called the Health Insurance Portability and Accountability Act (full text).
The act had five major sections. One of them, known as Title II or the Administrative Simplification provisions, required the Department of Health and Human Services to create a set of regulations to protect healthcare data.
Second, HIPAA also refers to the regulations themselves. Today, this is how the term is more commonly used. Even though the regulations have been updated by later acts, such as the HITECH Act of 2009, everyone still calls them HIPAA.
To be clear: the term “HIPAA” typically refers to a set of federal regulations intended to protect health data.
What are the HIPAA regulations?
The HIPAA regulations are listed in the Code of Federal Regulations (CFR) under Title 45 – Parts 160, 162, and 164.
You can get the full set of regulations from a secondary source, but why bother?
You can view them from several primary sources:
- Government Publishing Office – a PDF from the only official legal source. It is from 2014.
- Department of Health and Human Services – a PDF that is conveniently organized with a table of contents. It is from 2013.
- Electronic Code of Federal Regulations – the best source for the most up-to-date information, but you have to look up the sections yourself.
The HIPAA regulations are a whopping 115 pages long. Thankfully, IT providers only have to follow a portion of the rules (which we explain below).
What are the HIPAA regulations for IT?
The HIPAA regulations are often grouped into different “rules” or “standards,” and some of these groups overlap.
- Privacy Rule – Sets standards for the protection of medical records and other health information.
- Security Rule – Sets standards to protect electronic personal health information that is created, received, used, or maintained.
- Enforcement Rule – Includes provisions related to investigations, sets the procedures for hearings, and addresses civil penalties for HIPAA violations.
- Breach Notification Rule – Requires covered entities and their business associates to provide notifications following a breach of healthcare data.
- Transactions and Code Set Standards – Sets standards for certain healthcare transactions and requires the use of standard codes for diagnoses and procedures.
- Identifier Standards – Requires employers and healthcare providers to have unique identification numbers on standard transactions.
The Security Rule and the Privacy Rule are the only regulations that apply directly to IT. However, we can trim them down even further.
For example, the parts of the CFR that hold these rules also include what’s known as the Enforcement Rule. It sets guidelines for compliance investigations, civil penalties, and hearings. This is not vital to HIPAA compliance for IT, so we took it out. We also took out the section on the preemption of state law.
When we combine the Security Rule and the Privacy Rule and take out the extra information, we are left with these sections:
- CFR Title 45 – Part 160 – Subpart A
- CFR Title 45 – Part 164 – Subparts A, C, and E
So that’s it! These sections contain the rules for HIPAA IT compliance. We put them in a PDF for you.
The text comes straight from the CFR.
Further reading on HIPAA for IT
If you want a more well-rounded understanding of HIPAA, you should review the full set of regulations.
Two sections you should pay close attention to are the Breach Notification Rule and the Enforcement Rule. These sections will apply if you or a client is ever investigated, penalized, or forced to disclose a healthcare data breach.
To be clear: these sections do not contain regulations for HIPAA IT compliance, but they are important if you get into trouble. You can find them in the CFR:
- Enforcement Rule: CFR Title 45 – Part 160 – Subparts C, D, and E
- Breach Notification Rule: CFR Title 45 – Part 164 – Subpart D
If you’d like to see the rules straight from the source, you can look them up in the electronic CFR in the sections listed above.