
Health Law and Policy (Spring 2021)

This is a guide for students in Prof. Flamm's Health Law and Policy course.

Health Care Law and Policy (2018)

Mammography eBooks via OhioLINK

AI and Medicine eBooks via OhioLINK; SSRN; and Treatises


IRB Common Rule


Westlaw/Lexis secondary sources search -- ATLEAST50("common rule") AND ATLEAST40(IRB)

Federal Register via or HeinOnline

Administrative Law treatises

U.S.C.S. via Lexis may link to more administrative materials than U.S.C.A. when dealing with a federal statute.


Legislation and Regulation

The United States Congress passes federal statutory law ("statutes"). Federal administrative agencies, under the United States President and the executive branch of government, promulgate regulations ("rules"). For example, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 is "a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge."

As passed, HIPAA (1996) was Public Law 104-191, i.e. the 191st law (statute) passed by that Congress. It was codified into sections of the U.S. Code:

5 U.S.C. 553, 554, 556, 557, 564 and 706 Chapters 5 and 89; 8 U.S.C. 1481; 10 U.S.C. 1072 Chapter 55; 18 U.S.C. 1345, 1347, 1510, 1956 and 982 Chapters 1, 2, 223, 31, 47, 63 and 73; 22 U.S.C. 2504; 25 U.S.C. 1601; 29 U.S.C. 1003, 1021, 1022, 1024, 1132, 1136, 1144, 1161, 1162, 1166 and 1167; 31 U.S.C. 3729 and 3733 Chapter 38; 38 U.S.C. Chapter 17; and 42 U.S.C. 11101, 1301, 1320a-7, 1320a-7a, 1320a-7b, 1320c, 1320c-5, 1395cc, 1395h, 1395i, 1395mm, 1395ss, 1395u, 1395x, 233, 242k, 300bb-2, 300bb-6, 300bb-8 and 300e (from

The best way for CWRU Law students to research sections of HIPAA is to use an annotated federal code online or in print -- U.S.C.A. (via Westlaw) or U.S.C.S. (via Lexis). The government provides free access to the unannotated U.S. Code as well.


The HIPAA Privacy Rule standards are federal regulations/rules that "address the disclosure of individuals' health information -- 'protected health information' -- by entities subject to the Rule." The HIPAA Privacy Rule is found at 45 CFR Part 160 and Subparts A and E of Part 164. There is also a combined regulation text of all HIPAA Administrative Simplification Regulations from 45 CFR Parts 160, 162, and 164.

Like federal statutes, administrative rules must be constitutional, and the judiciary generally makes such decisions. Regulations must also not exceed the promulgating agency's mandate from the legislature. After internal agency review procedures are exhausted, the judiciary may decide such issues as well. Administrative rules are proposed in the Federal Register (and on, after which a public comment period occurs. Final rules, addressing any substantive public comments, are then published first in the Federal Register, and then by topic in the Code of Federal Regulations.

Please see these two guides for additional information about researching federal legislation or federal regulations. (legislation) (regulation)

Legal Aspects of Risk Assessment

Mark Little advocates a systematic approach for an organization to minimize its legal risks, in the hope of reducing lawsuits and regulatory penalties, as well as improving the organization's responses.

He suggests six steps:

  • Use a framework
    • ISO 31000 is a framework that is simple, scalable, adaptable, and practical
  • Obtain organizational commitment
    • scope, types of risk tracked, audience for the risk reporting, and budget
  • Identify legal risks
    • sources; potential versus actual risk; and create a risk ledger
  • Analyze legal risk
    • assess risk controls and gauge their effectiveness
  • Evaluate legal risk
    • prioritize the response to the risk: avoid, increase, remove, change, or share
  • Communicate and advise


Selected Websites

Selected Articles

Compliance Skills

Office of the Inspector General (OIG)

  • Compliance
  • Compliance Resource Portal
  • 11 short training videos
  • Seven Steps (per AAPC)
    • Conducting internal monitoring and auditing
    • Implementing compliance and practice standards
    • Designating a compliance officer or contact
    • Conducting appropriate training and education
    • Responding appropriately to detected offenses and developing corrective action
    • Developing open lines of communication
    • Enforcing disciplinary standards through well-publicized guidelines

AAPC, Compliance Management

Governance, Risk and Compliance

According to Ken Reiher, a governance, risk, and compliance (GRC) strategy allows a healthcare institution or practitioner to protect "all types of protected healthcare information, including protected healthcare information." He notes five unique features of a GRC strategy.

  • GRC provides a universal strategy.
  • GRC is more comprehensive ("different") than healthcare compliance.
  • GRC is for individual medical professionals, as well as healthcare institutions, since both must protect personal healthcare information.
  • "GRC is particularly complex" -- especially for large institutions which must deal with multiple jurisdictions ("geographically dispersed")
  • Helpful resources include:
    • risk registries
    • GRC software
    • consultants