HIPAA Compliance FAQs

  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was passed to protect an employee’s health insurance coverage when they lose or change jobs. It also has provisions to ensure the privacy and confidentiality of Protected Health Information (PHI). Below are some examples and scenarios of common HIPAA violations.

    Covered Entities and service providers, including telemedicine providers, must comply with the risk analysis requirement mandated by the HIPAA Security Rule, MACRA, Meaningful Use and other regulations. Therefore, if you are a HIPAA Covered Entity or a Business Associate with access to Protected Health Information, you need to know what is required of you to be HIPAA compliant.

  • Covered entities under HIPAA include health plans, healthcare providers, and healthcare clearinghouses. Health plans include health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare for example), and military and veterans’ health programs.

    • Release of the Wrong Patient’s Information.
    • Release of Unauthorized Health Information.
    • Missing Patient Signature on HIPAA Forms.
    • Improper Disposal of Patient Records.
    • Failure to Promptly Release Information to Patients.
  • The penalties were originally implemented in the HITECH Act of 2009 and increase each year to account for inflation. The latest figures are published by HHS (health information privacy), which provides a downloadable reference on the penalties for breaching HIPAA.

  • The HIPAA Security Rule was enacted in 2004 to establish national standards for the protection of Protected Health Information when it is created, received, used, or maintained electronically by a Covered Entity. The Rule was introduced because more Covered Entities were adopting technology and replacing paper processes.

  • The HIPAA Privacy Rule, or “Standards for Privacy of Individually Identifiable Health Information”, was introduced to standardize a patchwork of state laws relating to how healthcare providers and insurers can use, share, and disclose Protected Health Information. It is important to note that where state laws provide stronger privacy protection, these laws continue to apply.

  • The HIPAA Breach Notification Rule requires Covered Entities and Business Associates to notify the Secretary of Health and Human Services of any impermissible use or disclosure of unsecured Protected Health Information. Different procedures apply depending on the nature of the breach and the number of records disclosed without permission.

  • The HIPAA Omnibus Rule was enacted in 2013 to update elements of the Privacy, Security, Enforcement, and Breach Notification Rules, and activate elements of the HITECH Act. Significantly for Covered Entities and Business Associates, it gave the Department of Health and Human Services the resources to investigate breaches and impose fines for non-compliance.

  • The HIPAA Enforcement Rule explains the procedures under which the Department of Health and Human Services will conduct investigations, manage hearings, and impose penalties for HIPAA violations. It is important to note other agencies (for example Centers for Medicare and Medicaid) can take HIPAA enforcement actions, and these may have their own procedures.

  • The HIPAA retention requirements relate to how long Covered Entities must retain HIPAA-related procedures, policies, and other documentation. In states that do not require longer retention periods, the minimum length of time for HIPAA-related documentation to be retained is six years.

  • The HIPAA Privacy Rule was enacted many years before most social media platforms existed, and therefore there are no specific rules for social media. Note that the disclosure of personally identifiable information without a patient's consent is a violation of HIPAA, and sharing PHI on social media falls into this category.
