FAQ HIPAA Compliance

How does HIPAA protect medical records?

  • Patients can find out who is able to receive and view their medical information, as well as how this information may be used.
  • Patients have the right to examine and obtain a copy of their health records.
  • Individuals can control certain ways in which their health information may be used or disclosed.
  • Disclosure of information must follow a minimum necessary standard.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to establish a nationally accepted standard of regulations that protect medical information and keep it confidential.

How can health information be disclosed under HIPAA guidelines?

Permission Granted by the Individual.
Health information may be disclosed to outside entities or individuals if the individual grants permission. The individual must have the opportunity to agree or object before permission is granted. An exception can be made, however, if the individual is incapacitated, an emergency situation exists, or disclosure is determined to be in the best interests of the individual according to the provider’s professional judgment.

Facility Directories.
It is a common practice in many health care facilities, such as hospitals, to maintain a patient directory. A covered health care provider may rely on informal permission to list the name, general condition, religious affiliation, and location of individuals in the provider’s facility. Providers may then disclose the minimum required information to anyone asking for the individual by name, or to religious organizations matching the individual’s affiliation. Members of the clergy are not required to ask for the individual by name when inquiring about patients’ religious affiliation.

For Notification and Other Purposes.
Informal permission may be granted to family, relatives, or friends, or to other persons whom the individual identifies. Protected health information may also be disclosed to persons directly involved in an individual’s care or in obtaining payment for that care; for example, a pharmacist may hand a filled prescription to a person acting on behalf of the patient. Similarly, a covered entity may rely on an individual’s informal permission to use or disclose protected health information for the purpose of notifying (including identifying or locating) family members, personal representatives, or others responsible for the individual’s care of the individual’s location, general condition, or death. In addition, protected health information may be disclosed for notification purposes to public or private entities authorized by law or charter to assist in disaster relief efforts.

For example, a pharmacist is able to dispense prescription medication on the patient’s behalf based on the minimum required information.

Who is required to comply with HIPAA rules?

A complete definition of the covered entities and business associates required to follow HIPAA’s rules and regulations is provided on the U.S. Government Publishing Office website.

HIPAA protects any health information that can be used to identify an individual. Such information includes any health information created or received by:

  • Healthcare providers (chiropractors, clinics, dentists, doctors, nursing homes, pharmacies, and psychologists)
  • Individual or group plans that provide or pay the cost of health care
  • Public health authorities
  • Healthcare clearinghouses

Entities identified as “business associates” may also need to access health information when providing services.
Examples of business associates include:

  • Billing companies and companies that process your health care claims
  • Companies that help administer health plans
  • Outside professionals such as lawyers, accountants, and IT specialists
  • Companies that store or destroy medical records

What are a patient’s rights regarding protected health information?

Patients have six fundamental rights:

1. The right to receive a notice about privacy policies.
The notice serves as the terms of service that state specifically how personal information will be used. It must include information about HIPAA, the information kept on record, and the right to file a complaint if a patient feels their rights have been violated. Practices must also inform the patient when their information will be transferred to another entity as part of their treatment.

2. The right to access the medical information.
A patient may request a summary of their records to be delivered within a designated time period. If necessary, a practice may charge the patient a reasonable fee for reproduction.
There are some exceptions under which a practice may deny a patient access to records. However, this decision must be reviewed by another licensed professional designated in the practice’s privacy policies and procedures.

3. The right to limit the uses and disclosure of medical information.
The patient has the right to restrict who may access their medical records, including a diagnosis, whether outside entities or family members. This can cause conflict if a practice is required to report the patient’s data to their health plan. Should a practice agree not to disclose the data, the agreement should be documented. If not, the patient can either cancel the request or look elsewhere for treatment.

4. The right to request amendments to the medical record.
A patient is allowed to request amendments in a pre-specified manner (e.g., in writing). This request can be refused, but the patient does have the right to appeal. If a practice agrees to amend the patient’s record, it must notify the individual, and any others who were provided the information, that it has been amended.

5. The right to revoke or limit authorization.
If your practice uses or discloses personal health information for any reason other than treatment, payment, or healthcare operations, authorization must be obtained from the patient. The authorization is a form that states what information will be disclosed and how the disclosure will be made. Parental access to minors’ medical records continues to be controlled by state law.

6. The right to an accounting of disclosures of personal health information.
According to the Privacy Rule, patients can ask to see what disclosures have been made, but only for the past six years.

What Information is Protected by HIPAA?

Any information that identifies an individual based on:

  • Private health information provided by doctors, nurses, and other healthcare providers for a medical record
  • Conversations between a doctor or nurse and a patient regarding care or treatment
  • Private health information stored by a health care provider
  • Billing information
  • Common identifiers of an individual (e.g., name, address, birth date, Social Security Number)

Such information is protected whether it is communicated or recorded verbally, in writing, or in any other form or medium.

What is the minimum necessary standard?

The minimum necessary standard is a key protection of the HIPAA Privacy Rule. It requires an entity to make reasonable efforts to use, disclose, or request only the minimum amount of protected health information needed to accomplish the intended purpose of the use or disclosure.

When creating policies and procedures for the access and use of protected health information, covered entities should ensure that workforce members have access only to the information required for their job function. Access to information not pertinent to their job function should be denied.

How does HIPAA apply to businesses that aren’t covered entities?

The government created the concept of “business associates” to address this. A business associate is a person or entity outside a covered entity that has access to health information.
Examples include billing companies, transcription services, practice management companies, financial managers, auditors, service providers, software vendors, and data storage companies.

To comply with the privacy regulation, a covered entity must have a written contract with each business associate that guarantees the privacy of personal health information to the same standards as a covered entity. Such a contract benefits the covered entity, which then knows it is dealing with a business that understands and complies with HIPAA guidelines.

What is the definition of a covered entity?

HIPAA applies to any entity that falls within one of three categories.

Health Care Providers.
  • Nursing homes

Health Plans.
  • Health insurance companies
  • Company health plans
  • Government programs such as Medicare, Medicaid, and the military and veterans’ health care programs

Health Care Clearinghouses.
  • Companies that function as intermediaries, forwarding claims information from health care providers to insurance payers

An entity that is one or more of these types is referred to as a “covered entity” in the Administrative Simplification regulations. These are entities that transmit any medical or health information in electronic form in connection with a transaction as defined by HIPAA.

Can telemarketers obtain health information and use it to sell goods and services?

A covered entity can share protected health information with a telemarketer only with the express written consent of the individual, or under a business agreement with the telemarketer for a purpose such as informing individuals about the covered entity’s own goods or services.

The telemarketer must agree, by contract, to use the information only for communicating on behalf of the covered entity and informing individuals about the covered entity’s own goods or services. The telemarketer is not permitted to market its own goods or services, or those of any outside entity.