HIPAA FAQ

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. The HIPAA laws are specific to the safeguarding of personal or protected health information (PHI), including your patients' medical records. The three key aspects of HIPAA are the Privacy Rule, the Security Rule, and the Breach Notification Rule.

Who must be HIPAA compliant?

The HIPAA Rules apply to two groups: covered entities and business associates. A covered entity is a health plan, health care clearinghouse or health care provider that electronically transmits health information. Examples of covered entities are:

  • Doctors
  • Dentists
  • Pharmacies
  • Health insurance companies
  • Company health plans

A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information. Examples of business associates (whose services involve access to PHI) are:

  • CPA
  • Attorney
  • IT provider
  • Billing and coding services
  • Laboratories

What is the HIPAA Omnibus Rule?

The final omnibus rule was passed in January 2013 and became effective in March 2013. The rule is intended to strengthen the HIPAA Privacy and Security Rules and the Health Information Technology for Economic and Clinical Health (HITECH) Act. The final omnibus rule expands the HIPAA requirements expected of covered entities and business associates and adds subcontractors of business associates that access PHI to the list of organizations that must comply with HIPAA regulations. The rule requires that business associate agreements be modified to include the requirements of the final omnibus rule. The final omnibus rule also set a compliance date of September 23, 2013 for covered entities, business associates and subcontractors of business associates. So the time to comply is up!

What are the triggers for an audit?

  • Current employee
  • Ex-employee
  • Patients
  • Data breach
  • Random audit

What was I supposed to do by the deadline?

  • Conduct a security risk analysis
  • Create a risk management plan
  • Create or revise Business Associate Agreements
  • Train all employees
  • Create or update policies and procedures

What if I haven’t even started?

  • Designate a privacy and a security officer
  • Begin a security risk analysis
  • Outline a specific plan with dates and milestones
  • Educate and train employees
  • Document your process, findings and actions