HIPAA COMPLIANCE EXPERTS
Call Today: (800) 733-6379

FAQs

Below you will find answers to questions we frequently receive about HIPAA compliance. Should you have other questions, please call us at (800) 733-6379 and we will happily assist you.

How Does an Organization Demonstrate Compliance with HIPAA?

To demonstrate compliance if audited or the subject of a breach investigation, an organization must:

  • Have written and up-to-date policies and procedures (HIPAA risk management plan)
  • Show how they maintain compliance with those policies and procedures
  • Have conducted a HIPAA risk assessment
  • Provide annual HIPAA security awareness training for the entire workforce

Regardless of size, an organization must have a HIPAA security and privacy official who manages the compliance program.

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act, which was passed by Congress in 1996. HIPAA regulations address the following:

  • They protect the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
  • They mandate industry-wide security standards for exchanges of electronic health care information; and
  • They require the protection and confidential handling of protected health information (PHI).

What is HITECH?

HITECH is the acronym for the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, which was signed into law in February 2009. It promotes the adoption and meaningful use of health information technology.

The HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, partly through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

What is the HIPAA Omnibus Rule?

The final HIPAA Omnibus Rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.

  • Patients can ask for a copy of their electronic medical record in an electronic form.
  • When individuals pay by cash for healthcare services, they can instruct their provider not to share information about their treatment with their health plan.
  • The rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.

What is a Covered Entity?

A covered entity is any provider of medical, dental, or other healthcare services or supplies that transmits any protected health information in electronic form. This includes pharmacies, health plans, and healthcare clearinghouses that perform electronic healthcare billing functions.

If your organization files any insurance claims electronically, including reimbursement from CMS for Medicare and Medicaid services, you are considered a covered entity.

What is a Business Associate?

With certain exceptions, a business associate is a person or business that creates, receives, maintains, stores, or transmits PHI for a function or activity for a covered entity.

Examples of business associates are: IT services; billing and coding companies; cloud storage providers; website hosting companies that maintain any patient health questionnaires; and legal, actuarial, accounting, consulting, data collection and analysis, management, administrative, accreditation, or financial services.

What is a Business Associate Agreement?

Under HIPAA, a Business Associate Agreement, commonly known as a “BAA,” is a contract between a covered entity and a designated business associate. The agreement requires that any protected health information maintained by the business associate be handled in accordance with HIPAA regulations.

A BAA must explicitly define how a business associate will report and respond to a data breach, including breaches that are caused by a business associate's subcontractors.

What is the HIPAA Security Rule?

The security standards for the protection of electronic protected health information (ePHI) are commonly known as the HIPAA Security Rule, which establishes national standards for securing patient data that is stored or transferred electronically.

The rule requires the implementation of administrative, technical, and physical safeguards to ensure the secure transmission, storage, and receipt of PHI.

What is the HIPAA Privacy Rule?

The Standards for Privacy of Individually Identifiable Health Information are commonly known as the HIPAA Privacy Rule, which establishes national standards for the protection of patients' protected health information (PHI).

Issued and enforced by the US Department of Health and Human Services (HHS), the rule focuses on limiting the use and disclosure of sensitive PHI.

  • It seeks to protect the privacy of patients by requiring doctors and other healthcare providers to give patients an accounting of each entity to which they disclose PHI for billing and administrative purposes, while still allowing relevant health information to flow through the proper channels.
  • It also gives patients the right to access their own medical records.

What are the Security Standards for HIPAA Compliance?

The Security Rule requires covered entities and business associates to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI.

Specifically, they must:

  • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  • Protect against reasonably anticipated, impermissible uses or disclosures; and
  • Ensure compliance by their workforce.

What is PHI?

Protected health information is individually identifiable health information that is:

  • Transmitted by electronic media
  • Maintained in any electronic medium
  • Transmitted or maintained in any other form (paper records or charts)

There are 18 specific identifiers of protected health information, including patient names, addresses, Social Security numbers, email addresses, fingerprints, and photographic images.

What is EPHI?

Electronic protected health information (ePHI) refers to any protected health information (PHI) that is covered under HIPAA privacy and security regulations and is produced, saved, transferred, or received in an electronic form.

What is a HIPAA Data Breach?

With certain exceptions, a data breach is the acquisition, access, use, or disclosure of electronic PHI in a manner not permitted under the Security Rule, which compromises the security or privacy of the PHI.

A data breach is a release of unsecured PHI/PII to an unauthorized entity or into an insecure environment, whether intentional or unintentional.

This includes any attempted, successful, or improper instance of unauthorized access to or use of information, as well as the misuse, disclosure, modification, or destruction of information or interference with system operations in an information system.

Colington Consulting
