Healthcare Information Privacy

HIPAA / HITECH

The federal standard for protected health information security and privacy.

At a glance:

3 Rules: Security, Privacy, Breach Notification
18 PHI identifiers: the Safe Harbor de-identification standard
Technical safeguards: access controls, audit controls, encryption
HITECH enforcement: civil and criminal penalties
Overview

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for the protection of individually identifiable health information (Protected Health Information, or PHI). The Security Rule applies specifically to electronic PHI (ePHI) and requires Covered Entities and Business Associates to implement administrative, physical, and technical safeguards.

The HITECH Act (2009) strengthened HIPAA enforcement, introduced mandatory breach notification, and extended HIPAA requirements directly to Business Associates. Documentation is central to HIPAA compliance: organizations must maintain evidence of risk analysis, workforce training, policy development, access control implementation, and breach response — and must be able to demonstrate these to HHS Office for Civil Rights (OCR) investigators.

Key Requirements

What the standard requires you to document.

Risk Analysis

Documented risk analysis of ePHI threats and vulnerabilities — required by 45 CFR § 164.308(a)(1).

Risk Management

Risk management plan and treatment documentation implementing the risk analysis findings.

Workforce Training

Training programme records demonstrating workforce awareness of HIPAA policies.

Access Controls

Documentation of ePHI access controls, unique user identification, and emergency access procedures.

Audit Controls

Audit logging implementation documentation and log review procedures.

Business Associate Agreements

BAA documentation for all third-party vendors with access to PHI.

Breach Notification

Breach risk assessment procedures and notification documentation (60-day reporting).

Physical Safeguards

Workstation use policies, media disposal documentation, and device access controls.

ELDR Documentation

Templates and resources available from the Knowledge Hub.

HIPAA Security Risk Analysis documentation (45 CFR § 164.308(a)(1)(ii)(A))
Security Risk Management Plan and treatment tracking
HIPAA Security Rule Policies and Procedures — all 18 standards
Technical Safeguards implementation documentation (access, audit, encryption)
Business Associate Agreement (BAA) templates and vendor tracking
Workforce training curriculum and completion records
Breach Risk Assessment methodology documentation
Breach Notification procedures and template notifications
Request Access

Templates and implementation resources for HIPAA / HITECH are available through the ELDR Institute Knowledge Hub and via direct request.
