Blog Post

HIPAA Frequently Asked Questions

Richard P. Kusserow | March 2020

HIPAA Compliance Overview

Listed below are frequently asked questions about HIPAA compliance requirements. Browse this resource for the basics of how your organization can become HIPAA compliant.

If you are unable to find the answers you are looking for, please contact the HIPAA compliance team with your question by calling our lead consultant, Catie Heindel, at (847) 256-2323 or by clicking here to contact us online.

HIPAA Privacy Rule

Have Compliance Concerns? We Have Solutions.

Speak with an Expert Today

HIPAA Security Rule


HIPAA Privacy Rule Frequently Asked Questions

Question: What does the HIPAA Privacy Rule do?

Answer: The HIPAA Privacy Rule creates national standards to protect individuals’ personal health information. More specifically, the HIPAA Privacy Rule:

  • Health plans
  • Health care clearinghouses
  • Health care providers who conduct certain electronic financial and administrative transactions such as electronic billing and fund transfers.

Question: What does the HIPAA Privacy Rule require health care providers to do?

Answer: Generally, health care providers are required to conduct the following compliance activities:

  • Secure patient’s medical records and other personal health information.
  • Notify patients about his or her privacy rights and explain to the patient how their health information can be used.
  • Establish and follow privacy procedures for the health care provider’s organization.
  • Administer HIPAA training to employees to ensure understanding with both Federal and state laws, as well as the organization’s privacy procedures.
  • Appoint a Privacy Official to oversee the organization’s privacy program.

Question: Are patients required to pay for copies for their medical records when requested?

Answer: Under the Privacy Rule, covered entities may charge reasonable cost-based fees for copying patients’ medical records. The fees should only include the cost of copying the medical records and postage (if the patient requests medical records to be mailed). The fee may not include costs related to the searching and retrieving of the requested medical record.

Question: Can a personal representative of an adult or emancipated minor access an individual’s medical record?

Answer: The HIPAA Privacy Rule treats an individual’s personal representative as the individual. This applies if the personal representative is for an adult or emancipated minor. As a personal representative, he or she may access the individual’s medical records and is authorized to make health care decisions on behalf of the individual. It is important to note that there is an exception to this provision. Covered entities are not required to treat a personal representative as an individual, if the entity believes that doing so would not be in the best interest of the individual, i.e., covered entity exercises professional judgment. For example, if an individual is subject to domestic violence, abuse, or neglect and the personal representative may be involved, the covered entity may not grant the personal representative as the individual.

Question: Can individuals revoke their authorization?

Answer: In accordance with the HIPAA Privacy Rule, individuals have the right to revoke their authorization at any time. In order to revoke his or her authorization, the individual must submit a written revocation to the covered entity. The written revocation is effective when the covered entity receives it.

Question: Are there any exceptions to the HIPAA Privacy Rule disclosure standards?

Answer: Covered entities are not required to obtain individual’s authorization for the following disclosures:

  • Disclosures for health oversight activities
  • Disclosures for organ donation or transplantation
  • Disclosures for specialized government functions
  • Disclosures for Worker’s Compensation
  • Disclosures made for judicial and administrative proceedings
  • Disclosures made to avert imminent threat to health or safety of a person or public
  • Disclosures made to law enforcement
  • Disclosures related to public health
  • Disclosures that are required by law
  • Disclosures to coroners and medical examiners
  • Reports to government agencies of abuse, neglect or domestic violence

Question: Is there a difference between consent and authorization under the HIPAA Privacy Rule?

Answer: Covered entities are permitted, however not required, to voluntarily obtain patient consent for uses and disclosures of protected health information for the purposes of treatment, payment, and health care operations. An “authorization” under the HIPAA Privacy Rule is required for uses and disclosures of protected health information that is not permitted by the Privacy Rule. Further, when the Privacy Rule requires patient authorization, a voluntary patient consent is not sufficient to satisfy the requirement of a valid authorization.

Question: Are covered entities required to prevent all risk of incidental use or disclosure of protected health information?

Answer: According to the HIPAA Privacy Rule, covered entities are not required to eliminate all risk of incidental use or disclosures. However, the Privacy Rule does require covered entities to adopt and implement reasonable safeguards to limit incidental uses or disclosures.

Question: Can a covered entity hire a business associate to dispose of PHI?

Answer: A covered entity can hire a business associate to dispose of PHI, but the business associate must enter into a contract with the covered entity. The contract should require that the business associate dispose of the PHI in accordance with Federal and state laws.

Question: What are the HIPAA Privacy and Security requirements for disposing protected health information?

Answer: Covered entities are required to apply the appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. This applies to all forms of protected health information. As such, covered entities are not permitted to abandon protected health information or dispose such information that it will be accessible to the public or unauthorized individuals. Covered entities are required to train their workforce on the proper disposal of protected health information. It is important to note that under federal standards, the “workforce” includes volunteers. Covered entities should also determine what steps are reasonable to dispose protected health information while comply with the HIPAA Privacy and Security Rules.

HIPAA Security Rule Frequently Asked Questions

Question: What is the purpose of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule?

Answer: HIPAA established Federal standards for the security of electronic protected health information (e-PHI). The Security Rule is designed to ensure that every covered entity has implemented safeguards to protect the confidentiality, integrity, and availability of e-PHI. Due to the growth in the exchange of e-PHI between covered entities, as well as non-covered entities, the Security Rule standards aim to protect an individual’s health information, while permitting the appropriate access and use of that information by health care providers, clearinghouses, and health plans. The standards established by the Security Rule are considered to be the least amount of protection that is required (“floor”); State laws may provide more stringent standards that should be applied over and above the new Federal security standards.

Question: What is the difference between the addressable and required implementation specifications in the Security Rule?

Answer: The Security Rule utilizes two types of implementation specifications to address how the administrative, physical and technical safeguards should be met. Where a specification is described as “required,” the specification must be implemented. Where the rule states that the specification is “addressable,” a covered entity has some flexibility with respect to how to comply with the standard. In order to meet standards that contain addressable implementation specifications, a covered entity may choose to follow one of the options listed below:

  • Implement the addressable implementation specifications as outlined in the rule;
  • Implement one or more alternative security measures that will accomplish the same purpose;
  • Decide not to implement either the addressable implementation specification or an alternative. However, where a covered entity chooses this option, the reasoning supporting the decision must be documented. The written documentation should include the factors considered by the covered entity, as well as the results of any risk assessment on which the decision was based.

Question: What types of information does the Security Rule cover?

Answer: The standards and specifications of the Security Rule apply only to electronic protected health information (e-PHI). E-PHI includes telephone voice response and fax back systems, as these systems can be used as input and output devices for electronic information systems. E-PHI does not include paper-to-paper faxes or video teleconferencing or messages left on voice mail, because the information being exchanged did not exist in electronic form before the transmission. It should be noted that, conversely, the requirements of the Privacy Rule apply to all forms of protected health information, including written and oral.

Question: How can a covered entity determine whether its organizational systems comply with the Security Rule’s requirements?

Answer: HIPAA Security compliance is different at each organization and is an ongoing and ever changing process. As such, the Security Rule does not outline any single strategy that is designed to fit all covered entities. However, Section §164.306 of the Security Rule contains guidance that organizations can use when deciding how to best comply with the standards and implementation specifications. In general, organizations can attest to its compliance efforts with respect to the Security Rule by:

  • Performing a risk analysis;
  • Performing periodic technical and non-technical evaluations of the information security environment;
  • Implementing reasonable and appropriate security measures; and
  • Documenting and maintaining policies, procedures and other required documentation.

Question: Does the Security Rule require an organization to use specific technologies?

Answer: No. The Security Rule standards are “technology neutral” in order to allow covered entities to use technologies that meet their individual organizational needs. As the various technologies and software used by the health care community are rapidly developing, improving and changing, the Security Rule aimed to avoid binding covered entities to the use of a specific system.

Question: Are covered entities required to certify organizational compliance with Security Rule standards?

Answer: No. There is no standard or implementation specification outlined in the Security Rule that requires a covered entity to “certify” compliance. However, the Security Rule evaluation standard does require covered entities to perform a periodic technical and non-technical evaluation to test whether the organization’s security policies and procedures meet security requirements. Such evaluations can be performed internally or externally. Organizations may decide to use external organizations, for example, a consulting company, to perform the evaluation as these companies may have more Security knowledge or may be able to provide an outside view of operations.

Question: What agency is in charge of enforcing the HIPAA Privacy and Security standards?

Answer: The HIPAA Privacy and Security Rules are enforced by the Office for Civil Rights (OCR).

Question: What is the difference between Security Risk Analysis and Risk Management?

Answer: Risk management is the process and activities that organizations conduct to implement the required security measures in order to sufficiently reduce an organization’s risk of losing or compromising its e-PHI. On the other hand, the Security Rule defines risk analysis as the assessment of the risks and vulnerabilities that could negatively impact the confidentiality, integrity, and availability of e-PHI in its possession, as well as the overall likelihood of incident occurrence. When conducting a risk analysis, organizations may want to: (1) take inventory of all systems and applications that are used to access and house data, and (2) classify each system by level of risk. Additionally, when looking at each system, covered entities should consider all relevant losses that would be expected if the security measures were not in place. Losses to consider include: loss or damage of data, corrupted data systems, and anticipated ramifications of such losses or damage.

Question: What are possible examples of threats to consider when conducting a risk analysis?

Answer: A covered entity should determine which risks to examine by identifying potential sources of threats, as well as the probability and likely impact of the threat, that would affect the confidentiality, integrity, and/or availability of e-PHI. The National Institute for Standards and Technology (NIST) categorizes threats into three common categories: Human, Natural, and Environmental. The list below contains a several examples of the types of threats that exist in each category:

  • Natural: Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
  • Human: Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network based attacks, malicious software upload, unauthorized access to confidential information).
  • Environmental: Long-term power failure, pollution, chemicals, and liquid leakage.

Have Compliance Concerns? We Have Solutions.

Speak with an Expert Today

Question: What must a covered entity do in order to comply with the Security Incidents Procedures standard?

Answer: The HIPAA Security Rule defines a security incident as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” The rule requires that each covered entity develop and implement policies and procedures that outline how to deal with potential security incidents, including:

  • How to identify a security incident
  • How to report a security incident
  • How to appropriately respond to a security incident
  • How to mitigate the harmful effects of an identified security incident
  • How to document information regarding a security incident and outcome

Question: How does the Security Rule define physical safeguards?

Answer: The Security Rule requires covered entities to implement physical safeguard standards to protect their electronic information systems. Physical safeguards are defined as physical measures, policies, and procedures that an organization uses to protect its electronic information systems, buildings and equipment from natural and environmental hazards and unauthorized intrusion. These standards must be implemented for both systems housed on the covered entity’s premises or at another location. The Security Rule physical standards are broken down into the following categories:

  • Facility access controls;
  • Workstation use;
  • Workstation security; and
  • Device and media controls.

Question: What is encryption and are covered entities required to use encryption by the Security Rule?

Answer: OCR defines encryption as a method of converting an original message of regular text into encoded text, by means of an algorithm (type of formula). As the Security Rule categorized the encryption implementation specification as addressable, it is not required. However, where an organization determines, during its risk assessment, that the encryption specification is a reasonable and appropriate safeguard in its risk management processes, encryption should be used. On the other hand, where a covered entity decides that the use of encryption is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate.

Question: Does the Security Rule contain requirements for access control, such as automatic logoff?

Answer: Yes. Covered entities are required to implement appropriate safeguards to protect the organization’s data, regardless of where the employee is working (in office, at home, remotely). As such, organizations should consider, during a risk assessment, whether the use of automatic logoff procedures are a reasonable and appropriate safeguard in the company’s work environment. If the covered entity decides that the logoff implementation specification is not reasonable and appropriate, this determination should be documented and an equivalent alternative measure should be implemented.

Question: What protections are required to ensure that e-PHI is properly sent in an email or over the Internet?

Answer: Covered entities may send e-PHI over an electronic open network as long as it is adequately protected. The Security Rule standards for access control, integrity and transmission security state that covered entities must develop appropriate policies and procedures that restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. As such, before sending emails with e-PHI, a covered entity should:

  • Assess its use of open networks,
  • Identify the available and appropriate means to protect e-PHI as it is transmitted,
  • Select a solution, and
  • Document the decision.

Question: Can a covered entity assign the same log-on identification (ID) or user ID to multiple employees?

Answer: No. The Security Rule requires that all covered entities, regardless of size or type, assign a unique name and/or number for identifying and tracking user identity. The term user is defined as a “person or entity with authorized access.” As such, covered entities are required to assign a unique name and/or number to each employee who uses a system that maintains e-PH. This allows a covered entity to identify and track system access and activity by user.

Question: Can a covered entity reuse or dispose of computers or other electronics that store e-PHI?

Answer: Covered entities may dispose of or reuse computers or other electronics that store ePHI if certain steps have been taken to remove the e-PHI that was stored on the computer or electronic device. The HIPAA Security Rule contains specific requirements that address the disposition of ePHI.

HITECH Act Frequently Asked Questions

Question: What is the HITECH Act?

Answer: The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA), was signed into law on February 17, 2009. The HITECH Act was designed to promote the adoption and meaningful use of health information technology. Notably, the HITECH Act did the following:

  • Requires HIPAA covered entities and business associates to provide notification following a breach of unsecured protected health information (PHI)
  • Extends many of the responsibilities contained in the HIPAA Security Rule to Business Associates
  • Provides individuals with a right to obtain their PHI in an electronic format where the covered entity has implemented an electronic health record (EHR) system
  • Strengthens the civil and criminal enforcement of the HIPAA rules

Question: What actions must covered entities take to comply with the HITECH Act breach notification requirements?

Answer: The HITECH Act breach notification requirements make it mandatory for HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). Where a breach has occurred, covered entities must promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. There are specific timeframes for notification, as well as content and methodology required for each notification.

Question: What is the definition of a breach?

Answer: According to provisions in the HITECH Act, a breach is defined as an “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.” However, there are three types of scenarios that provide an exception to the breach definition:

  • Where PHI is unintentionally acquired, accessed, or used by a workforce member acting under the authority of a covered entity or business associate
  • Where PHI is inadvertently disclosed from a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate.
  • Where there is a good faith belief, by the covered entity or business associate, that the unauthorized individual to whom the impermissible disclosure of PHI was made would not have been able to retain the information.

Question: How did the HITECH Act change business associate HIPAA responsibilities?

Answer: Before the HITECH Act, covered entities imposed HIPAA privacy and security requirements on business associates by entering into contractual Business Associate Agreements (BAA). However, the HITECH Act now requires all business associates to comply with the HIPAA Security Rule administrative, physical and technical safeguards, regardless of whether a BAA is in place between the business associate and covered entity.

Question: Have the final HITECH Act regulations been released yet?

Answer: They are scheduled for release later summer 2012.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.

Subscribe to blog