HIPAASimple.com

Understanding HIPAA Regulations - TUTORIAL for Private Practice

HIPAASimple subscribed users do NOT need to study this document. The materials you will be provided will explain what you need to know and do. If other questions arise, you simply call or email us.

CONTENTS

This tutorial summarizes the HIPAA Regulations for private practice (see Disclaimer).

What Is HIPAA?
  About This Tutorial
  Doing HIPAA on Your Own
  Many HIPAA Myths
  HIPAA (and HITECH) Overview
  Privacy
  Security
  Who Must Comply?
  Risks of Non-compliance
  Complying as Related Entities

What Information Is Protected?
  Protected Health Information - PHI
  Examples of PHI
  Designated Record Set
  De-Identified Information
  Limited Data Set
  Psychotherapy Notes

HIPAA Regulates Uses and Disclosures of PHI
  Use/Disclosure Overview
  Required Use/Disclosure
  Permitted Uses/Disclosures
  Treatment, Payment, Operations
  Incidental Disclosure
  Family and Friends
  Public Policy Disclosures
  Parents and Minors
  Minimum Necessary
  Authorized Use/Disclosure
  Marketing, Fundraising, Research

HIPAA Gives Patients Rights Concerning Their Health Information
  Overview of Patient Rights
  Right to Receive Your Notice of Privacy Practices
  Right to Access PHI
  Right to Request Amendment
  Right to Request Restrictions
  Right to Request Confidential Communication
  Right to Accounting of Disclosures
  Must be Notified if a Breach Occurs

HIPAA Requires Safeguards of Electronic Patient Records and Electronic Systems
  Security Overview
  Flexible and Scalable
  Addressable Standards
  Administrative Safeguards
  Physical Safeguards
  Technical Safeguards

HIPAA Requires Specific Contracts and Agreements
  Overview of Contracts and Agreements
  Notice of Privacy Practices
  Business Associate Agreements
  Patient Authorizations
  Data Use Agreements

HIPAA Requires You to Have New, Specific Administrative Systems
  Overview of Administrative Systems
  Privacy / Security Officials
  Policies and Procedures
  Workforce Training
  Safeguards
  Complaints and Retaliation
  Mitigation and Sanctions
  Complete Documentation
  Preemption of State Law

HIPAA Fines and Penalties
  Overview of Fines and Penalties
  Fines for HIPAA Violations
  Penalties for Criminal Acts

DISCLAIMER:
HIPAASimple.com developed this reasonable summary of HIPAA regulations as they apply to health care providers in typical private practice situations. Compliance depends on YOUR ADHERENCE to the policies and procedures appropriate to YOUR SPECIFIC PRACTICE. If you want help with this, become a subscriber at www.HIPAASimple.com. This tutorial is not legal advice or individual consulting. All materials are copyright HIPAA Simple, LLC. Any use beyond viewing this website is strictly forbidden.



WHAT IS HIPAA?



About This Tutorial
The HIPAA Regulations are long and complex. However, for healthcare providers in private practice they can be scaled and simplified to fit appropriately. This tutorial suggests what is required for a private practice to be in compliance with the HIPAA Privacy Regulations.

HIPAASimple.com subscribers are guided through this information as they complete our simple steps to compliance. As other issues or questions come up, they contact us for guidance at 800-279-3668 or support@HIPAASimple.com.

The documents, forms, and materials needed to be in compliance are available by subscription on our website, www.HIPAASimple.com.

This is our opinion of how to summarize the HIPAA Regulations for health care providers in private practice situations. This tutorial is not legal advice or individual consulting. It is a condensed version of the regulations that gives guidance on many of the issues that private practices will face.

Doing HIPAA on Your Own
If you have a 'Do It Yourself' HIPAA solution, here are some of the things you will need (most documents and agreements have to contain specific wording to be valid):

  1. Notice of Privacy Practices to be given to your patients.
  2. "Business Associate" agreement for all vendors that receive or create patient information on your behalf.
  3. Specific policies and procedures for your staff, designed to meet the HIPAA requirements.
  4. One person on your staff who will design your policies and procedures, and answer questions on HIPAA.
  5. Training for everyone at your practice, so they will know and follow your specific privacy policies and procedures.
  6. Documented security measures for a HIPAA-defined list of possible risks.
  7. Handling of complaints, violations, mitigation, and sanctions.
  8. Special rules to handle specific requests the patients make concerning their health information, such as: access, amendment, accounting of disclosures, confidential communications and restrictions.
  9. Valid documentation of all privacy/security activities.

Some of the Many Myths about HIPAA
None of the following statements are true:

  • "I don't need to do anything in my practice. I signed an agreement at the hospital, and that covers me." (A physician in Illinois)
  • "If a patient overhears a conversation about another patient, you have broken the law." (A Montana surgeon)
  • "You must train your entire staff on the HIPAA regulations." (An advertisement for a HIPAA training course. The reason this is untrue is that you must train your staff on YOUR POLICIES AND PROCEDURES which will keep your practice in compliance with the HIPAA regulations, NOT the regulations themselves.)
  • "HIPAA gives the patient ownership of his chart in your office." (A patient's attorney)
  • "The regulations still are so restrictive, it will make it difficult for physicians to discuss cases with one another." (A pathologist quoted in the Birmingham Business Journal)
  • "The regulations are impossible to comply with. There's no way these will be enforced." (An internist in New Mexico)
  • "Specialists often have discussed cases with me as a favor, at no charge, and so I've been able to save the patient a visit and the cost of seeing that specialist. I can't do that now." (a family physician in Alabama)
  • "You have to switch your charts from names to numbers." (A supplier of charting materials, in their catalog)
  • "You can't call the patient from the reception room by name." (A clinic manager in Texas)
  • "We've always been HIPAA compliant" (meaning we've always been careful with patient records - A Florida Family Physician, in an article in Medical Economics Magazine, June, 2009)
  • "The regulations require you to give patient information to law enforcement." (An office manager in Colorado)
  • "You can't send a friend or family member to the pharmacy to pick up a prescription." (A consultant in Tennessee)

HIPAA (and HITECH) Overview
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. The act covers such items as:

  • Group and individual insurance reform (e.g. portability, pre-existing conditions)
  • Fraud and abuse
  • Tax-related health provisions (e.g. medical savings accounts)
  • Administrative Simplification (protects the privacy and security of health information, standardizes the exchange of electronic data, and specifies national identifiers). The HIPAA Privacy and Security regulations fall under this provision.

The HITECH Act, part of ARRA (the "Stimulus Bill") passed in February 2009, modified and expanded the HIPAA regulations.

When we say "HIPAA" or "HIPAA regulations", we mean as defined by both HIPAA and HITECH, as amended.



HIPAA Privacy Regulations
HIPAA's intent is to ensure the right of individuals to keep information about them from being used or disclosed beyond their original intent. Although health care providers have been protecting patient privacy for decades, the Privacy Rule was created to codify safeguards for the records that hold personal health information. Paper records, electronic records, and oral communications are all covered. HIPAA also gives patients an expansive right to know and control how their information is used. Its intent is not to interfere with health care delivery; however, it does make the ADMINISTRATION of health care delivery more complex.

HIPAA Security Regulations
Recognizing the special risks electronic processing creates, the Security sections intend to keep patient health information safe in electronic systems and networks. They affect policies on access to workstations and servers, system logins, timeouts, backups, passwords, and encryption of transmissions over public networks (such as the Internet).

Who Must Comply?
HIPAA Privacy applies to 'covered entities': all health plans; all health care clearinghouses; and any health care providers who transmit health information in electronic form in connection with any of the standard transactions.

This means that if you or your organization provides health care in private practice, AND you (or anyone on your behalf) transmit or receive standard health information ELECTRONICALLY, YOU MUST COMPLY.

If someone else files any of your claims electronically, or performs any other standard health care transaction for you electronically, the regulations apply as if you performed them yourself. You must comply. Also remember that almost all practices that file to Medicare must file electronically, which makes them 'covered entities.'

Transactions carried over a 'wire' that are specifically EXCEPTED from the definition of 'electronic' are phone conversations and paper faxing (not computer-generated faxes), because the information was not in electronic format prior to transmission.

Risks of Non-compliance
HIPAA Privacy involves your ongoing relationship with your patients, not problems with payers. Patients will know within five minutes of being in your office whether or not you have a Privacy compliance program in place. Plus, ANYONE can file a complaint about you, not just a concerned patient.

Patients cannot sue a provider using HIPAA. But HIPAA compliance is already being used in other legal actions, such as invasion of privacy and violation of confidentiality. It may be used to demonstrate either a good faith effort to protect privacy, or, if there is no compliance, negligence.

If an employee commits a serious violation of HIPAA, the employer needs to be in compliance in order to show that the employee was fully aware of the violation of the regulations (and therefore should be liable for the consequences).

Complying as Related Entities
HIPAA allows two classes of legally separate entities to join together in Privacy/Security compliance:

  • Organized Health Care Arrangement (OHCA): separate entities that are 'clinically integrated' can join into an OHCA for compliance. This might apply when legally separate providers share office and/or staff, treat (at times) the same patients, and appear to the patients to be unified. If so, these providers can agree to comply with HIPAA as a single entity.
  • Affiliated Entities: entities that are legally separate but share common ownership or control can agree to comply with HIPAA as a single entity. This might apply if the providers in a practice also share ownership with a treatment center.

You might share the work with those who share your office.

WHAT INFORMATION IS PROTECTED


Protected Health Information (PHI)
HIPAA Privacy and Security is About Protecting Health Information.

The regulations are specific concerning what is defined as health information, and the different classes of information within that definition. Protected Health Information (PHI):

  • Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
  • Identifies the individual, or provides a reasonable basis to believe the information can be used to identify the individual.

Excluded from PHI are certain educational records that are covered under the Family Educational Rights and Privacy Act (FERPA).

Health information that cannot be identified with a patient is not PHI. A name by itself is not PHI. But the name of a patient of an AIDS treatment center IS PHI.

Examples of PHI (Protected Health Information)
The things that go into a patient's 'chart' or billing records are PHI. The following are examples of other items that are, as well:

  • An insurance claim or EOB
  • An accounts receivable report with patient last names
  • A list of co-pays received with last names and check numbers
  • A schedule of patients to be seen, and the reasons for the appointments
  • A 'sticky' note with a patient's name and the words 'claim for March 23 denied'
  • A recorded phone message giving the person's name and the reason they want an appointment
  • A lab request to be sent with a specimen
  • A referral request
  • A computer screen showing a patient's name and text or graphic representation concerning their health
  • An x-ray with a patient's last name
  • A discussion about a recent procedure performed where the patient's last name was mentioned
  • The 'office side' of a phone call where the patient's name and the reason they wanted to speak to a nurse are repeated


Designated Record Set (what you must keep for the Patient)
The designated record sets are all of the records that you must keep for access by patients, according to the Privacy regulations. These include, at a minimum, the medical record ("chart"), the billing record, and any other records that are used by or for a covered entity to make decisions about individuals. Note that records that otherwise meet the definition of designated record set and which are held by a business associate of the covered entity are part of the covered entity’s designated record sets.

The purpose of the designated record sets is to allow certain, miscellaneous PHI to be omitted from the records you must keep and provide for patient access. Omitted information might include old appointment books and sign-in sheets, and records of phone calls to or from the patient. Remember, if you use the information as part of the permanent record, for billing, or for decisions made about the patient, you cannot omit it. Also, omitted items must still be protected from uses or disclosures in violation of HIPAA (but can be destroyed when no longer needed).

   

Basically, you will give patients access to their 'chart' and billing history, whether held by you or a Business Associate.

De-identified Information
The Privacy regulations allow you to freely use and disclose de-identified health information. Health information can be de-identified (made not individually identifiable) using either of two methods.

   

This might be used for research, summary reporting, or other purposes.

Limited Data Set
The Privacy Rule allows use of health information for research, public health, or health care operations if the covered entity (1) uses or discloses only a "limited data set" (as defined), and (2) obtains from the recipient of the limited data set a "data use agreement" (as defined). The Limited Data Set contains more information than de-identified health information, and includes data that is useful for these three purposes.

   

Many practices will not encounter a need for de-identified or limited data sets.

Psychotherapy Notes
The Privacy Rule OMITS from the Designated Record Set a special class of records referred to as Psychotherapy Notes. This means that these records, although they must remain confidential, do not have to be preserved and maintained for patient access.

GENERALLY SPEAKING, if certain notes are part of the permanent record, are used in billing, are used to make diagnosis or other treatment decisions, or would be provided to another professional in assisting with treatment, they do NOT meet the criteria. The notes a mental health professional would keep separate, not disclose to others, and only use to recall things said in a previous session could qualify.

   

This ONLY applies to Mental Health Professionals


HIPAA REGULATES USES AND DISCLOSURES OF PHI


'USE' means internal to your practice, 'DISCLOSURE' means outside of your practice

   

Use and Disclosure Overview
You are required by HIPAA to disclose protected health information (PHI) only to: (1) the patient; and (2) the Department of Health and Human Services, to verify HIPAA compliance.

You are permitted to use and disclose PHI without patient authorization: (1) for treatment, payment, and health care operations; (2) in a select set of public policy situations; and (3) 'incident to' any allowed use or disclosure.

You are permitted to use and disclose, without patient authorization, a very limited amount of PHI for research, public health, fundraising, and some other health care operations, if specific limitations and agreements are in place.

You are permitted to use and disclose PHI with informal patient consent: (1) to a personal representative, family member, or friend (with some limitations); and (2) to locate and/or notify such a person.

You are permitted to use and disclose PHI for any other purpose with formal patient authorization.

NO OTHER USE OR DISCLOSURE OF PHI IS ALLOWED.

Required Use and Disclosure
You are only required by the HIPAA Privacy regulations to disclose patient health information to (1) the patient, on request, and (2) the Secretary of Health and Human Services (or authorized representative) to verify compliance with this regulation. Otherwise, uses and disclosures are permitted under various conditions, restrictions, and stipulations.

Except for these two, you cannot violate HIPAA by NOT using or disclosing PHI.

Uses or disclosures not specifically allowed are considered VIOLATIONS OF THE LAW.

Permitted Uses and Disclosures
Under HIPAA you are PERMITTED to use or disclose health information:

  • For treatment, payment, or health care operations (as defined);
  • Incident to a use or disclosure otherwise allowed;
  • According to an authorization given by the patient;
  • To a personal representative, a family member or friend involved in the patient's care, or for notification of such a person; and
  • In a select set of public policy situations.

The restrictions, requirements, and conditions of each of these are discussed in the next topics.

You may USE or DISCLOSE PHI for the three functions defined below. Patient authorization is NOT required for these three functions. You will need to cover these issues in your 'Notice of Privacy Practices'.

Treatment, Payment and Health Care Operations
1. TREATMENT means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care with a third party; consultation between health care providers; or the referral of a patient to another provider.

2. PAYMENT means the activities undertaken by a health care provider to obtain or provide reimbursement for the provision of health care to an individual. These activities include, but are not limited to:

  • Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
  • Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
  • Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and
  • Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: Name and address; Date of birth; Social security number; Payment history; Account number; and Name and address of the health care provider and/or health plan.

3. HEALTH CARE OPERATIONS means any of the following activities:

  • Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
  • Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
  • Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
  • Business management and general administrative activities of the entity, including, but not limited to: Activities relating to compliance with this regulation; Customer service, provided that protected health information is not disclosed to such customer; Resolution of internal grievances; The sale, transfer, merger, or consolidation of all or part of a covered entity with another covered entity; and creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

We include detailed definitions here because these three functions encompass MOST (and in many cases ALL) of what private practices do with PHI.

Disclosing PHI outside of your organization for these three functions is permitted, but may require a Business Associate Agreement (see below).

'Reasonable Safeguards' include being in compliance with the HIPAA Regulations.


Incidental Disclosure
The Privacy regulations do not find incidental or unintentional disclosures of health information a violation of the regulations, provided:

  • The entity took reasonable precautions and safeguards to prevent this disclosure from occurring; and
  • The entity was engaged in a lawful use or disclosure when the incidental or unintentional disclosure occurred.

This means that if someone overhears a conversation while in a hallway or semi-private room, if someone sees a name on a chart at the front desk, etc., this disclosure is NOT a violation, provided reasonable safeguards to prevent these from occurring are in place.

The regulations do not intend to demand remodeling of facilities.

Family and Friends
You can disclose personal health information to a family member, friend, or personal representative to enable them to assist in the patient's care, or in order to locate such a person for notification. You can only do so if you first notified the patient of your intentions, and gave them the opportunity to object. You also must limit the information to only that necessary for them to assist in the patient's care.

If the patient is unable, due to incapacity, to understand and/or object, you can use your professional judgment based on what is best for the patient, and infer consent based on the circumstances. You might infer, for example, that the family member who brought the patient in should be given enough information to assist in their care.

In the public policy circumstances listed next, patient authorization or opportunity to consent or object is not required. Some of these have special requirements to follow to ensure the use or disclosure is valid.


Public Policy Disclosures
HIPAA permits you to use/disclose patient health information in certain defined situations, without having to notify or obtain authorization from the patient. The list of situations includes:

  • Uses and Disclosures Required By Law
  • Uses and Disclosures for Public Health Activities (including FDA monitoring of drugs)
  • Disclosures About Victims of Abuse, Neglect or Domestic Violence
  • Uses and Disclosures for Health Oversight Activities
  • Disclosures for Judicial and Administrative Proceedings
  • Disclosures for Law Enforcement Purposes
  • Uses and Disclosures about Decedents
  • Uses and Disclosures for Cadaveric Organ, Eye, Tissue Donation
  • Uses and Disclosures for Research Purposes (although the rules you must follow here are very arduous)
  • Uses and Disclosures to Avert a Serious Threat to Health or Safety
  • Uses and Disclosures For Specialized Government Functions (including national security, military and veterans activities, and correctional institutions)
  • Disclosures for Workers' Compensation

These uses and disclosures are PERMITTED, NOT required. ACCOUNTING of disclosures is generally required for these (discussed below).


Parents and Minors
Concerning information disclosed or not disclosed about an older child to a parent, HIPAA says to follow your state laws and/or your good judgment. State laws vary greatly on this issue. HIPAA avoids taking sides on this sensitive issue.

The Minimum Necessary standard is a key provision that is often referred to in the regulations.


Minimum Necessary
You may only use or disclose the MINIMUM NECESSARY information, that is, you must make reasonable efforts to limit the use or disclosure of protected health information to the minimum necessary to accomplish the intended purpose.

Some exceptions (where you are NOT required to follow the 'minimum necessary' rule) are: disclosures to or requests by a health care provider for treatment; uses or disclosures made to the individual patient; uses or disclosures authorized by the patient; and uses or disclosures that are required by law.

If a payer requests records on a specific illness and you send more than that (by sending the entire chart), you have likely violated this standard.

The required elements of a patient authorization are specific.


Authorized Use and Disclosure
Except as otherwise required or permitted in the Privacy regulations, uses or disclosures of patient health information REQUIRE A SIGNED AUTHORIZATION FROM THE PATIENT. In other words, an authorization is required for most uses and disclosures that are NOT: (1) to the patient; (2) as requested by Health and Human Services to verify compliance; (3) for treatment, payment, or health care operations; (4) incidental disclosures; (5) disclosures to family or friends; (6) certain fundraising activities; or (7) public policy situations.

Many private practices avoid the situations described in the next topic.


Marketing, Fundraising, Research
The rules about marketing are complex. Check with your attorney, or if you are a subscribed user, check with us at 800-279-3668 or support@HIPAASimple.com before you embark on any such arrangement. You cannot directly or indirectly receive remuneration in exchange for PHI without valid authorization from the patient. The few exceptions include valid arrangements with Business Associates, and sale of the practice.

For fundraising, you may disclose only demographics and dates of health care provided to a business associate or institutionally related foundation for fundraising activities, without authorization from the patient. However, you must inform the patient in your Notice of Privacy Practices, and give them an opportunity to opt out. Fundraising materials must also give the individual the opportunity to opt out of receiving future materials.

HIPAA recognizes the value of medical research, and gives various ways it can be conducted without violation.

  • Personal health information may be used and disclosed for research with an individual’s written permission in the form of an Authorization.
  • De-identified health information, as described above, is not protected, and thus can be used in research.
  • Personal Health Information may be used and disclosed for research without an Authorization in limited circumstances:
    • Under a waiver of the Authorization requirement, normally through an Institutional Review Board (IRB) that approved the research,
    • as a limited data set with a data use agreement,
    • preparatory to research, and
    • for research on decedents’ information.

Get advice before you embark on these.


HIPAA GIVES PATIENTS RIGHTS CONCERNING THEIR HEALTH INFORMATION

Overview of Patient Rights
Under HIPAA, individuals have a right to:

  • Receive a copy of your Notice of Privacy Practices
  • Access their patient health record
  • Request an amendment to their health information
  • Request additional restrictions on use and disclosure of their health information
  • Request confidential communications (by alternate means) of their health information
  • Receive an accounting of certain disclosures made of their health information

Patients also must be notified if a BREACH occurs.

Right to Receive a Copy of Your Notice of Privacy Practices
An individual has the right to receive from you a copy of your Notice of Privacy Practices at the first visit, or soon after if treated as an emergency. This document is described below.

   







The HIPAASimple.com solution gives all of the forms and guidance needed to deliver these rights to individuals

   

Right to Access Protected Health Information
An individual has a right to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the record set is maintained.

For a private practice, access may be denied to any portion of the information that falls under one of the following exceptions:

  • Psychotherapy Notes (remember the definition is very limited, as explained above);
  • Information compiled in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding;
  • Research records, provided the research is ongoing, and the patient agreed to be denied access during the research;
  • Inmate health records created or received on behalf of a correctional institution, if access to the records might endanger any person;
  • If the information came from a third party who is NOT a health care provider, with the understanding it would be kept confidential;
  • If a health care provider has determined, in the exercise of professional judgment, that access to the information by the individual or a personal representative would endanger the individual or others (this is 'reviewable');
  • The information is about a third party (not a health care provider), and a health care provider has determined, in the exercise of professional judgment, that access to the information could cause substantial harm to that third party (this is 'reviewable')
Electronically maintained PHI must be delivered in an electronic format on request: in the form and format the individual asks for if it is readily producible, otherwise in a readable electronic form you both agree on. The regulation does not name a specific file format. Check with your software vendor about how they are meeting this requirement.
Back to Contents

   



You must give access within 30 days (60 if the information is off-site), and there are documentation requirements



'Reviewable' items have a specific process whereby a patient can object to an exclusion



   

Right to Request Amendment to Health Information
An individual has the right to request that a provider amend protected health information in a designated record set for as long as that record set is maintained.

A private practitioner can deny the amendment if any of the following are determined:

  • The record is accurate and complete;
  • The provider being asked to amend the record did not create the record in question; or
  • Based on one of the exceptions, the patient cannot access the record in question.
Back to Contents

   

There are various documentation and notification requirements that accompany this regulation. HIPAASimple.com will guide you through these.



   

Right to Request Restrictions of Uses and Disclosures
A covered entity must permit an individual to REQUEST that the covered entity restrict uses and disclosures for either: treatment, payment, and health care operations; or those made to friends and family.

There is one situation where you MUST abide by the request to restrict use and disclosure: If (1) the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and (2) the protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket (without filing a claim) in full.

Other than this instance, you do NOT have to agree to the restrictions if you have a reason not to. Restrictions on disclosures for treatment, payment, and operations would likely hinder your practice, and therefore would not normally be agreed to. Disclosures made to friends and family already require the opportunity to object. However, if you do agree to a restriction, you must abide by it.

   

In practice this required restriction simply means you do not file a claim. However, you must also ensure you do not disclose the restricted information to the health plan later, for instance in a "chart review".



   

Right to Request Confidential Communication
You must communicate protected health information to individuals by alternative means or at alternative locations when you receive a reasonable request to do so. You may require the request in writing, and require that payments for services are not disrupted.

The patient may request that all information go to a different address, or the contact is made through a different phone or pager number.

   



HIPAASimple.com gives you the guides and forms to keep this accounting.

   

Right to Accounting of Disclosures
An individual has a right to receive an accounting of disclosures of protected health information (which are outside of the normal course of activities) you made in the six years prior to the date of the request. All of the normal uses and disclosures do not need accounting (ie: treatment, payment, and operations; disclosures to the patient or authorized by the patient; incidental disclosures; disclosures to family and friends; disclosures of a limited data set). The two categories of disclosures that require accounting are:

  • The group referred to as 'Public Policy Disclosures' (see above);
  • Disclosures that VIOLATE THE PRIVACY RULE.
Back to Contents

   



You can contact HIPAASimple if a Breach occurs, and we will step you through it

   

Patients Must be Notified if a Breach Occurs
A "BREACH" is acquisition, access, use, or disclosure of PHI in violation of HIPAA privacy and security regulations, in a manner that poses a significant risk of financial, reputational, or other harm to the individual. Electronic PHI that was strongly encrypted (and whose key was not also compromised) is excluded. Also excluded are certain events within your practice, such as accidentally looking up the wrong patient.

"Poses a significant risk" is assumed unless you can demonstrate that the risks are low. You will need to do a simple risk analysis to determine this. The items to consider might be:

  • Who used or received the information in violation of HIPAA
  • The specific data elements that were breached
  • The likelihood the information is accessible and usable
  • The likelihood the breach may lead to harm
  • Your ability to mitigate the risk of harm
Many HIPAA violations will meet the definition of "Breach". Note that the "Breach" events involving large numbers of patients (the ones reported in the media) are most often lost or stolen devices: laptops, desktop computers, removable electronic media, etc. Unencrypted PHI on such a device is a reportable Breach; the encryption exclusion above is the reason to encrypt them before they are lost.

You must send specific information to ALL patients whose PHI is, or is reasonably believed to be, included in the Breach. If the Breach is of more than 500 patients, you ALSO must send a press release to media outlets likely to reach most of them.

If one of your Business Associates has a Breach, they are required to report it to you, and you are required to notify the patients.

You also must report the Breach to the Department of Health and Human Services: without unreasonable delay (and in no case later than 60 days) for those involving more than 500 patients, and in an annual log for the others. You have the burden of proof that all of these things were done.

Back to Contents

   

As tedious as some of this seems, NOT doing it can be much more costly


HIPAA REQUIRES SAFEGUARDS OF ELECTRONIC PATIENT RECORDS AND ELECTRONIC SYSTEMS






   

Security Overview
Under HIPAA, you are required to:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated inappropriate uses or disclosures.
  • Ensure compliance by your workforce.

Security measures implemented to comply with standards and implementation specifications must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information.

   







HIPAASimple.com fits your compliance to your systems and capabilities

   

Flexible and Scalable
The Rule allows you to "use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this [regulation]." You will need a "Risk Assessment" document to show why you approached the needed safeguards in the manner you did. In doing so, you must consider the following factors:

  • The size, complexity, and capabilities of the covered entity.
  • The covered entity's technical infrastructure, hardware, and software security capabilities.
  • The costs of security measures.
  • The probability and criticality of potential risks to electronic protected health information.
Back to Contents

   



   

Addressable Standards
Some of the Security safeguards are 'addressable' instead of required. You must examine (and document) the addressable safeguards considering the following factors:

  • Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information, and;
  • Implement the implementation specification if reasonable and appropriate; or
  • If implementing the implementation specification is not reasonable and appropriate-- then
  • Document why it would not be reasonable and appropriate to implement the implementation specification; and
  • Implement an equivalent alternative measure if reasonable and appropriate.
Back to Contents

   

'Addressable' does NOT mean 'Optional'







These 42 (total) different implementation standards are all handled by HIPAASimple.com

   

Administrative Safeguards
For each standard below, you must implement every implementation specification marked Required. For each one marked Addressable, you must either implement it, or document why it is not reasonable and appropriate and what equivalent alternative you use instead:

  • Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
    • Risk analysis (Required)
    • Risk management (Required)
    • Sanction policy (Required)
    • Information system activity review (Required)
  • Standard: Assigned security responsibility (required). Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
  • Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided in this regulation, and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.
    • Authorization and/or supervision (Addressable)
    • Workforce clearance procedure (Addressable)
    • Termination procedures (Addressable)
  • Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of HIPAA.
    • Isolating health care clearinghouse functions (Required)
    • Access authorization (Addressable)
    • Access establishment and modification (Addressable)
  • Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
    • Security reminders (Addressable)
    • Protection from malicious software (Addressable)
    • Log-in monitoring (Addressable)
    • Password management (Addressable)
  • Standard: Security incident procedures. Implement policies and procedures to address security incidents.
    • Response and reporting (Required): Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
  • Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
    • Data backup plan (Required)
    • Disaster recovery plan (Required)
    • Emergency mode operation plan (Required)
    • Testing and revision procedures (Addressable)
    • Applications and data criticality analysis (Addressable)
  • Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
  • Standard: Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.
Back to Contents

   



   

Physical Safeguards
For each standard below, you must implement every implementation specification marked Required. For each one marked Addressable, you must either implement it, or document why it is not reasonable and appropriate and what equivalent alternative you use instead:

  • Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
    • Contingency operations (Addressable)
    • Facility security plan (Addressable)
    • Access control and validation procedures (Addressable)
    • Maintenance records (Addressable)
  • Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
  • Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
  • Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
    • Disposal (Required)
    • Media re-use (Required)
    • Accountability (Addressable)
    • Data backup and storage (Addressable)
Back to Contents

   



   

Technical Safeguards
For each standard below, you must implement every implementation specification marked Required. For each one marked Addressable, you must either implement it, or document why it is not reasonable and appropriate and what equivalent alternative you use instead:

  • Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.
    • Unique user identification (Required)
    • Emergency access procedure (Required)
    • Automatic logoff (Addressable)
    • Encryption and decryption (Addressable)
  • Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  • Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
    • Mechanism to authenticate electronic protected health information (Addressable): Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
  • Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
  • Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
    • Integrity controls (Addressable)
    • Encryption (Addressable)
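As an added example (not code from HIPAASimple.com or from HHS), the Python below shows one way to implement the 'Integrity' and 'Audit controls' standards above, together with 'Unique user identification': each chart record carries an HMAC-SHA256 tag so that an edit made outside the application is detected, and each access event goes into a hash-chained, append-only log so that editing, reordering or deleting an entry is detected. The key, user ids, patient ids, diagnosis codes and records are all constructed for the example; a real deployment would keep the key and the latest chain hash where the people who can edit the database cannot reach them.

```python
"""
Added example (not from HIPAASimple.com or HHS): a tamper-evident audit log
and an HMAC integrity tag for ePHI records, illustrating the Technical
Safeguards 'Audit controls' and 'Integrity' standards. The key, user ids and
patient records below are constructed for the example.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Hypothetical integrity key. In a real system it is generated randomly and kept
# apart from the database, so whoever can edit a record cannot re-sign it.
INTEGRITY_KEY = b"example-only-key-do-not-use-in-production"

GENESIS = "0" * 64  # 'previous hash' of the very first audit entry


def canonical(obj: dict) -> bytes:
    """Deterministic JSON encoding so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its fields."""
    body = {k: v for k, v in record.items() if k != "mac"}
    return {**body, "mac": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


def verify_record(record: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record's fields still match the tag they were sealed with."""
    body = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(record.get("mac", "")))


class AuditLog:
    """Append-only hash chain: every entry commits to the hash of the one before it,
    so editing, reordering or deleting an interior entry breaks every later link."""

    def __init__(self):
        self.entries = []

    def append(self, user_id: str, action: str, record_id: str,
               when: Optional[datetime] = None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user_id,      # unique user identification (Required)
            "action": action,     # e.g. view / update / print / export
            "record": record_id,
            "prev": prev,
        }
        entry = {**body, "hash": hashlib.sha256(canonical(body)).hexdigest()}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; store it somewhere the log's writer cannot reach."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return None if the chain is intact, otherwise the index of the first bad entry.
        With the last known head hash supplied, silent truncation is detected too."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if body.get("prev") != prev or hashlib.sha256(canonical(body)).hexdigest() != e.get("hash"):
                return i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)   # entries were removed from the end
        return None

    def accesses_to(self, record_id: str) -> list:
        """(user, action) pairs for one record: the raw material of an activity review."""
        return [(e["user"], e["action"]) for e in self.entries if e["record"] == record_id]


def demo() -> dict:
    """Run the scenario end to end and return what each check reported."""
    out = {}
    chart = seal_record({"patient_id": "P-1001", "dx": "J06.9", "note": "URI, rest and fluids"})
    out["intact_record_ok"] = verify_record(chart)
    altered = {**chart, "dx": "F41.1"}              # edited without going through the application
    out["altered_record_ok"] = verify_record(altered)

    log = AuditLog()
    log.append("dr.lee", "view", "P-1001")
    log.append("frontdesk", "view", "P-1001")
    log.append("dr.lee", "update", "P-1001")
    saved_head = log.head()                          # recorded off-box at end of day
    out["clean_chain"] = log.verify(saved_head)     # None: nothing wrong

    log.entries[1]["user"] = "dr.lee"                # try to hide who looked at the chart
    out["tampered_index"] = log.verify(saved_head)  # 1: the edited entry
    log.entries[1]["user"] = "frontdesk"             # undo the edit
    log.entries.pop()                                # try to erase the last action
    out["truncated_index"] = log.verify(saved_head) # 2: entries missing after index 1
    out["who_viewed"] = log.accesses_to("P-1001")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points worth noting. A plain hash over a record would not satisfy the Integrity standard, because anyone who can edit the row can recompute the hash; the HMAC needs a key the editor does not hold. And a hash chain by itself cannot tell you that the newest entries were deleted, which is why `verify` accepts the last known head hash: write that value somewhere the log writer cannot modify (a nightly printout, a separate system) and compare against it during the periodic information system activity review.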
Back to Contents

   


HIPAA REQUIRES SPECIFIC CONTRACTS AND AGREEMENTS


   

Overview of Specific Contracts and Agreements
HIPAA requires certain contracts and agreements to be in place for compliance.

  • Notice of Privacy Practices - whether you are a "direct or indirect" treatment provider
  • Business Associate Agreements
  • Patient Authorizations - which must include specific elements
  • Data Use Agreements - ONLY if you disclose a "limited data set"
Back to Contents

   



With HIPAASimple.com - you answer a few questions and print the document

   

Notice of Privacy Practices
An individual has a right to adequate notice of the uses and disclosures of protected health information that you may make, and of their rights and your legal duties with respect to protected health information. Patients in a 'Direct Treatment Relationship' are handled differently than patients in an 'Indirect Treatment Relationship' (click below for a definition).

You must make a 'good faith effort' to give each patient in a Direct relationship your Notice of Privacy Practices. You will need to keep an acknowledgement from the patient that they received it. For Indirect relationship patients, you must make the Notice available on request.

If you have a website for patients, your Notice must be posted there, as well.
>>Click here for HHS' discussion of the 'plain language' requirement
>>Click here for HHS' discussion of Direct and Indirect Treatment Relationships

   

The content required in this notice is specific, and specific to your practice.



   

Business Associate Agreements
You must contractually establish the limits and requirements of uses and disclosures of health information by business associates. A Business Associate is any person or organization that receives, creates, stores, or processes PHI on your behalf.

Billing services, answering services, transcriptionists, document management services, your attorney (if they ever review health records), your accountant (if they ever see PHI), coding auditors (working on YOUR behalf), health or regional information exchanges, e-prescribing gateways, appointment verification services, and portals to give your patients access to PHI are all examples. Payers or other providers of health services are normally NOT business associates, since they are working on behalf of the patients.

Business associates are also regulated by HIPAA, and are also required to have this agreement in place. This agreement details each party's responsibilities.

   

Business associates now have their own requirements under HIPAA



   

Patient Authorizations
You may not use or disclose protected health information without a valid authorization except as otherwise permitted or required by HIPAA. An authorization is required for most uses and disclosures that are not in the categories of (1) treatment, payment, or health care operations; (2) incidental disclosures; (3) disclosures to family or friends; (4) fundraising; or (5) public policy situations.

The patient must sign the authorization. The content requirements of these authorizations are specific, with additional requirements in the area of marketing.

   



   

Data Use Agreements
If you disclose a 'Limited Data Set' of health information for research, data aggregation, or health care operations, you must have a valid Data Use Agreement before doing so.

   


HIPAA REQUIRES YOU TO HAVE NEW, SPECIFIC ADMINISTRATIVE SYSTEMS


   

Overview of Administrative Systems
You will need specific administrative systems in place to meet HIPAA compliance requirements.

  • Privacy / Security Official
  • Policies and Procedures
  • Workforce Training
  • Safeguards
  • Complaints and Retaliation
  • Mitigation and Sanctions
  • Complete Documentation
  • Preemption of State Law
Back to Contents

   



   

Privacy / Security Officials
You must designate a privacy official who is responsible for the development and implementation of the policies and procedures and is the contact person for questions or complaints. Although the HIPAA regulations allow the privacy official and the contact person or office to be different, for private practice HIPAASimple.com recommends these be the same person.

You must also designate a security official who is responsible for the development and implementation of the security safeguards. This person can be the same as the privacy official.

   

HIPAASimple.com will give this person in your office the guidelines needed to perform these functions.



Users of HIPAASimple.com receive these policies and procedures specific to their organization

   

Policies and Procedures
You must implement policies and procedures with respect to protected health information that are designed to comply with HIPAA Privacy.

The policies and procedures must be reasonably designed, taking into account the size and type of activities that relate to protected health information undertaken by your organization, to ensure such compliance. You must modify the policies and procedures any time there is a change in the HIPAA Privacy regulations, or a material change in your practice affecting your privacy practices.

HIPAASimple.com delivers policies and procedures specific to your practice, and tells you anytime changes in the law require you to change them. If you change your operations, you simply enter your changes, and HIPAASimple.com tells you which materials and guides to reprint.

   



Training on the general rules of HIPAA does NOT meet this requirement

   

Workforce Training
You must train all members of your workforce on the policies and procedures with respect to protected health information.

This training must be appropriate to the functions performed by the workforce member in your practice. You must retrain any time a person's functions are affected by a material change in policies or procedures. HIPAASimple.com gives the training materials needed for each function in your practice, and will deliver new materials whenever you make a change to your practice information entered and stored on our system.

   

Ongoing training is key to HIPAA Privacy compliance



   

Safeguards
You must have appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

To 'reasonably safeguard' will require physical arrangement and other procedures to prevent the wrong ears and eyes from hearing and seeing the information.

   

The 'facility guides' at HIPAASimple.com will help you accomplish this for your specific situation.



A good compliance program will prevent most complaints

   

Complaints and Retaliation
You must provide a process for individuals to make complaints, and you MUST NOT RETALIATE.

The process must be simple, and listed in your Notice of Privacy Practices. You must document every complaint, and its disposition. Of course, any negative action taken against that person, whether patient, employee, or someone else, must be done with great caution and good cause from that point.
>>Click here for the HHS complaint addresses by Region

   



Mitigation will require a quick response to any situation or complaint where a violation is discovered

   

Mitigation and Sanctions
You must mitigate, to the extent practicable, any harmful effect that is known concerning a use or disclosure of protected health information in violation of HIPAA by your organization, workforce, or business associates.

You must have AND APPLY appropriate sanctions against members of your workforce who fail to comply with the privacy policies and procedures required by HIPAA. As an employer, your workforce must know in advance these sanctions are in place, and must know the policies and procedures they are expected to follow.

   

HIPAASimple.com provides the materials and documentation you need.



   

Complete Documentation
HIPAA requires you to document most everything done concerning the Privacy regulations. You need to demonstrate your effective training, monitoring, and handling of health information, and processing of complaints or violations.

   

Forms and filing system of HIPAASimple.com make this SIMPLE



   

Preemption of State Law
HIPAA Privacy preempts contrary state law, except when:

  • The state law concerns the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention; or
  • The state law is MORE STRINGENT than HIPAA.
Back to Contents

   


HIPAA FINES AND PENALTIES


   

Overview of Fines and Penalties
You can be fined for any HIPAA violation. The amount of the fines and the push to apply them has recently increased dramatically. If a fine is applied to a violation, the amount will vary based on whether or not you have an active HIPAA compliance program in place, AND if not, whether or not you corrected the problem.

Recent regulations have clarified "Individual Criminal Acts", the fines, penalties, and who can be prosecuted.

   



   

Fines for HIPAA Violations
Category of violation | Fine per occurrence | Yearly max (per identical provision)
(A) The person did not know (and by exercising reasonable diligence would not have known) that a violation was committed | $100 - $50,000 | $1,500,000
(B) The violation was due to reasonable cause and not to willful neglect | $1,000 - $50,000 | $1,500,000
(C.1) Due to willful neglect, and the violation is corrected | $10,000 - $50,000 | $1,500,000
(C.2) Due to willful neglect, and the violation is NOT corrected | $50,000 | $1,500,000

Examples of willful neglect include a provider not knowing about, or making any efforts to comply with, the HIPAA requirements, someone in the practice failing to train new hires, etc.

   



   

Penalties for Criminal Acts
A person who knowingly and in violation of this part [the HIPAA regulations]

  1. Uses or causes to be used a unique health identifier;
  2. Obtains PHI relating to an individual; OR
  3. Discloses PHI to another person
shall:
  1. Be fined not more than $50,000, imprisoned not more than 1 year, or both;
  2. If the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; AND
  3. If the offense is committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
This applies NOT just to providers or staff. ANYONE shall be considered to have obtained or disclosed PHI in violation of this part if the information is maintained by a covered entity and the individual obtained or disclosed such information without authorization.

Examples of individuals who have received prison terms include a doctor at a hospital who viewed the medical records of some of his co-workers, and a technician who used patient records for identity theft.

Back to Contents