Privacy and Security Resources

Access helpful resources related to Privacy and Security regulations, guidance, and best practices

Where does Privacy and Security guidance come from?

Structured guidance and standards help healthcare organizations manage, secure, and protect sensitive health information effectively in an increasingly digital healthcare environment.

Privacy and security resources related to healthcare primarily come from several key sources:

  • Government Regulations and Agencies
    • Health Insurance Portability and Accountability Act (HIPAA): In the United States, HIPAA is the primary legislative framework that outlines rules and standards for protecting health information.
    • Department of Health and Human Services (HHS): Particularly, the Office for Civil Rights (OCR) within HHS is responsible for enforcing HIPAA’s Privacy and Security Rules.
    • State Laws: Various states have their own privacy laws that may supplement or exceed HIPAA requirements.
  • Professional Organizations and Associations
    • Stakeholders of the same type (for example, providers, payers, or vendors) often rely on their professional association for guidance on meeting industry regulations.
  • Technology and Software Developers
    • These organizations provide resources on implementing best practices that support compliance with privacy and security regulations.
  • Other
    • Cybersecurity and privacy experts, as well as certification bodies, can also contribute privacy and security guidance and best practices.

Safe Harbor Law

Covered entities (CEs) and business associates (BAs) that handle protected health information (PHI) and have maintained recognized security practices for at least one (1) year could face lesser fines/penalties and reduced audit scrutiny from the Office for Civil Rights (OCR) in the event of a cyberattack or data breach. H.R. 7898 – Public Law 116-321, also known as the HIPAA Safe Harbor Law, became law on Jan. 5, 2021. The law’s name is a bit of a misnomer, because the exact requirements remain unclear until they are promulgated by the U.S. Department of Health and Human Services (HHS). A better description may be a “protected harbor.”

The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce. NIST publishes many useful Special Publications on technology security, including guidance specific to technology used in healthcare. The Special Publications can be found here.

Additional helpful links:

The Office for Civil Rights is part of the U.S. Department of Health and Human Services and oversees HIPAA/HITECH Privacy and Security enforcement. Detailed regulatory materials or the latest recommendations can be found on the following pages:

A current listing of organizations that have reported breaches and/or are under investigation by OCR can be found here.
