This document provides a summary of the requirements of the HIPAA security and privacy
regulations, with advice to the reader on how to address those requirements. The document's
structure has been designed to make it easy to relate the material in this document to the text of
the HIPAA security and privacy regulations.
Organization of the Guidelines
The document starts with specific information about addressing the detailed requirements of the
HIPAA security and privacy regulations where those regulations are clear and specific. It then
moves on to cover areas in which some interpretation of the regulations' requirements is
necessary. It concludes with a treatment of broader organizational implications of HIPAA
security and privacy compliance; this portion of the document covers issues that the regulations
raise but for which they provide neither specific requirements nor clear guidance.
The Security sections discuss provisions of the HIPAA Security Regulations:
Security Section One discusses what a covered entity needs to do to address the security
Security Section Two discusses what a covered entity needs to do to address the technical
security services and mechanisms requirements.
The Privacy sections discuss provisions of the HIPAA Privacy Regulations:
Privacy Section One discusses the definition of a covered entity and the application of the
regulations to different types of covered entities.
Privacy Section Two discusses consent and authorization requirements.
Privacy Section Three discusses use and disclosure requirements.
Privacy Section Four discusses consumer control requirements.
Privacy Section Five discusses administrative requirements.
The General Section covers areas of the HIPAA regulation that require a covered entity to make
judgments about how the regulations' requirements apply to the organization (for example,
"minimum necessary disclosure," "scalability," and "reasonableness"). This Section also covers
broader organizational implications of compliance with the regulations (for example, how
HIPAA compliance might influence the structure of the organization, how HIPAA compliance
activities might relate to other similar activities, and what time and resources might be required
to achieve and maintain HIPAA compliance).