Frequently Asked Questions
The Answers You Need
Submit your own and we’ll answer your questions too.
What is HIPAA?
HIPAA stands for Health Insurance Portability and Accountability Act of 1996. It is the federal law that defines the rules for protecting the privacy of patient information across the US healthcare industry. The Department of Health and Human Services (HHS) administers the law. It is the job of the Office for Civil Rights (OCR) to enforce the HIPAA law.
When most people talk about HIPAA, they are referring to the Privacy Rule, Security Rule, and Breach Notification Rule. The Privacy Rule defins what can and cannot be done with patient information. The Securiy Rule is focused on safeguarding the electronic versions of patient information. The Breach Rule defines what is considered a privacy or security breach of patient information.
Am I a HIPAA Covered Entity?
A covered entity is an organization that provides healthcare treatment or insurance payments for that treatment.
Am I a HIPAA Business Associate?
A Business Associate is an organization that provides services to covered entities or other business associates requiring access to patient information in order to do their job.
Is My Vendor a HIPAA Business Associate?
Whether you are a covered entity or a business associate you need to know which of your vendors you should consider a business associate. You should have a signed a Business Associate Agreement with each of your Business Associates.
What is the Notice of Privacy Practices (NPP)?
The NPP is the contract that initiates HIPAA legal commitments between the patient and the covered entity (CE). It defines what HIPAA means to the patient and what the CE is committing to doing under HIPAA. It outlines how the CE may use and disclose PHI about an individual. It defines the patient’s rights with respect to their PHI and how to exercise them. It lays out the CE’s legal duties to protect the PHI and provides the contact info for who the patient should call for more information. Basically, if you don’t know what is in the NPP, then you technically don’t know what you’re committing to do as the CE.
Does an accredited EHR = HIPAA Compliance?
Just about every EHR these days has some sort of accreditation, whether it be ENHAC, ONC-HIT, ONC-ACB, CCHIT, or something else. And many of them refer to how they follow key provisions of ARRA and HITECH. So, if your EHR software has one of these certifications, does it mean they take HIPAA Compliance seriously?
No, not necessarily. All of these accreditations certify that they handle the Meaningful Use requirements for EHRs and follow the standard criteria to electronically exchange healthcare data. It doesn’t mean that they understand or take HIPAA Compliance seriously within their organization. As a BA, EHR vendors must still address the requirements of the HIPAA Security Rule and portions of the Privacy Rule. As a CE, you will still want to properly vet your EHR vendors regarding HIPAA training of their staff, their security awareness processes, whether they have a Breach Response Plan, if they have a policy for permissible uses and disclosures of PHI, and so on. The above mentioned accreditations don’t tell you that they actually follow HIPAA regulations as a BA.
Is Social Media safe to use in healthcare?
The use of social media in healthcare is ever increasing. The number of social networking applications are being developed specifically for the healthcare community. It is important to understand the risks and liabilities of social media when it comes posting images and information online. Workplace ethics and patient privacy must be understood completely before using these tools as a marketing or informational resource.
When does the clock start ticking on the number of days to report at breach?
A CE has to report a breach of over 500 individuals within 60 days from date of “discovery”. The clock starts ticking when the CE discovers the breach. Per §164.404(a)(2) …a breach shall be treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity.
As soon as the CE learns of it, from any source including a BA, the clock starts ticking.