HIPAA Compliance FAQs

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was passed to protect an employee’s health insurance coverage when they lose or change jobs. It also has provisions to ensure the privacy and confidentiality of Protected Health Information (PHI). This page covers some common examples of HIPAA violations and the rules that govern them.

Covered Entities and service providers, including telemedicine providers, must comply with the risk analysis requirement mandated by the HIPAA Security Rule, MACRA, Meaningful Use and other regulations. Therefore, if you are a HIPAA Covered Entity or a Business Associate with access to Protected Health Information, you need to know what is required of you to be HIPAA compliant.

Covered entities under HIPAA include health plans, healthcare providers, and healthcare clearinghouses. Health plans include health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare for example), and military and veterans’ health programs.

Common examples of HIPAA violations include:
  • Release of the wrong patient’s information.
  • Release of unauthorized health information.
  • Missing patient signature on HIPAA forms.
  • Improper disposal of patient records.
  • Failure to promptly release information to patients.

The penalties were originally implemented in the HITECH Act of 2009 and increase each year to account for inflation. The latest penalty amounts for breaching HIPAA are published by HHS under its health information privacy resources.

The HIPAA Security Rule was enacted in 2004 to establish national standards for the protection of Protected Health Information when it is created, received, used, or maintained electronically by a Covered Entity. The Rule was introduced because more Covered Entities were adopting technology and replacing paper processes.

The HIPAA Privacy Rule – or “Standards for Privacy of Individually Identifiable Health Information” – was introduced to standardize a patchwork of state laws relating to how healthcare providers and insurers can use, share, and disclose Protected Health Information. It is important to note that where state laws provide stronger privacy protection, those laws continue to apply.

The HIPAA Breach Notification Rule requires Covered Entities and Business Associates to notify the Secretary of Health and Human Services of any impermissible use or disclosure of unsecured Protected Health Information. Different procedures apply depending on the nature of the breach and the number of records disclosed without permission.

The HIPAA Omnibus Rule was enacted in 2013 to update elements of the Privacy, Security, Enforcement, and Breach Notification Rules, and activate elements of the HITECH Act. Significantly for Covered Entities and Business Associates, it gave the Department of Health and Human Services the resources to investigate breaches and impose fines for non-compliance.

The HIPAA Enforcement Rule explains the procedures under which the Department of Health and Human Services will conduct investigations, manage hearings, and impose penalties for HIPAA violations. It is important to note that other agencies (for example the Centers for Medicare and Medicaid) can take HIPAA enforcement actions, and these may have their own procedures.

The HIPAA retention requirements relate to how long Covered Entities must retain HIPAA-related procedures, policies, and other documentation. In states that do not require longer retention periods, the minimum length of time for HIPAA-related documentation to be retained is six years.

The HIPAA Privacy Rule was enacted many years before most social media platforms existed, and therefore there are no specific rules for social media. Note, however, that the disclosure of personally identifiable information without a patient’s consent is a violation of HIPAA, and sharing PHI on social media falls into this category.

Drummond and our team of HIPAA compliance experts are ready to help.