HIPAA FAQ

Frequently asked questions about HIPAA compliance

When it comes to understanding HIPAA, there are several common questions that are asked. Many providers and vendors working in the healthcare space are not fully aware of what exactly HIPAA entails. This is not at all surprising since the HIPAA regulations were drafted in a way in which it can apply to multiple types and sizes of healthcare businesses. That’s why we’ve put together this HIPAA FAQ.

Understanding your requirements under the law can mean all the difference should you be targeted by a HIPAA audit or hacking incident, both of which can lead to reputational damage. Keep reading to check out some of the top HIPAA FAQs we receive from our clients, and from across the healthcare industry.

What kind of information is protected by HIPAA?

The information protected under the HIPAA regulation is known as protected health information (PHI). PHI is defined as any demographic information that can be used to identify a patient, classified into 18 key identifiers. Some examples include a patient’s name, address, telephone number, email address, medical records, financial information, Social Security number, and full facial photo, to name a few.

There is also what is known as electronic protected health information (ePHI) which is any PHI that is stored, maintained, transmitted, or in any way handled in a digital or electronic format.

HIPAA regulation is primarily focused on maintaining the confidentiality, integrity, and availability of PHI and ePHI.

Who needs to be HIPAA compliant?

There are several types of entities that need to be HIPAA compliant. This includes any business that works with protected health information (PHI) in any capacity. HIPAA classifies these entities into two groups, covered entities and business associates.

A covered entity (CE) is any organization that uses or creates PHI over the course of healthcare payment, treatment, or operations. That includes healthcare providers, healthcare clearinghouses, and health insurance plans.

A business associate (BA) is any organization that is hired by a CE or another BA that may have contact with PHI over the course of the work they have been hired to perform. That includes many different organizations, but some common examples of BAs include medical billing and coding services, transcription services, managed service providers, answering services, shredding companies, physical and cloud storage providers, telehealth platforms, EHR platforms, secure messaging platforms, email service providers, practice management firms, attorneys, accountants, and many more.

Both covered entities and business associates must be HIPAA compliant to protect any PHI they encounter.

How do I become HIPAA compliant?

Becoming HIPAA compliant requires that your organization address all standards identified in the HIPAA rules.

However, a good HIPAA compliance program includes more than just policies and procedures addressing HIPAA standards. The following are some of the items that an effective compliance program will address.

Internal audits to assess the status of your compliance compared against the regulation
Remediation plans to fix any gaps in your compliance that your audits may have uncovered
Policies and procedures to document how your organization will address the HIPAA standards
Annual employee training and attestation
Documentation of your compliance program retained for 6 years
Appointing a compliance officer, a privacy officer, and security officer
Vendor management and business associate agreements
Incident management to track and report an incident, should a breach occur

What are HIPAA training requirements and how often does it need to be completed?

Under HIPAA, all employees must be trained annually. However, that training should be built into your onboarding process, rather than having one-off training sessions. This is to ensure that no employee is handling PHI without being properly trained on their HIPAA responsibilities first.

HIPAA training should cover:

HIPAA 101 training
Cybersecurity and awareness training
HIPAA social media training
Incident management training
Training on all policies and procedures
Fraud, Waste, and Abuse training (if your business bills Medicare)

What is a HIPAA risk assessment?

A HIPAA risk assessment is a requirement identified in the regulation, which allows your organization to identify potential areas of risk. These risks can manifest in physical, technical, or administrative safeguards that must be addressed to help mitigate security issues.

You can find out more about a HIPAA risk assessment template here.

Is there HIPAA compliance certification?

The Department of Health and Human Services (HHS) is responsible for creating HIPAA laws, while the Office for Civil Rights (OCR) is responsible for enforcing those laws. Neither governing agencies issue any formal certification for HIPAA compliance in any format. There is also no legitimate HIPAA compliance certification issued by third party organizations. Any claims to the contrary are misleading.

Are all HIPAA compliance solutions the same?

No. Many HIPAA compliance solutions on the market mislead consumers into believing that they address the full extent of the regulation. However, upon closer inspection, it becomes clear that many solutions only address pieces of the regulation. You may commonly see solutions that provide some combination of HIPAA training, HIPAA policies and procedures, or security risk assessments, which market themselves as total HIPAA solutions.

Healthcare professionals and vendors should educate themselves about their HIPAA requirements, and compare the actual regulation against the marketing of these various incomplete solutions.

Only a total HIPAA solution will properly protect your organization in the event of a HIPAA audit–or even help you avoid them altogether.

Is there such a thing as “overkill” when it comes to HIPAA compliance?

HIPAA regulation sets standards for enforcement and fines. Under HIPAA, fines are levied based on the level of “perceived negligence” uncovered by federal auditors. That means that the more your organization has done to properly address and implement an effective compliance program, the better off you’ll be in the long run.

Shortcuts and piecemeal solutions will not only put your patients’ and clients’ data at risk, but it could also mean the difference between thousands (or millions) of dollars in HIPAA fines and passing your audit.

Keep in mind that the regulation mandates you to perform a “good faith effort” toward HIPAA compliance. That means understanding your HIPAA requirements and doing everything that is “reasonably appropriate” to mitigate your risks and become HIPAA compliant. Any efforts you take toward your HIPAA compliance must be properly documented–along with a log of any changes made to your compliance, maintained for up to six years.

When it comes to protecting your business, your reputation, and the privacy of your sensitive healthcare data, there is no such thing as “overkill.”

Are there different HIPAA requirements for different healthcare specialties?

Healthcare specialties all have the same general HIPAA compliance requirements. Though there are certain stipulations within the law which single out disclosures of psychotherapy notes in particular, all other components of the law are common, regardless of medical specialty.

I already address my cybersecurity–does that make me HIPAA compliant?

No! Even though compliance and cybersecurity go hand-in-hand to protect your business, healthcare professionals have very different requirements when it comes to each.

Security is about mitigating the risk of a data breach–caused by a malware incident, ransomware incident, or simple employee error. Compliance, however, is about meeting the requirements laid out by HIPAA.

You need both to protect your business and have peace of mind.

General HIPAA FAQs

What does HIPAA stand for?

HIPAA stands for the Health Insurance Portability and Accountability Act.

Why was HIPAA legislation enacted?

HIPAA was enacted to “improve the portability and accountability of health insurance coverage.” It’s purpose is also to minimize fraud, waste, and abuse in the healthcare space. Additionally, HIPAA protects patients by requiring healthcare organizations to implement privacy and security standards in regards to protected health information.

Why is HIPAA important in healthcare?

HIPAA is so important as it creates minimum standards for the privacy and security of protected health information. It also requires breaches affecting PHI to be reported to individuals affected and the HHS’ OCR. As breaches have become more prevalent in the healthcare space, safeguarding PHI has never been more important. Without adequate privacy and security protections, breaches are inevitable. PHI compromised in a breach can lead to identity theft and financial fraud, and without proper breach notification, patients affected by a breach may be unaware that they are at risk.

What are the basic rules of HIPAA?

There are three basic rules of HIPAA.

This includes:

the HIPAA Privacy Rule which regulates the proper uses and disclosures of protected health information;
the HIPAA Security Rule which requires the confidentiality, integrity, and availability of PHI to be maintained; and
the HIPAA Breach Notification Rule which requires breaches affecting PHI to be reported.

Are HIPAA laws federal or state?

HIPAA is a federal law that regulates businesses working in healthcare. However, there are also state healthcare laws that must be considered. For instance, some state laws have stricter breach reporting requirements than the federal HIPAA requirements. When this is so, the stricter law must be followed.

Are HIPAA laws different in each state?

No matter what state a healthcare business operates in, they must comply with HIPAA. However, healthcare businesses are also required to comply with the state laws in which they operate. For larger businesses that operate in multiple states, they need to comply with each state law in which they operate. For example, a multi-site covered entity that treats patients in both California and Texas, would need to comply with the CCPA and Texas HB 300 in addition to HIPAA.

Where does HIPAA apply?

HIPAA applies to organizations working in healthcare. This includes covered entities and business associates. HIPAA supersedes state healthcare laws except in instances where the state law is stricter than HIPAA. In these instances, the stricter state law must be followed.

When does HIPAA not apply?

There is a common misconception that HIPAA applies to any business that inquires about an individual’s health status. This is not the case. HIPAA ONLY applies to businesses involved in healthcare treatment, payment, or operations (covered entities) and the businesses that they contract to provide services for them (business associates).

This has been an especially hot topic since the start of the coronavirus pandemic. Private businesses such as airlines, restaurants, movie theaters, concert venues, sports arenas, amusement parks, and much more, DO NOT need to comply with HIPAA. These businesses have the right to ask an individual to provide proof of a negative COVID test or vaccination, and refuse service to individuals who fail to show that proof.

Am I a covered entity?

You are a covered entity if you are a healthcare provider, health plan, or healthcare clearinghouse.

Am I a business associate?

You are a business associate if you work with protected health information in any capacity. If you have the potential to view PHI over the course of work you provide your clients, then you are a business associate.

How often do I need to address or update my HIPAA compliance program?

HIPAA compliance is not static. This is because businesses are constantly evolving by making changes to the way they operate, adding new equipment or technologies, or hiring new employees. This is why HIPAA requires you to conduct self-audits, review your policies and procedures, review business associate agreements, and conduct employee training at least annually (or sooner if there is a change in your business). Additionally, to meet employee training requirements, employees must be trained upon hiring and annually going forward. As such, conducting an annual training, in which all of your employees are trained at the same time, does not meet HIPAA standards. This is because, should you conduct your annual training in January and hire a new employee in February, that employee would go untrained for almost a year.

What does HIPAA mean for employers?

Since protected health information is only covered by HIPAA when it is used to communicate information about an individual’s past, present, or future medical condition, the provision of healthcare to an individual, or the payment for the provision of healthcare, employers and their employees are often not subject to the Privacy Rule, even if they come into contact with PHI.

However, many employers sponsor their own health plan. These kinds of health plans are known as self-insured health plans. In a self-insured health plan, the employer provides the insurance coverage from its own funds, and administers the plan. Plan administration involves the employer’s viewing and accessing the protected health information of employee plan participants. When the employer is performing these functions, the employer is acting as a health plan, and therefore, as a covered entity. When acting as an insurer the employer must comply with HIPAA.