Security Guidance: HHS OCR Security Rule Guidance Material
Full description
Security Rule Guidance Material

In this section, you will find educational materials to help you learn more about the HIPAA Security Rule and other sources of standards for safeguarding electronic protected health information (e-PHI).

Risk Management Video Presentation

This video presentation is intended to raise awareness and provide practical education to HIPAA covered entities and business associates of the HIPAA Security Rule's Risk Management requirement. Like risk analysis, effective risk management is an essential component of both HIPAA Security Rule compliance and broader cybersecurity preparedness. Risk management is a critical step not only for safeguarding electronic protected health information, but also for defending against cyber-attacks more generally by reducing risks and vulnerabilities to a reasonable and appropriate level.

Topics include:
- HIPAA Security Rule Risk Management requirements
- OCR investigation findings of potential Risk Management violations
- Risk Management and cybersecurity resources

In developing this video, OCR engaged with the regulated community by soliciting questions on risk management. The final segment of the presentation addresses a selection of these questions. The video is available on OCR's YouTube channel, @USGovHHSOCR.

Recognized Security Practices Video Presentation

The HHS Office for Civil Rights (OCR) has produced a pre-recorded video presentation for HIPAA covered entities and business associates (regulated entities) on "recognized security practices," as set forth in Public Law 116-321 (Section 13412 of the Health Information Technology for Economic and Clinical Health Act (HITECH)). The statute requires OCR to take into consideration, in certain Security Rule enforcement and audit activities, whether a regulated entity has adequately demonstrated that recognized security practices were "in place" for the prior 12 months. This presentation is intended to educate regulated entities on the categories of recognized security practices and how entities may demonstrate implementation.

Topics include:
- The 2021 HITECH Amendment regarding recognized security practices
- How regulated entities can adequately demonstrate that recognized security practices are in place
- How OCR is requesting evidence of recognized security practices
- Resources for information about recognized security practices
- OCR's answers to questions on recognized security practices

The video may be found on OCR's YouTube channel, @USGovHHSOCR.

Security Rule Educational Paper Series

The HIPAA Security Information Series is a group of educational papers designed to give HIPAA covered entities insight into the Security Rule and assistance with implementation of the security standards.
- Security 101 for Covered Entities
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational, Policies and Procedures and Documentation Requirements
- Basics of Risk Analysis and Risk Management
- Security Standards: Implementation for the Small Provider

HIPAA Security Guidance

HHS has developed guidance and tools to assist HIPAA covered entities in identifying and implementing the most cost-effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of e-PHI and comply with the risk analysis requirements of the Security Rule.
- Risk Analysis
- HHS Security Risk Assessment Tool

HHS has also developed guidance to provide HIPAA covered entities with general information on the risks and possible mitigation strategies for remote use of and access to e-PHI.
- Remote Use

HHS has gathered tips and information to help you protect and secure health information patients entrust to you when using mobile devices.
- Mobile Device

HHS has developed guidance to help covered entities and business associates better understand and respond to the threat of ransomware.
- Ransomware

National Institute of Standards and Technology (NIST) Special Publications

NIST is a federal agency that sets computer security standards for the federal government and publishes reports on topics related to IT security. The following special publications are provided as an informational resource and are not legally binding guidance for covered entities.
- NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems
- NIST Special Publication 800-52: Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
- NIST Special Publication 800-66 Rev. 2: Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide
- NIST Special Publication 800-77: Guide to IPsec VPNs
- NIST Special Publication 800-88: Computer Security, Guidelines for Media Sanitization
- NIST Special Publication 800-111: Guide to Storage Encryption Technologies for End User Devices
- NIST Special Publication 800-113: Guide to SSL VPNs
- Federal Information Processing Standards Publication 140-2: Security Requirements for Cryptographic Modules
- NIST HIPAA Security Rule Toolkit Application
- NIST Cyber Security Framework to HIPAA Security Rule Crosswalk

The Federal Trade Commission Guidance
- Security Risks to Electronic Health Information from Peer-to-Peer File Sharing Applications: The Federal Trade Commission (FTC) has developed a guide to Peer-to-Peer (P2P) security issues for businesses that collect and store sensitive information.
- Safeguarding Electronic Protected Health Information on Digital Copiers: The FTC has tips on how to safeguard sensitive data stored on the hard drives of digital copiers.
- Medical Identity Theft: FAQs for Health Care Providers and Health Plans: The FTC has tips on how to minimize the risk of medical identity theft and how to help patients if they are victimized.

OCR Cyber Awareness Newsletters

In 2019, OCR moved to quarterly cybersecurity newsletters. The purpose of the newsletters remains unchanged: to help HIPAA covered entities and business associates remain in compliance with the HIPAA Security Rule by identifying emerging or prevalent issues, and highlighting best practices to safeguard PHI. Visit the Cybersecurity Newsletter Archive page to view previous newsletters from 2016.
- January 2026 OCR Cybersecurity Newsletter: System Hardening and Protecting ePHI
- October 2024 OCR Cybersecurity Newsletter: Social Engineering: Searching for Your Weakest Link
- August 2024 OCR Cybersecurity Newsletter: HIPAA Security Rule Facility Access Controls: What are they and how do you implement them?
- October 2023 OCR Cybersecurity Newsletter: How Sanction Policies Can Support HIPAA Compliance
- June 2023 OCR Cybersecurity Newsletter: HIPAA and Cybersecurity Authentication
- October 2022 OCR Cybersecurity Newsletter: HIPAA Security Rule Security Incident Procedures
- Quarter 1 2022 OCR Cybersecurity Newsletter: Defending Against Common Cyber-Attacks
- Fall 2021 OCR Cybersecurity Newsletter: Securing Your Legacy [System Security]
- Summer 2021 OCR Cybersecurity Newsletter: Controlling Access to ePHI: For Whose Eyes Only?
- Summer 2020 OCR Cybersecurity Newsletter: HIPAA and IT Asset Inventories
- Summer 2019 OCR Cybersecurity Newsletter: Managing Malicious Insider Threats
- Spring 2019 OCR Cybersecurity Newsletter: Advanced Persistent Threats and Zero Day Vulnerabilities
- Fall 2019 OCR Cybersecurity Newsletter: What Happened to My Data?: Update on Preventing, Mitigating and Responding to Ransomware

Sign up for the OCR Security Listserv to receive the OCR Cyber Awareness Newsletters in your email inbox.

Frequently Asked Questions for Professionals

Please see the HIPAA FAQs for additional guidance on health information privacy topics.

Content last reviewed April 8, 2026
Key takeaways for your organization
- Maintain a current, actionable risk analysis tied to remediation milestones, and keep evidence that maps each finding and mitigation to a Security Rule implementation specification; OCR's risk management guidance treats this as foundational to both compliance and defending against cyber-attacks.
- Treat internet-facing systems and vendor-hosted (business associate) environments as in scope for HIPAA risk analysis and technical safeguards testing.
- If you intend to rely on recognized security practices under the 2021 HITECH amendment, retain dated evidence showing they were in place for the prior 12 months, since OCR requests that evidence in certain Security Rule enforcement and audit activities.
- Align policies, procedures, and evidence with the specific CFR provisions cited in OCR resolutions affecting your entity type.
- Run tabletop exercises for breach response, OCR inquiry handling, and privilege-preserving communications with counsel.
Source
U.S. Department of Health and Human Services, Office for Civil Rights: Security Rule Guidance Material page. medcomply.ai aggregates public materials for educational use; this is not legal advice.