FEDERAL HIPAA LAW COMPLIANCE FOR
HEALTH CARE PROFESSIONALS
Faculty:
Gerald Gianutsos, PhD, JD
Gerald Gianutsos, Ph.D., J.D., is an Emeritus Associate Professor of Pharmacology at the University of Connecticut School of Pharmacy.
Pamela Sardo, PharmD, BS
Pamela Sardo, PharmD, BS, is a freelance medical writer and licensed pharmacist. She is the founder and principal at Sardo Solutions in Texas. Pam received her BS from the University of Connecticut and her PharmD from the University of Rhode Island. Pam’s career spans many years in retail, clinics, hospitals, long-term care, Veterans Affairs, and managed health care responsibilities across a broad range of therapeutic classes and disease states.
Abstract
The Health Insurance Portability and Accountability Act (HIPAA) is the federal law that protects sensitive patient health information from disclosure without the patient’s consent. Another purpose of this legislation is to improve the portability and accountability of health insurance coverage for employees between jobs and to reduce fraud and misuse in healthcare. Electronic health records (EHRs) and electronic medical devices are vulnerable to hacking and other IT incidents, which can lead to breaches of sensitive patient health information. HIPAA rules apply to pharmacists and pharmacy staff. This course explores the HIPAA privacy and security rules and the penalties for noncompliance. Health technology is advancing rapidly. Health care professionals need to keep pace with these changes.
Accreditation Statements
In support of improving patient care, RxCe.com LLC is jointly accredited by the Accreditation Council™ for Continuing Medical Education (ACCME®), the Accreditation Council for Pharmacy Education (ACPE®), and the American Nurses Credentialing Center (ANCC®), to provide continuing education for the healthcare team.
Joint Universal Activity Number: The Joint Accreditation Universal Activity Numbers assigned to this activity are as follows:
Pharmacists: JA4008424-0000-26-119-H03-P
Pharmacy Technicians: JA4008424-0000-26-119-H03-T
Credits: 2 contact hour(s) (0.2 CEU(s)) of continuing education credit.
Credit Types:
Pharmacy - 2 Credits
Type of Activity: Knowledge
Media: Computer-Based Training (i.e., online courses)
Estimated time to complete activity: 2 contact hour(s) (0.2 CEU(s)), including Activity Pre-Test, Post-Test, and Activity Evaluation.
Release Date: June 29, 2026
Expiration Date: October 14, 2028
Target Audience: This educational activity is for Physicians, Physician Assistants, Pharmacists, and Pharmacy Technicians
How to Earn Credit: From June 29, 2026, through October 14, 2028, participants must:
Read the “learning objectives” and “author and planning team disclosures;”
Take the “Educational Activity Pre-Test;”
Study the section entitled “Educational Activity;” and
Complete the Educational Activity Post-Test and Activity Evaluation. The Educational Activity Post-Test will be graded automatically. Following successful completion of the Educational Activity Post-Test with a score of 70% or higher, a statement of participation will be made available immediately. (No partial credit will be given.)
CE and CME Credits: Credits for this course will be uploaded to CPE Monitor® for pharmacists and pharmacy technicians.
Statement of Need
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects sensitive patient health information. Sensitive patient health information may not be disclosed without the patient’s consent. Pharmacists and pharmacy technicians require knowledge about the HIPAA Privacy, Security, and Breach Notification Rules. In the modern health care system, technology is advancing rapidly, and the HIPAA rules are changing to keep pace. This course helps close the gap so that clinicians may stay up to date on any changes.
Learning Objectives: Upon completion of this educational activity, participants should be able to:
Identify the health care clinician’s role in HIPAA compliance
Describe HIPAA Privacy and Security Rules
Explain penalties for HIPAA violations
Use this information to answer questions about protected health information
Disclosures
The following individuals were involved in planning, developing, and/or authoring this activity: Gerald Gianutsos, Ph.D., J.D., and Pamela Sardo, PharmD, BS. None of the individuals involved in developing this activity has a conflict of interest or financial relationships related to the subject matter. There are no financial relationships or commercial or financial support relevant to this activity to report or disclose by RxCe.com or any of the individuals involved in the development of this activity.
© RxCe.com LLC 2026: All rights reserved. No reproduction of all or part of any content herein is allowed without the prior, written permission of RxCe.com LLC.
Educational Activity Pre-Test
According to HIPAA regulations, pharmacy teams are considered covered entities because they:
Dispense medication to patients and counsel patients.
Create records, transmit patient health information, and bill services.
Allow patients to purchase magazines, cosmetics, and toys at the pharmacy register.
Take continuing education activities before each license renewal.
As of 2024, protected patient records now include substance use disorder (SUD) treatment records. These records were made confidential to
address concerns that discrimination and fear of prosecution may deter people from entering treatment for SUDs.
ensure that SUDs records do not become part of a patient’s EHRs.
enable all members of a health care team to view the patient’s SUD records.
help clinicians identify drug diversion cases.
A patient comes to the pharmacy after being discharged from the hospital, where they were treated for a Legionella infection. The patient tells you they believe HIPAA has been violated because the State Health Department called them at home asking how they contracted Legionnaires’ disease. How do you respond?
Ask if they are taking university classes because health records can always be disclosed to a school without written authorization as long as the individual is actively enrolled in the university.
Advise the patient to call the police because PHI about Legionella may not be disclosed without a patient’s permission, and someone improperly shared information after their discharge.
Advise that public health agencies can collect health information to prevent or control disease, and note that Legionella infection is a nationally notifiable disease monitored by the CDC.
Inform the patient that everything is okay, as protected health information is available to anyone who requests it, and that a notice about data sharing is prominently posted in hospitals and on hospital websites.
Educational Activity
Highlights
Federal HIPAA Law Compliance for Health Care Professionals
Introduction
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects sensitive patient health information. Sensitive patient health information may not be disclosed without the patient’s consent. This course discusses the Privacy Rule, the Security Rule, the Breach Notification Rule, and the penalties for noncompliance. In the modern health care system, technology is advancing rapidly, and HIPAA rules are changing to keep pace.
Evolution of HIPAA
In 1996, President Clinton signed HIPAA into law.1 There were several purposes behind this legislation. The Act sought to improve the portability and accountability of health insurance coverage for employees between jobs, protect patients’ private healthcare information, and combat waste, fraud, and abuse in health insurance and healthcare delivery. Surprisingly, medical savings accounts, tax breaks, pre-existing medical condition coverage, and the simplification of health insurance administration were additional factors incorporated.1,2 With respect to patient privacy, HIPAA protects sensitive patient health information from being disclosed without the patient’s consent.
The Department of Health and Human Services (HHS) implements the HIPAA privacy and security rules3 and defines Protected Health Information (PHI).2 The HIPAA regulations, including the practices and procedures of the federal regulatory agencies, are codified in the Code of Federal Regulations (CFR), which defines and describes health care providers and covered entities.3 A health care provider is a provider of medical or health services, or a person or organization that furnishes, bills for, or is paid for health care.4 Because pharmacy teams create records, transmit patient health information, and bill for services, they are HIPAA-covered entities under the CFR.
HIPAA Rules for Covered Entities
HIPAA protections apply only to covered entities defined by HHS as health care providers, health plans, health care clearinghouses, and business associates.5 This definition leaves some personal information at risk since HIPAA does not protect health care data generated by non-covered entities.
HIPAA Privacy Rule
All medical records and other individually identifiable health information, whether electronic, on paper, or oral, are covered and protected by the HIPAA rule.6 The Privacy Rule details the process by which pharmacists and other healthcare professionals handle and protect a patient’s medical information. It also sets limits and conditions on how an individual can use or disclose sensitive information without the patient’s prior authorization. It includes the right to obtain and review a copy of health records. Patients can also request that providers correct their records.7
State laws that are more stringent than HIPAA take priority over the federal privacy rule. For example, state laws may provide stronger confidentiality protections for individuals with certain conditions, such as mental health conditions, HIV infection, and AIDS.8
Covered entities must follow HIPAA regulations. Health plans, healthcare providers, and clearinghouses are required to comply with HIPAA. Health plans encompass health insurance companies, health maintenance organizations (HMOs), and government programs, such as Medicare and Medicaid, that cover health care costs. Health care providers that conduct business and bill electronically include doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacists, and dentists. Healthcare clearinghouse entities process health information they receive by transforming it into a standard electronic format.7
Business associates of covered entities must also comply with the required HIPAA regulations. These associates are contractors and are not employees of a covered entity; however, they may need access to health information. They include medical billing companies, lawyers, information technology (IT) specialists, food service employees, volunteers, and companies that store medical records.7,8
Security Rule
While the HIPAA Privacy Rule safeguards PHI, the Security Rule protects a subset of information that the Privacy Rule also covers. This subset is identifiable health information that a covered entity creates, receives, maintains, or transmits in electronic form. This information is called electronic protected health information (e-PHI), and the Security Rule does not apply to PHI transmitted orally or in writing.9 Protected health information transmitted orally or in writing is protected under the Privacy Rule.3 To comply with the HIPAA Security Rule, all covered entities must do the following:10
Ensure the confidentiality, integrity, and availability of e-PHI
Detect and safeguard against threats to the security of the information
Protect against anticipated unauthorized uses
Certify compliance by their workforce
Every organization is responsible for determining its own security needs and how it will achieve its security goals. The Security Rule leaves the method to the facility, as long as the facility adheres to the rule.2
Protected Health Information
Protected health information is any identifiable information that appears in medical records or discussions between healthcare staff (such as doctors and pharmacists) regarding a patient’s treatment. It also includes billing information and any information that could be used to identify an individual in a company’s health insurance records. Other unique identifying numbers, characteristics, or codes also apply.11,12 Table 1 lists important identifiers that cause the information to be protected.11,12
Table 1
Defined PHI Identifiers
| Patient Name | Birthdate | Address (anything more specific than the state) |
| Social security number | Phone or fax number | E-mail address, web URL |
| MAC* address of the network card | IP^ address | Driver's license number |
| Vehicle identifier (license plate or VIN) | Biometric data (fingerprint, retina scan) | Medical record number |
| Medical device serial number | Dates of visits, admission, or discharge | Payments, bills |
| Photographs | Diagnostic codes | Health plan account number |
*Media Access Control (MAC) address can be used by routers and switches to control access to a network
^Internet Protocol (IP) address is an identifying number for network hardware connected to a network
Confidentiality and Substance Use Disorder Records
Healthcare professionals frequently provide care for individuals presenting with substance use disorder (SUD). In February 2024, HHS, through the Office for Civil Rights (OCR), in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA), issued a Final Rule to revise the Confidentiality of Substance Use Disorder Patient Records regulations.13 The regulations at 42 CFR part 2 (“Part 2”) protect the confidentiality of SUD treatment records, including the patient’s identity, diagnosis, and prognosis, or the treatment of any patient engaging in substance misuse prevention education, training, treatment, rehabilitation, or research.13 Confidentiality protections help address concerns that discrimination and fear of prosecution may deter people from entering treatment for SUDs.13
As of February 16, 2026, all federally assisted SUD treatment programs are required to provide a new patient notice that aligns more closely with the HIPAA Notice of Privacy Practices (NPP).13 The HHS provides an updated model HIPAA NPP.13
A covered entity must make a PHI notice available to any person who requests it, prominently post it, and also make it accessible on a website. Health plans must also provide notice to individuals covered by a plan, provide notice of revisions to PHI within 60 days, and notify individuals at least once every 3 years.14 The notice must include a point of contact for further information and for making complaints. The HHS OCR enforces HIPAA rules.14 All complaints should be reported to the OCR. HIPAA violations may result in civil monetary or criminal penalties.9
Disclosure of PHI Allowed in Some Circumstances
Protected Health Information can be disclosed in several circumstances. Public health agencies are authorized to collect health information to prevent, control, or address disease, injury, or disability. These agencies report on diseases and conduct public health surveillance, investigations, and interventions.6
Protected Health Information may be disclosed when a public health agency shares information with a foreign government agency collaborating with a US public health authority. These US authorities include the Food and Drug Administration, the Occupational Safety and Health Administration, the Centers for Disease Control and Prevention, and state and local public health departments.6 An example of an allowed disclosure under state law includes a patient diagnosed with certain infectious diseases of public health importance that are mandated to be reported by a state or nationally (e.g., monkeypox, legionellosis, tuberculosis, or Lyme disease).15
Protected Health Information may be disclosed, without a patient’s permission, for payment, certain health care operations, ongoing treatment, consultation between providers regarding a patient’s care, and referral of a patient by one provider to another.8 Another permissible disclosure occurs when a patient begins discussing their health information while family or friends are present; however, a patient may restrict disclosure of PHI to relatives.16 Disclosure of PHI to law enforcement is permissible if the information is needed to identify or apprehend an escapee or violent criminal.17 Health information is no longer considered PHI if an individual has been deceased for more than 50 years.3
Student immunization records can be disclosed to a school without written authorization, provided the practice setting has a parent or guardian’s consent.18 The practice setting must document that agreement, and state law must require the school to have such information before admitting the student. In addition, the PHI disclosed, in this case, must be limited to proof of immunization.18
There are particular issues involving the PHI of minors. For example, parents can obtain children’s information without their consent, but states set different ages at which minors can block a parent’s request.19
There are no restrictions on the use or disclosure of de-identified health information.20
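The following Python example is added here and is not part of the course. It applies the Table 1 identifier categories to a constructed patient record (the field names and values are assumptions, not from any real system): direct identifiers are dropped, dates and addresses are generalized, identifiers that leaked into free-text notes are scrubbed, and a final residual-identifier scan gates the record before it is treated as de-identified.

```python
"""Safe Harbor-style de-identification driven by the Table 1 identifier
categories. Added example; field names and the sample record are constructed."""
from __future__ import annotations

import re
from typing import Any

# Table 1 categories dropped outright (constructed field names).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "phone", "fax", "email", "url", "mac_address", "ip_address",
    "drivers_license", "license_plate", "vin", "biometric", "mrn",
    "device_serial", "health_plan_account", "payment_account", "photo",
}
# Dates tied to the individual are generalized to the year only.
DATE_FIELDS = {"birthdate", "visit_date", "admission_date", "discharge_date"}
# Free-text fields are scanned for identifiers typed into narrative notes.
FREE_TEXT_FIELDS = {"notes"}

# Identifier formats that commonly leak into free text (ISO dates, US phone/SSN).
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MAC": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "DATE": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "PHONE": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
}


def year_only(iso_date: str) -> str:
    """Keep only the year: Safe Harbor (45 CFR 164.514(b)) strips every date part but the year."""
    return iso_date[:4]


def state_only(address: dict[str, str]) -> dict[str, str]:
    """Table 1 treats anything more specific than the state as an identifier."""
    return {"state": address.get("state", "")}


def scrub_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier patterns in free text with a label; return the labels found."""
    findings: list[str] = []
    for label, pattern in PATTERNS.items():
        if pattern.search(text):
            findings.append(label)
            text = pattern.sub(f"[{label} REMOVED]", text)
    return text, findings


def deidentify(record: dict[str, Any]) -> tuple[dict[str, Any], dict[str, list[str]]]:
    """Return (clean_record, report); the report lists what was dropped,
    generalized or scrubbed so the action can be logged for audit."""
    clean: dict[str, Any] = {}
    report: dict[str, list[str]] = {"dropped": [], "generalized": [], "scrubbed": []}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            report["dropped"].append(key)
        elif key in DATE_FIELDS:
            clean[key] = year_only(value)
            report["generalized"].append(key)
        elif key == "address":
            clean[key] = state_only(value)
            report["generalized"].append(key)
        elif key in FREE_TEXT_FIELDS:
            clean[key], found = scrub_text(value)
            report["scrubbed"].extend(f"{key}:{label}" for label in found)
        else:
            clean[key] = value  # clinical content such as the diagnosis is retained
    return clean, report


def residual_identifiers(record: dict[str, Any]) -> list[str]:
    """Release gate: scan every string in the output; must be empty before the data leaves."""
    hits: list[str] = []

    def walk(value: Any, path: str) -> None:
        if isinstance(value, dict):
            for k, v in value.items():
                walk(v, f"{path}.{k}" if path else k)
        elif isinstance(value, list):
            for i, v in enumerate(value):
                walk(v, f"{path}[{i}]")
        elif isinstance(value, str):
            hits.extend(f"{path}:{label}" for label, p in PATTERNS.items() if p.search(value))

    walk(record, "")
    return hits


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "mrn": "MRN-0048213",
    "name": "Jane Q. Sample",
    "birthdate": "1957-03-14",
    "address": {"street": "12 Example Ln", "city": "Hartford", "state": "CT", "zip": "06103"},
    "phone": "860-555-0142",
    "email": "jane.sample@example.com",
    "ip_address": "203.0.113.7",
    "admission_date": "2025-11-02",
    "discharge_date": "2025-11-05",
    "diagnosis": "legionellosis",
    "notes": "Pt called from 860-555-0142; portal login from 203.0.113.7 on 2025-11-03.",
}
```

Calling `deidentify(SAMPLE_RECORD)` and then `residual_identifiers()` on the result shows the clean record retaining only the year of each date, the state, the diagnosis, and a scrubbed note; a non-empty residual list means the record must not be released as de-identified.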
HIPAA Compliance and the HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires information technology and methods that ensure the security of PHI. For electronic records, encryption renders the data unreadable without the correct key. For physical media, shredding paper records or degaussing magnetic media prevents reconstruction. In either case, the PHI becomes unusable or unreadable to individuals not authorized to access it. HITECH was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) and is a joint undertaking by the OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS).21,22
Electronic PHI is utilized in health care settings through various systems, including electronic health records (EHRs). Electronic systems are vulnerable to cyber-attacks, so all facility systems and technologies must undergo security efforts.23 Table 2 outlines multiple steps for implementing security management to reduce the risk of unintended access and to minimize violations.24
Table 2
Recommended Steps and Actions by a
Covered Entity for Security Management of ePHI
| SECURITY STEPS | ACTIONS |
| Step 1: Risk Analysis | Perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that the entity creates, receives, maintains, or transmits |
| Step 2: Assign Security Responsibility | Designate a security official responsible for developing and implementing the policies and procedures required by the Security Rule |
| Step 3: Workstation Security | Implement policies and procedures to ensure that workforce members who work with ePHI have appropriate authorization, supervision, and access to ePHI |
| Step 4: Information Access Management | Implement policies and procedures for authorizing access to ePHI only when such access is appropriate for the user or recipient's role |
| Step 5: Security Awareness and Training | Train all workforce members on the entity’s security policies and procedures, and apply appropriate sanctions to those who violate them. |
| Step 6: Security Incident Procedures | Implement policies and procedures to address security incidents that identify and respond to suspected or known security incidents and mitigate, to the extent possible, harmful effects of known security incidents, and document security incidents and their outcomes |
| Step 7: Contingency Plan | Establish and implement procedures for responding to emergencies or other occurrences that damage information systems that contain ePHI, including plans for backing up ePHI, restoring any lost data, and continuing critical business processes for protecting the security of ePHI while operating in emergency mode |
| Step 8: Evaluation | |
A covered entity must also enter into a contract or other written arrangement, which HHS calls a “business associate agreement,” that complies with the law.28 The business associate agreement must do the following:
Document the required satisfactory assurances
Provide that the business associate will comply with the Security Rule
Commit the business associate to ensuring that any subcontractors that create, receive, maintain, or transmit ePHI on behalf of the business associate agree to comply with the Security Rule by entering into a business associate agreement with the subcontractor
Obligate the business associate to report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI, as required by the Breach Notification Rule
Lastly, the HITECH Act revised the Social Security Act. It established multiple categories of violations and multiple tiers of penalty amounts, and it allows penalties to be adjusted annually to account for inflation.
HIPAA Breach and Breach Notification Rule
A HIPAA breach is an unauthorized use or disclosure of PHI under the Privacy Rule that compromises its security or privacy.25 In 2024, reported individual breaches of unsecured PHI of 500 or more patients collectively affected approximately 242,908,056 individuals.26 Hacking or IT incidents were the largest category of breaches.26 In 2025, approximately 61.5 million Americans had their PHI compromised. This number is still high, but it was a vast improvement over 2024.14,27
The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured PHI.25 Following a breach, entities must notify the affected individuals and the Secretary of HHS; notice is given through the online Office for Civil Rights (OCR) breach reporting tool, first-class mail, or e-mail.25,27
If there is insufficient or out-of-date contact information for 10 or more impacted individuals, the business must post the breach notice on its website for at least 90 days or in print or broadcast media. A toll-free phone number must remain active for at least 90 days so individuals may learn if their information was involved in the breach. Notifications must be provided without delay, and no later than 60 days after the discovery of a breach.28
Notifications must include a brief description of the breach, the types of information involved, and the steps affected individuals should take to protect themselves from potential harm. A brief description of what the covered entity is doing to investigate, mitigate harm, and prevent further breaches, along with contact information, is required.28
On a larger scale than a website posting, a media notice is required for any breach that affects more than 500 individuals. It will likely be issued as a press release. Media notification must be provided within 60 days and include the same information required for the individual notice.28
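As an added worked example (not part of the course material), the following Python helper turns the thresholds and deadlines stated above into a dated notification plan that an incident response team can track. The incident date and headcounts are constructed, and the assumption that a substitute notice goes up on the last permitted day when no posting date is supplied is mine, not the rule’s.

```python
"""Breach Notification Rule deadlines and thresholds, as stated in this course,
turned into a notification plan. Added example; dates and counts are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

INDIVIDUAL_NOTICE_DAYS = 60       # individual, HHS and media notice: no later than 60 days after discovery
MEDIA_NOTICE_THRESHOLD = 500      # media notice when more than 500 individuals are affected
SUBSTITUTE_NOTICE_THRESHOLD = 10  # substitute notice when 10 or more individuals cannot be reached
SUBSTITUTE_NOTICE_DAYS = 90       # website posting and toll-free line stay active at least 90 days


@dataclass(frozen=True)
class BreachFacts:
    discovered: date   # discovery date starts the 60-day clock
    affected: int      # individuals whose unsecured PHI was compromised
    unreachable: int   # affected individuals with insufficient or out-of-date contact details


@dataclass(frozen=True)
class NotificationPlan:
    individual_notice_by: date            # first-class mail or e-mail to each affected individual
    hhs_report_by: date                   # Secretary of HHS via the OCR breach reporting tool
    media_notice_by: date | None          # None when the breach does not exceed the media threshold
    substitute_notice_until: date | None  # website/media substitute notice; None when not required
    toll_free_line_until: date | None     # toll-free number must stay active alongside substitute notice


def plan_notifications(facts: BreachFacts, substitute_posted_on: date | None = None) -> NotificationPlan:
    """Derive every deadline from the discovery date and the two headcount thresholds."""
    deadline = facts.discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    media_by = deadline if facts.affected > MEDIA_NOTICE_THRESHOLD else None
    substitute_until = toll_free_until = None
    if facts.unreachable >= SUBSTITUTE_NOTICE_THRESHOLD:
        # Assumption (mine): with no posting date given, the posting goes up on the last permitted day.
        posted = substitute_posted_on or deadline
        substitute_until = toll_free_until = posted + timedelta(days=SUBSTITUTE_NOTICE_DAYS)
    return NotificationPlan(deadline, deadline, media_by, substitute_until, toll_free_until)


def overdue_items(plan: NotificationPlan, today: date, sent: set[str]) -> list[str]:
    """Required notices whose deadline has passed without being recorded as sent."""
    due_dates = {
        "individual": plan.individual_notice_by,
        "hhs": plan.hhs_report_by,
        "media": plan.media_notice_by,
    }
    return [name for name, due in due_dates.items()
            if due is not None and name not in sent and today > due]


# Constructed scenario: a ransomware incident discovered on 15 Jan 2026 affecting 1,200
# patients, 25 of whom have no usable mailing address or e-mail on file.
SAMPLE_BREACH = BreachFacts(discovered=date(2026, 1, 15), affected=1200, unreachable=25)
```

For the sample scenario the individual, HHS and media deadlines all fall on 16 March 2026 and, if the substitute notice is posted that day, the website posting and toll-free line must stay up until 14 June 2026; a breach of 40 patients with 3 unreachable triggers neither a media nor a substitute notice.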
Penalties for Violating HIPAA
The Department of Health and Human Services may impose civil penalties on a covered entity ranging from $141 for a violation due to lack of knowledge (Tier 1 violation) to $71,162 for willful neglect and failure to cure within 30 days (Tier 4 violation).29 These penalties are subject to annual adjustments by HHS.24,29 As of December 2024, the maximum financial penalty per violation for a Tier 1 through Tier 4 violation is $2,134,831, but this is also the annual cap.29
Beyond civil penalties, HHS may impose criminal penalties when a person knowingly obtains or discloses information in violation of HIPAA.24 The possible penalties include fines of $50,000 and imprisonment for up to one year. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses. The penalty increases to $250,000 and up to ten years imprisonment if the conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. State attorneys general can also impose penalties, and the Department of Justice may enforce criminal sanctions.4,24
While an individual cannot sue for a HIPAA violation, they may be able to file a claim for a breach of medical privacy under state law.30,31 Examples of judgments entered against covered entities under state law are described below.
Clinicians may learn from past violations. Attention to HIPAA rules can help a clinician work to maintain a strong professional reputation and avoid government investigations. Several high-profile cases are outlined below.
A surgeon is fired after illegally accessing personal records of celebrities, fined $2000, and sentenced to 4 months in jail.32
In Hereford (Dianna) v. Norton Healthcare Inc., et al., Hereford reportedly advised colleagues to wear gloves to avoid contracting hepatitis. The patient sued the hospital, alleging that sensitive medical information was spoken loudly within earshot of other patients and staff.33
A $1.4 million verdict was entered against Walgreens after one of its pharmacists shared confidential medical information about a patient.34
CVS agrees to pay $2.25 million to settle HIPAA violations related to the improper disposal of prescription bottles and receipts.35
A private practice loses an unencrypted flash drive containing PHI, is fined $150,000, and is required to install a corrective action plan.36
Malware compromises UMass Amherst data, resulting in a $650,000 fine.35
In 2008, UCLA Health System was fined $865,000 after employees accessed medical records for celebrities like Farrah Fawcett, Britney Spears, and Maria Shriver.35
POINT TO PONDER: What first step would you and your team take to prevent any of the scenarios and fines above?
What’s next?
The current direction of health care is to integrate information technology (IT), often using artificial intelligence (AI).26 The HITECH Act created financial incentives for health IT use among health care practitioners by providing funding for investing in health IT infrastructure, purchasing certified electronic health records (EHRs), and training on and the dissemination of best practices to integrate health IT.26 But with this comes a need to develop greater safeguards for electronic data because of an alarming growth in the number of breaches affecting individual ePHI caused by an escalation of cyberattacks using hacking and ransomware.26
In addition to compromising electronic health records, cyberattacks also impede the proper functioning of medical devices and wearables.26 In February 2026, the FDA issued guidance on recommended cybersecurity for device designs.37
There is also a growing industry that provides tests and analyses directly to customers, clinicians, and for research.38 It is critically important to consider HIPAA as it relates to the ever-expanding use of these new technologies, including AI. As discussed above, covered entities must ensure the confidentiality, integrity, and availability of e-PHI. Privacy-enhancing technologies are being developed to help accomplish this.39
Personal health information should not be entered directly into an online AI platform or via an AI inquiry without adequate security protocols.11 Tools such as chatbots and virtual assistants collect PHI in ways that raise concerns about unauthorized disclosure.40 Artificial intelligence lacks transparency, complicates audits, and may perpetuate biases in healthcare data.40 Moreover, as data moves onto online platforms, it may be transferred to a private for-profit entity that is not a HIPAA-covered entity. This could occur when a consumer downloads a software application. In such cases, oversight may transfer to the Federal Trade Commission.41 Regulation to address privacy protections for these apps is currently a patchwork of guidelines, with no uniform approach established.41
Additionally, in 2025, HHS published a Notice of Proposed Rulemaking to overhaul the HIPAA Security Rule to address these issues.42 It is not yet in effect, but the changes are a response to increasing cybersecurity threats against healthcare entities and aim to codify modern best practices. Key changes in the 2025 proposed rule include mandatory controls, multi-factor authentication (MFA), data encryption, annual audits and testing, and enhanced risk analysis. This proposed rule also mandates written procedures to restore ePHI and systems within 72 hours of an incident, as well as inventory and network maps showing how ePHI flows through their systems.42
Summary
The Health Insurance Portability and Accountability Act (HIPAA) is a federal Act that protects sensitive patient health information. Protected health information is any identifiable information that appears in medical records or discussions between healthcare staff (such as doctors and pharmacists) regarding a patient’s treatment. Sensitive patient health information may not be disclosed without the patient’s consent. The HIPAA Privacy Rule safeguards PHI, while the Security Rule protects a subset of information that the Privacy Rule also covers.
As of February 16, 2026, all federally assisted SUD treatment programs are required to provide a new patient notice that aligns more closely with the HIPAA NPP.
The HHS may impose civil penalties for breaches of HIPAA, or criminal penalties when a person knowingly obtains or discloses information in violation of HIPAA.
References
Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (DC): National Academies Press (US); 2009. 1, Introduction. Accessed June 28, 2026. https://www.ncbi.nlm.nih.gov/books/NBK9576/
Centers for Disease Control and Prevention. Public Health Law. Health Insurance Portability and Accountability Act of 1996 (HIPAA). CDC. September 10, 2024. Accessed June 28, 2026. https://www.cdc.gov/phlp/php/resources/health-insurance-portability-and-accountability-act-of-1996-hipaa.html
Department of Health and Human Services. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; other modifications to the HIPAA rules. 78 Fed. Reg. 5566. January 25, 2013. Accessed June 28, 2026. https://www.federalregister.gov/documents/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the
HIPAA compliance for pharmacies. HIPAA Journal. Updated January 10, 2026. Accessed June 28, 2026. https://www.hipaajournal.com/hipaa-compliance-for-pharmacies/
Moore W, Frye S. Review of HIPAA, Part 2: Limitations, Rights, Violations, and Role for the Imaging Technologist. J Nucl Med Technol. 2020 Mar;48(1):17-23. doi: 10.2967/jnmt.119.227827
FAQs about HIPAA Privacy Rule. National Healthcare Safety Network (NHSN). Centers for Disease Control and Prevention. Last Reviewed: March 15, 2023. Accessed June 28, 2026. https://www.cdc.gov/nhsn/hipaa/index.html
Department of Health and Human Services. Your rights under HIPAA. HHS. Last reviewed May 30, 2025. Accessed June 28, 2026. https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
Mello MM, Adler-Milstein J, Ding KL, Savage L. Legal Barriers to the Growth of Health Information Exchange: Boulders or Pebbles? Milbank Q. 2018;96(1):110-143. doi:10.1111/1468-0009.12313
Guide to privacy and security of electronic health information version 2. The Office of the National Coordinator for Health Information Technology. April 2015. Accessed June 28, 2026. https://healthit.gov/wp-content/uploads/2017/09/privacy-and-security-guide.pdf
Legal Dictionary. HIPAA Law. April 11, 2019. Accessed June 28, 2026. https://legaldictionary.net/hipaa-law/
The 18 HIPAA Identifiers. Loyola University Chicago Information Technology Services. 2025. Accessed June 28, 2026. https://www.luc.edu/its/aboutus/itspoliciesguidelines/hipaainformation/the18hipaaidentifiers/
45 CFR § 164.514.
U.S. Department of Health and Human Services. Health Information Privacy. HIPAA and Part 2. Understanding Confidentiality of Substance Use Disorder (SUD) Patient Records or “Part 2.” HHS. Content last reviewed February 13, 2026. June 28, 2026. https://www.hhs.gov/hipaa/part-2/index.html
U.S. Department of Health and Human Services Office for Civil Rights. Breach Portal. HIPAA Cases Currently Under Investigation. HHS-OCR. Accessed June 28, 2026. https://ocrportal.hhs.gov/ocr/breach/breach_report_hip.jsf
Commonwealth of Massachusetts. Infectious Disease Reporting and Regulations for Health Care Providers and Laboratories. Mass.gov. 2025. Accessed June 28, 2026. https://www.mass.gov/lists/infectious-disease-reporting-and-regulations-for-health-care-providers-and-laboratories
U.S. Department of Health and Human Services. Health Information Privacy. Summary of the HIPAA Privacy Rule. HHS. Last reviewed March 14, 2025. Accessed June 28, 2026. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html#:~:text=The%20Privacy%20Rule%20protects%20all,health%20information%20(PHI).%22
U.S. Department of Health and Human Services. Health Information Privacy. When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials? HHS. Last reviewed December 28, 2022. Accessed June 28, 2026. https://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html
U.S. Department of Health and Human Services. Health Information Privacy. Student immunizations. HHS. Last reviewed September 19, 2013. Accessed June 28, 2026. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/student-immunizations/index.html
Pathak PR, Chou A. Confidential Care for Adolescents in the U.S. Health Care System. J Patient Cent Res Rev. 2019;6(1):46-50. Published 2019 Jan 28. doi:10.17294/2330-0698.1656
U.S. Department of Health and Human Services. Health Information Privacy. Guidance regarding methods for de-identification of protected health information in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. HHS. Last Reviewed February 3, 2025. Accessed June 28, 2026. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#:~:text=As%20discussed%20below%2C%20the%20Privacy,or%20in%20combination%20with%20other
U.S. Department of Health and Human Services. Health Information Privacy. HITECH Act breach notification guidance and request for public comment. HHS. Last reviewed July 26, 2013. Accessed June 28, 2026. https://www.hhs.gov/hipaa/for-professionals/security/guidance/hitech-act-breach-notification-guidance/index.html
U.S. Department of Health and Human Services. Health Information Privacy. HITECH Act enforcement interim final rule. HHS. Last reviewed June 16, 2017. Accessed June 28, 2026. https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
Office of the National Coordinator for Health Information Technology. Privacy and Security. HIPAA Basics. HIPAA for Providers. ONC. Last Updated: April 1, 2026. Accessed June 28, 2026. https://healthit.gov/privacy-security/hipaa-basics/hipaa-providers/
U.S. Department of Health and Human Services. Annual Civil Monetary Penalties Inflation Adjustment. A Proposed Rule by the Health and Human Services Department. 45 CFR Part 102. Fed. Reg. August 8, 2024. Accessed June 28, 2026. https://www.federalregister.gov/documents/2024/08/08/2024-17466/annual-civil-monetary-penalties-inflation-adjustment
U.S. Department of Health and Human Services. Change Healthcare Cybersecurity Incident Frequently Asked Questions. HHS. March 14, 2025. Accessed June 28, 2026. https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html
U. S. Department of Health and Human Services. Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Year 2024. HHS. 2024. Accessed June 28, 2026. https://www.hhs.gov/sites/default/files/breach-report-to-congress-2024.pdf
U.S. Department of Health and Human Services Office for Civil Rights. Breach Portal. HHS-OCR. Accessed June 28, 2026. https://ocrportal.hhs.gov/ocr/breach/breach_frontpage.jsf?faces-redirect=true
U.S. Department of Health and Human Services. Breach Notification Rule. Health Information Privacy. HHS. Last reviewed July 26, 2013. Accessed June 28, 2026. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
U.S. Department of Health and Human Services. Health Information Privacy. Summary of the HIPAA Security Rule. HHS. December 30, 2024. Accessed June 28, 2026. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
Stevens GM. CRS report for Congress: Compliance with the HIPAA medical Privacy Rule. Washington, DC: Congressional Research Service; 2003.
Vanderpool D. HIPAA COMPLIANCE: A Common Sense Approach. Innov Clin Neurosci. 2019;16(1-2):38-41.
Latner AW. Doctor Gets Jail Time for HIPAA Violation. MPR. May 2, 2017. Accessed June 28, 2026. https://www.empr.com/home/features/doctor-gets-jail-time-for-hipaa-violation/
Termination for Nurse HIPAA Violation Upheld by Court. HIPAA Journal. October 19, 2017. Accessed June 28, 2026. https://www.hipaajournal.com/nurse-hipaa-violation/
Adler S. Indiana Court Upholds $1.44M HIPAA Privacy Breach Award. HIPAA Journal. November 14, 2014. Accessed June 28, 2026. https://www.hipaajournal.com/indiana-court-upholds-1-44m-hipaa-privacy-breach-award/
7 Pharmacy HIPAA violations that might surprise you. PBA Health E Elements. July 18, 2019. Accessed June 28, 2026. https://www.pbahealth.com/elements/5-hipaa-violations-you-might-not-know-about/
Adler S. Indiana Court Upholds $1.44M HIPAA Privacy Breach Award. HIPAA Journal. December 13, 2013. Accessed June 28, 2026. https://www.hipaajournal.com/massachusetts-dermatology-clinic-settles-150k-hipaa-breach/
U.S. Food and Drug Administration. Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions. Guidance for Industry and Food and Drug Administration Staff. FDA. February 2026. Accessed June 28, 2026. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-management-system-considerations-and-content-premarket
Wolf S, Ossorio P, Berry S, et al. Integrating rules for genomic research, clinical care, public health screening and DTC testing: creating translational law for translational genomics. J Law Med Ethics. 2020;48(1):69–86. doi: 10.1177/1073110520916996
Jordan S, Fontaine C, Hendricks-Sturrup R. Selecting Privacy-Enhancing Technologies for Managing Health Data Use. Front Public Health. 2022;10:814163. Published 2022 Mar 16. doi:10.3389/fpubh.2022.814163
Li J. Security Implications of AI Chatbots in Health Care. J Med Internet Res. 2023;25:e47551. Published 2023 Nov 28. doi:10.2196/47551
U.S. Federal Trade Commission. Mobile Health App Interactive Tool. FTC. November 2024. Accessed June 28, 2026. https://www.ftc.gov/business-guidance/resources/mobile-health-apps-interactive-tool#:~:text=The%20FTC%20enforces%20Section%205,an%20enforcement%20action%20against%20you
U.S. Department of Health and Human Services. HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information. A Proposed Rule by the Health and Human Services Department. 45 CFR Parts 160 and 164. Fed. Reg. January 6, 2025. Accessed June 28, 2026. https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information#footnote-961-p997
DISCLAIMER
The information provided in this course is general in nature, and it is designed solely to provide participants with continuing education credit(s). This course and materials are not meant to substitute for the independent, professional judgment of any participant regarding that participant’s professional practice, including but not limited to patient assessment, diagnosis, treatment, and/or health management. Medical and pharmacy practices, rules, and laws vary from state to state, and this course does not cover the laws of each state; therefore, participants must consult the laws of their state as they relate to their professional practice.
Healthcare professionals must consult their employer, healthcare facility, hospital, or other organization for guidelines, protocols, and procedures to follow. The information provided in this course does not replace those guidelines, protocols, and procedures, but is for academic purposes only, and this course’s limited purpose is for the completion of continuing education credits.
Participants are advised and acknowledge that information related to medications, their administration, dosing, contraindications, adverse reactions, interactions, warnings, precautions, or accepted uses is constantly changing. Any person taking this course understands that such a person must make an independent review of medication information before any patient assessment, diagnosis, treatment and/or health management. Any discussion of off-label use of any medication, device, or procedure is informational only, and such uses are not endorsed hereby.
Nothing contained in this course represents the opinions, views, judgments, or conclusions of RxCe.com LLC. RxCe.com LLC is not liable or responsible to any person for any inaccuracy, error, or omission with respect to this course or course material.
© RxCe.com LLC 2026: All rights reserved. No reproduction of all or part of any content herein is allowed without the prior, written permission of RxCe.com LLC.