HIPAA Questions and Answers

The Health Insurance Portability and Accountability Act (HIPAA) is a collection of regulations for healthcare organizations and their business associates. The language of the HIPAA regulation, however, leaves a lot open to interpretation. This set of HIPAA questions and answers is meant to clear up some of the most common questions about HIPAA.

HIPAA Questions and Answers: What is the Purpose of HIPAA?

What is the purpose of HIPAA? HIPAA was enacted to ensure the confidentiality, integrity, and availability of protected health information (PHI). 

Confidentiality. PHI collected on patients holds a wealth of information. When PHI falls into the wrong hands, it can be used to commit identity theft or fraud. Organizations working with PHI have an obligation to ensure the confidentiality of PHI, protecting it against unauthorized individuals.

Integrity. PHI must also be protected against corruption. As such, healthcare organizations must implement safeguards to prevent individuals from altering PHI without authorization.

Availability. To ensure quality of service, PHI must be readily available. This includes having access to PHI in the event of an emergency or natural disaster. 

HIPAA Questions and Answers: What Does HIPAA Mean to You?

What HIPAA means to you depends on who is asking. For patients, HIPAA means that healthcare entities must ensure the confidentiality, integrity, and availability of their PHI. For healthcare entities and business associates, HIPAA means that they must comply with the regulation in order to secure PHI.

HIPAA Questions and Answers: What are the Three Primary Parts of HIPAA?

HIPAA consists of several rules and regulations that can be broken down into three categories or rules. What are the three primary parts of HIPAA? The three primary parts of HIPAA are the Privacy Rule, the Security Rule, and the Breach Notification Rule.

Privacy Rule: organizations working in healthcare have an obligation to protect the confidentiality of PHI. The Privacy Rule dictates what organizations must have in place to ensure that PHI is used and disclosed properly.

Security Rule: this rule dictates the security measures that organizations should have in place to protect PHI. This is especially important for securing electronic protected health information (ePHI), which is PHI that is stored in electronic format.

Breach Notification Rule: organizations that experience a breach are required to report it to the HHS, affected patients, and in some cases, the media. The Breach Notification Rule dictates the procedures for reporting a breach, including what information must be included in breach notification letters sent to patients.

HIPAA Questions and Answers: What Information is Protected Under HIPAA Law? Which of the Following Would be Considered PHI HIPAA?

The questions of what information is protected under HIPAA law and which items are considered PHI under HIPAA are interrelated. So, what information is protected under HIPAA law? The answer is protected health information, or PHI.

That leads to the question of which items are considered PHI under HIPAA. PHI is any individually identifying information that relates to past, present, or future health. The Department of Health and Human Services (HHS) defines 18 identifiers that make health information PHI:

  1. Patient names  
  2. Geographical elements (such as a street address, city, county, or zip code)
  3. Dates related to the health or identity of individuals (including birthdates, date of admission, date of discharge, date of death, or exact age of a patient older than 89)
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers
  13. Device attributes or serial numbers
  14. Digital identifiers, such as website URLs 
  15. IP addresses
  16. Biometric elements, including finger, retinal, and voiceprints
  17. Full face photographic images 
  18. Other identifying numbers or codes
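As an added example (not code from the original article), the following Python scrubber applies several of the identifier categories above to a constructed record: direct-identifier fields are dropped, full dates keep only the year, an exact age over 89 is bucketed to "90+", and shape-detectable values in free text (SSNs, phone or fax numbers, emails, IP addresses, URLs, zip codes) are replaced with a category tag. The regexes, field names, and sample record are simplified assumptions for illustration, not a complete Safe Harbor implementation.

```python
import re

# Simplified regexes (constructed for this example) for the identifier categories that
# can be recognised by shape alone; production scrubbers use far richer rules.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "full_date": re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"),
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}
# Assumed field names whose whole value is a direct identifier (names, record/account/device numbers).
DIRECT_FIELDS = {"name", "mrn", "account_number", "device_serial", "license_number"}

def deidentify_free_text(text):
    """Replace shape-detectable identifiers with a category tag; return (text, categories hit)."""
    found = set()
    for name, pattern in PATTERNS.items():
        if name == "full_date":
            text, n = pattern.subn(r"\1", text)  # Safe Harbor keeps only the year of a date
        else:
            text, n = pattern.subn(f"[{name}]", text)
        if n:
            found.add(name)
    return text, found

def deidentify_record(record):
    """Apply the rules to one record: drop direct-identifier fields, bucket ages over 89, scrub strings."""
    clean, found = {}, set()
    for key, value in record.items():
        if key in DIRECT_FIELDS:
            found.add(key)  # field is removed outright
        elif key == "age":
            if value > 89:
                found.add("age_over_89")
            clean[key] = "90+" if value > 89 else value  # exact ages over 89 are not allowed
        elif isinstance(value, str):
            clean[key], hits = deidentify_free_text(value)
            found |= hits
        else:
            clean[key] = value
    return clean, sorted(found)

# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Doe", "mrn": "MRN-0001234", "age": 92, "admitted": "2023-04-17",
    "note": "Pt called from 555-123-4567, email jane@example.com, SSN 123-45-6789, zip 12345. Login from 10.0.0.5.",
}
```

Calling `deidentify_record(SAMPLE_RECORD)` returns the scrubbed record together with the sorted list of identifier categories that were hit, which is the audit trail a reviewer would want before a dataset is released as de-identified.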

HIPAA Questions and Answers: Why Policies and Procedures are Important in Healthcare

Although not strictly a question, why policies and procedures are important in healthcare deserves to be addressed. Policies and procedures are important in healthcare because they ensure adherence to HIPAA standards. Organizations working with PHI must have customized policies and procedures describing how the organization complies with the Privacy, Security, and Breach Notification Rules. Employees must be trained annually on their organization’s policies and procedures.

HIPAA Questions and Answers: What is a Healthcare Vendor?

What is a healthcare vendor? A healthcare vendor, also known as a business associate, is an entity that a healthcare organization contracts to create, receive, transmit, store, or maintain PHI on its behalf.

Some examples of business associates include:

  A managed service provider
  A third-party claims processor
  An accounting firm that must access patient data
  The attorney for a healthcare provider
  Healthcare clearinghouses
  Freelance medical transcriptionists
  Pharmacy benefits managers

HIPAA Questions and Answers: Can You Go to Jail for HIPAA Violations?

One common question that healthcare employees have is whether you can go to jail for HIPAA violations. The simple answer is yes. There are certain circumstances in which individuals can be subject to jail time for HIPAA violations.

Criminal violation penalties are categorized into three tiers:

  Negligence: up to 1 year jail time
  Falsely obtaining protected health information: up to 5 years jail time
  Malicious intent or personal gain: up to 10 years jail time

In addition, employees that commit aggravated identity theft are subject to a mandatory two-year imprisonment.

HIPAA Questions and Answers: What is HIPAA Violation for Employers? What is a HIPAA Violation in Workplace?

What a HIPAA violation means for employers and what a HIPAA violation in the workplace looks like go hand in hand. Employers should never access or share employees’ PHI without authorization from the employee. Although many companies do not have access to employees’ PHI, employers with self-insured health plans do. In this instance, employers are considered HIPAA covered entities (CEs) and therefore have an obligation to be HIPAA compliant.

HIPAA Questions and Answers: Can a Family Member Violate HIPAA?

The question of whether a family member can violate HIPAA comes up frequently. The answer is convoluted. Technically, a family member cannot violate HIPAA, but a healthcare provider can violate HIPAA by disclosing PHI to a patient’s family member without authorization. Healthcare providers can only disclose PHI to a patient’s family when the patient designates that member to receive health information about them.

HIPAA Questions and Answers: Who Can File a HIPAA Complaint?

Who can file a HIPAA complaint? Any individual or entity that believes an organization working with protected health information has violated HIPAA can report the incident. The HHS has a breach portal on its website where suspected HIPAA violations can be reported, and a hotline that entities can call to ask questions about HIPAA-related incidents.

HIPAA Questions and Answers: What Rights are Patients Entitled to According to HIPAA?

What rights are patients entitled to according to HIPAA?

  1. The provisions prohibiting the use or disclosure of PHI. This right protects patients from their PHI being sold for marketing purposes.
  2. The right of access provisions. This gives patients the right to request their medical records from their healthcare provider.
  3. The provisions allowing for amendment of PHI. This right allows patients to request changes to their medical records if there is an error.

HIPAA Questions and Answers: When Can Medical Records be Destroyed?

When can medical records be destroyed? HIPAA requires medical records to be retained for:

  Six years from their creation; or
  Six years from their last use.
