Privacy & Security

Clinical Data Privacy and Security Laws

Every state has its own scheme of data protection and privacy laws by now, in addition to federal data privacy legislation… 

Data Privacy and Security Laws

HIPAA.  The federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is the granddaddy of data privacy & security laws.  The Office for Civil Rights within HHS enforces the HIPAA Privacy Rule, which protects individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

Charged with enforcing the HIPAA privacy and security rules, the HHS Office of Civil Rights has a summary of the Privacy Rule at: and a summary of the Security Rule at:

OCR has vast amounts of HIPAA informational, training and compliance materials on their website at: and at

ARRA/HITECH Act.  The American Recovery and Reinvestment Act of 2009 (ARRA) is a 1073-page piece of legislation, commonly referred to as the Stimulus or the Recovery Act.  It was an economic stimulus package enacted by Congress in February 2009 and was intended to spend $787 billion to create jobs and promote investment and consumer spending during the recession.

ARRA significantly expanded the privacy and security requirements imposed by HIPAA.  The new statutory provisions were included in two divisions of ARRA referred to collectively as the “Health Information Technology for Economic and Clinical Health Act” or the HITECH Act.

Training Materials on HIPAA.  Available at:

Guidance for Covered Entities.  Available at:

Guidance on Business Associates.  Available at:

Guidance on Minimum Necessary Rule.  Available at:

Guidance on use of PHI in Research.  Available at:

Guidance on HIPAA & Cloud Computing.Available at:

HIPAA Wall of Shame.  Under the HITECH Act, the Secretary of HHS must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are posted online at the HHS’ website for the world to see. This list is known in HIPAA circles as the “Wall of Shame.” Available at: