Legislation and Regulation
The United States Congress passes federal statutory law ("statutes"). Federal administrative agencies, under the United States President and the executive branch of government, promulgate regulations ("rules"). For example, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 is "a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge."
As passed, HIPAA (1996) was Public Law 104-191, i.e. the 191st law (statute) passed by the Congress. It was codified into sections of the U.S. Code:
5 U.S.C. 553, 554, 556, 557, 564 and 706 Chapters 5 and 89; 8 U.S.C. 1481; 10 U.S.C. 1072 Chapter 55; 18 U.S.C. 1345, 1347, 1510, 1956 and 982 Chapters 1, 2, 223, 31, 47, 63 and 73; 22 U.S.C. 2504; 25 U.S.C. 1601; 29 U.S.C. 1003, 1021, 1022, 1024, 1132, 1136, 1144, 1161, 1162, 1166 and 1167; 31 U.S.C. 3729 and 3733 Chapter 38; 38 U.S.C. Chapter 17; and 42 U.S.C. 11101, 1301, 1320a-7, 1320a-7a, 1320a-7b, 1320c, 1320c-5, 1395cc, 1395h, 1395i, 1395mm, 1395ss, 1395u, 1395x, 233, 242k, 300bb-2, 300bb-6, 300bb-8 and 300e (from govinfo.gov)
The best way for CWRU Law students to research sections of HIPAA is to use an annotated federal code online or in print -- U.S.C.A. (via Westlaw) or U.S.C.S. (via Lexis). The government provides free access to the unannotated U.S. Code, as well.
The HIPAA Privacy Rule standards are federal regulations/rules that "address the disclosure of individuals' health information -- 'protected health information' -- by entities subject to the Rule." The HIPAA Privacy Rule is found at 45 CFR Part 160 and Subparts A and E of Part 164. There is also a combined regulation text of all HIPAA Administrative Simplification Regulations from 45 CFR Parts 160, 162, and 164.
Like federal statutes, administrative rules must be constitutional, and the judiciary generally makes such decisions. Regulations must also not exceed the promulgating agency's mandate from the legislature. After internal agency review procedures are exhausted, the judiciary may decide such issues as well. Administrative rules are proposed in the Federal Register (and on regulations.gov), after which a public comment period occurs. Final rules, addressing any substantive public comments, are then published first in the Federal Register, and then by topic in the Code of Federal Regulations.
Please see these two guides for additional information about researching federal legislation or federal regulation.
Legal Aspects of Risk Management
Mark Little advocates for a systematic approach for an organization to minimize its legal risks, in the hope of minimizing lawsuits and regulatory penalties, as well as improving the organization's responses.
He suggests six steps:
According to Ken Reiher, a governance, risk, and compliance strategy allows a healthcare institution or practitioner to protect "all types of protected healthcare information, including protected healthcare information." He notes five unique features of a GRC strategy.
Office of the Inspector General (OIG)
AAPC, Compliance Management