HIPAA Guidance Materials

Small Providers, Small Health Plans, and other Small Businesses

View materials about the Privacy Rule for small providers, small health plans and other small businesses.

Covered Entities and Business Associates

Updated Model Notices of Privacy Practices

Joint OCR and FTC Publish Letters Sent to Hospital Systems and Telehealth Providers Warning about Privacy and Security Risks from Online Tracking Technologies*

Bulletin on Online Tracking Technologies – This bulletin highlights the obligations of covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies.

Guidance on HIPAA and Audio-Only Telehealth -This guidance explains how covered health care providers and health plans can use remote communication technologies to provide audio-only telehealth services when such communications are conducted in a manner that is consistent with the applicable requirements of the HIPAA Privacy, Security, and Breach Notification Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth is no longer in effect.

Care Coordination and Continuity of Care – Frequently asked questions that clarify how the HIPAA Privacy Rule permits health plans to share protected health information (PHI) in a manner that furthers the HHS Secretary's goal of promoting coordinated care.

Understanding Some of HIPAA's Permitted Uses and Disclosures - Topical fact sheets that provide examples of when PHI can be exchanged under HIPAA without first requiring a specific authorization from the patient, so long as other protections or conditions are met.

Guidance on Significant Aspects of the Privacy Rule - A collection of documents explaining many provisions of the Privacy Rule including business associates, special topics such as disclosures for public health and research, and incidental uses and disclosures.

Guidance on HIPAA and Workplace Wellness Programs - This guidance explains the ways in which health information collected from or created about participants in a wellness program offered as part of a group health plan is protected by HIPAA.

Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule - This page provides guidance about methods and approaches to achieve de-identification in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The guidance explains and answers questions regarding the two methods that can be used to satisfy the Privacy Rule’s de-identification standard: Expert Determination and Safe Harbor. This guidance is intended to assist covered entities to understand what is de-identification, the general process by which de-identified information is created, and the options available for performing de-identification.

Workshop on the HIPAA Privacy Rule's De-Identification Standard - Washington, DC - March 8th & 9th, 2010

Fast Facts for Covered Entities - Answers to many common questions and misconceptions about patient consent, incidental disclosures, child abuse reporting, electronic media, and other disclosures.

Provider Guide: Communicating With a Patient's Family, Friends, or Other Persons Identified by the Patient - This is a guide for health care providers to help them determine when they can disclose a patient's health information to the patient's family, friends, or other identified by the patient.

Understanding Spouse, Family Member, Marriage, and Personal Representatives in the Privacy Rule - The HIPAA Privacy Rule recognizes the integral role that a spouse often plays in a patient's health and health care. Consistent with the Supreme Court decision in Obergefell v. Hodges, OCR has issued guidance that makes clear that the terms marriage, spouse, and family member include, respectively, all lawful marriages (whether same-sex or opposite-sex), lawfully married spouses and the dependents of all lawful marriages, and clarifies certain rights of individuals under the Privacy Rule.

HIPAA Privacy Rule and Disclosures of Protected Health Information for Extreme Risk Protection Orders – This guidance helps clarify how the HIPAA Privacy Rule permits covered health care providers to disclose protected health information to support applications for extreme risk protection orders that temporarily prevent a person in crisis, who poses a danger to themselves or others, from accessing firearms. This guidance helps implement the U.S. Department of Justice’s model extreme risk protection order legislation that provides a framework for states to consider in creating laws allowing law enforcement, concerned family members, or others to seek these orders and to intervene in an effort to save lives. These orders can be an important step toward improving the public’s safety by helping to prevent firearm injuries and deaths.

Frequently Asked Questions About Family Medical History Information - These frequently asked questions and answers address how the Privacy Rule permits the use and disclosure of family medical history information.

Frequently Asked Questions About the Disposal of Protected Health Information - These frequently asked questions and answers address how covered entities should dispose of protected health information pursuant to the Privacy and Security Rules.

HIPAA and the FTC Act - Does your organization collect and share consumer health information? When it comes to privacy, you've probably thought about the Health Insurance Portability and Accountability Act (HIPAA). But did you know that you also need to comply with the Federal Trade Commission (FTC) Act? This means if you share health information, it's not enough to simply consider the HIPAA Privacy Rule. You also must make sure your disclosure statements are not deceptive under the FTC Act.

Misleading Marketing Claims - This notice addresses marketing claims that suggest compliance programs may be endorsed by HHS. HHS and OCR do not endorse any private consultants' or education providers' seminars, materials or systems, and do not certify any persons or products as Privacy Rule compliant.

Designation of Regional Privacy Advisors - The HITECH Act requires the Secretary to designate an individual in each regional office of HHS to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to the HIPAA Privacy and Security Rules.

Sign Up for the OCR Privacy Listserv - OCR has established a listserv to inform the public about Privacy and Security Rule FAQs, guidance, and technical assistance materials as they are released.

HIPAA Guidance Materials

Small Providers, Small Health Plans, and other Small Businesses

Covered Entities and Business Associates

Related Links

HHS Email updates