Health care providers, health plans, business associates, and other entities affected by the federal HIPAA privacy and security regulations are quickly running out of excuses for not having a robust HIPAA compliance program in place. While following the detailed federal requirements can be expensive and time consuming, the U.S. Department of Health and Human Services' Office for Civil Rights ("OCR") has provided a number of useful and free tools that can help covered entities and business associates comply.

Summaries of the regulations, frequently asked questions, and a detailed audit protocol have been on the OCR website (http://www.hhs.gov/ocr/privacy/) for a long time. Free resources and tools continue to be added regularly. These include:

  • A detailed, 419 page security assessment tool helpful for risks analyses, particularly for smaller physician practices (released on March 28, 2014) and available here.
  • Model Notices of Privacy Practices in both English and Spanish (http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html )
  • Explanatory videos (available here)

The availability of these resources means that, if a covered entity or business associate is audited or investigated, penalties are more likely if the entity has failed to implement certain aspects of the HIPAA privacy or security rule. This is particularly the case if there are compliance tools readily available on the OCR web page. The good news is that the government's free resources are fairly user friendly, and give covered entities and business associates significant insight into the level of compliance effort expected.