The federal agencies and advisory committees involved in privacy policy include: 

Unified Agenda of Federal Regulatory and Deregulatory Actions

The Unified Agenda of Federal Regulatory and Deregulatory Actions is a repository of information about regulations in development by federal agencies, published in the spring and fall. Please check this website periodically for regulations under development.

HHS Office for Civil Rights (OCR)

OCR has regulatory and enforcement authority for the HIPAA Privacy and Security rules and issues guidance and interpretations of the HIPAA rules.

HHS Office of the National Coordinator (ONC)

ONC is charged with the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of health information; this includes examining and recommending practices that protect privacy and promote security. Check out the ONC Guide to Privacy and Security of Electronic Health Information.

  • HHS Health IT Policy Committee (HITPC)
    The HIT Policy Committee makes recommendations to the National Coordinator for Health IT on a policy framework for the development and adoption of a nationwide health information infrastructure, including standards for the exchange of patient medical information.
  • HITPC’s Privacy and Security Workgroup
    ONC has organized a workgroup (subcommittee) under the auspices of the HIT Policy Committee to move forward on a range of privacy and security issues.
  • HHS Health IT Standards Committee (HITSC)
    The HIT Standards Committee makes recommendations to the National Coordinator for Health IT on standards, implementation specifications, and certification criteria for the electronic exchange and use of health information.

Agency for Healthcare Research and Quality (AHRQ)

The AHRQ funded the Health Information Privacy and Security Collaboration (HIPSC), a group of 34 subcontractors charged with identifying best practices and challenges, as well as developing solutions for interoperable health information exchange (HIE) that would protect and maintain privacy and security of health data. HIPSC has produced a variety of reports and implementation guides, as well as the HIPSC Toolkit, a set of guidelines for assessing and improving business practices for privacy and security.

Centers for Medicare and Medicaid Services (CMS)

CMS administers the Medicare and Medicaid EHR Incentive Programs; privacy and security are important components of the program’s implementation.

Centers for Disease Control and Prevention (CDC)

CDC has provided an overview of HIPAA, as well as guidance on how the HIPAA Privacy Rule affects public health management.

Federal Trade Commission (FTC)

Privacy is a central element of the FTC’s consumer protection mission; FTC educates consumers and businesses about the importance of personal information privacy, including the security of personal information.

National Committee on Vital and Health Statistics (NCVHS)

NCVHS Report on Health Information Privacy Beyond HIPAA

NCVHS was established by Congress to serve as an advisory body to the Department of Health and Human Services (HHS) on health data, statistics and national health information policy.

National Institute of Standards and Technology (NIST)

NIST is the federal technology agency that works with industry to develop and apply technology, measurements, and standards.

Food and Drug Administration (FDA)

The FDA encourages further development of mobile medical applications (“apps”) that improve health care and provide consumers and health care professionals with valuable health information very quickly. The FDA has a public health responsibility to oversee the safety and effectiveness of a small subset of mobile medical applications.

Federal Communications Commission (FCC)

Public Notice on Telephone Consumer Protection Act (TCPA).

The FCC regulates interstate and international communications by radio, television, wire, satellite and cable.  In the healthcare area, the FCC authorizes a wide variety of radiofrequency-based medical devices including both implanted devices (e.g., heart pacemakers) and patient monitoring devices (e.g., wireless telemetry).

2018 HIPAA Conference Presentation