resolution agreement

Special Topics

Resolution

Penalty

Corrective action / RA

Action type

Resolution agreement

Entity profile

Case number

What went wrong


Full description

Special Topics in Health Information Privacy

OCR’s Dear Colleague Letter on the HIPAA Privacy Rule and Parental Access to Minor Children’s Medical Records

OCR has released a Dear Colleague letter reminding HIPAA regulated entities about parents’ rights to access their children’s protected health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Under the Privacy Rule, a parent is the personal representative of his or her minor child where the parent has the legal authority to make health care decisions for the child. The letter reinforces that parents who are their children’s personal representatives can exercise their children’s rights with respect to protected health information, including the right of access.

HIPAA and COVID-19

During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, the HHS Office for Civil Rights (OCR) has provided guidance that helps explain how the HIPAA Privacy Rule allows patient information to be shared in the outbreak of infectious disease and to assist patients in receiving the care they need.

HIPAA and Reproductive Health

OCR has issued guidance on the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (Privacy Rule) and the privacy of individuals’ protected health information (PHI) relating to abortion and other sexual and reproductive health care.

HIPAA and Telehealth

OCR has issued guidance about telehealth and the privacy and security of individuals’ protected health information. The guidance materials address how covered entities can provide audio-only telehealth in compliance with the HIPAA Rules. They also clarify how OCR is applying the Notification of Enforcement Discretion for Telehealth Remote Communications to support the good faith provision of telehealth during the COVID-19 nationwide public health emergency.

Updated Joint Guidance on Application of HIPAA and FERPA to Student Health Records

The U.S. Department of Education and the Office for Civil Rights at the U.S. Department of Health and Human Services issued joint guidance addressing the application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to records maintained on students.

Mental Health & Substance Use Disorders

At times, health care providers need to share mental and behavioral health information to enhance patient treatment and to ensure the health and safety of the patient or others. Parents, friends, and other caregivers of individuals with a mental health condition or substance use disorder play an important role in supporting the patient's treatment, care coordination, and recovery. The HIPAA Rules are designed to protect the privacy of all of an individual's identifiable health information and to ensure that health information is available when needed for treatment and other appropriate purposes. Given the sensitive nature of mental health and substance use disorder treatment information, OCR provides guidance addressing HIPAA protections, the obligations of covered health care providers, and the circumstances in which covered providers can share information—as applied to this context.

Research

Researchers in medical and health-related disciplines rely on access to many sources of health information, from medical records and epidemiological databases to disease registries, hospital discharge records, and government compilations of vital and health statistics.

The Privacy Rule recognizes that the research community has legitimate needs to use, access, and disclose individually identifiable health information to carry out a wide range of health research protocols and projects. The Privacy Rule protects the privacy of such information when held by a covered entity but also provides ways in which researchers can access and use the information for research, subject to various conditions.

Public Health

Protecting public health, including through public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, and other public health activities, often requires access to or the reporting of the protected health information of individuals. This information is used to identify, monitor, and respond to disease, death, and disability among populations.

The Privacy Rule recognizes the legitimate need for public health authorities and certain others to have access to protected health information for public health purposes and the importance of public health reporting by covered entities to identify threats to the public and individuals. Thus, the Privacy Rule permits covered entities to disclose protected health information without authorization for specified public health purposes.

Emergency Situations: Preparedness, Planning, and Response

The Privacy Rule is carefully designed to protect the privacy of health information, while allowing important communications to occur. For example, the Rule permits the sharing of protected health information for emergency preparedness planning and response under a number of circumstances.

HHS has developed guidance materials addressing appropriate uses and disclosures of protected health information in emergency situations.

Health Information Technology

Health information technology (health IT) involves the exchange of health information in an electronic environment. Widespread use of health IT will improve the quality of health care, prevent medical errors, reduce health care costs, increase administrative efficiencies, decrease paperwork, and expand access to affordable health care. It is imperative that the privacy and security of health information be ensured as this information is maintained and transmitted electronically.

The Privacy Rule's established baseline of privacy protections and individual rights with respect to individually identifiable health information support the use of health IT and provide important protections in this area. The Security Rule supports the adoption of new health information technologies while setting standards to ensure appropriate protection of electronic protected health information.

HIPAA and Health Apps

OCR offers guidance for developers and others seeking more information about how the HIPAA Rules might apply to health applications, as well as a health app developer portal with Health App Use Scenarios and an opportunity to engage with OCR on issues and concerns related to protecting health information privacy in mHealth design and development.

Content last reviewed December 3, 2025

Timeline

  • Resolution
  • Incident and investigation milestones are not consistently published by OCR in machine-readable form.

Key takeaways for your organization

  • Treat internet-facing systems and vendor-hosted environments as in-scope for HIPAA risk analysis and technical safeguards testing.
  • Maintain an actionable risk analysis tied to remediation milestones; evidence should map to Security Rule implementation specifications.
  • Align policies, procedures, and evidence with the specific CFR provisions cited in OCR resolutions affecting your entity type.
  • Run tabletop exercises for breach response, OCR inquiry handling, and privilege-preserving communications with counsel.

Related actions

Source

U.S. Department of Health and Human Services release

Source: U.S. Department of Health and Human Services, Office for Civil Rights. medcomply.ai aggregates public materials for educational use — not legal advice.