Search
Contact Us
Contact Us

HIPAA Compliance FAQs

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was passed to protect an employee’s health insurance coverage when they lose or change jobs. It also has provisions to ensure the privacy and confidentiality of Protected Health Information (PHI). Discover some common HIPAA violations examples and scenarios.

Covered Entities or service providers, including telemedicine providers, must comply with the risk analysis requirement mandated by the HIPAA Security Rule, MACRA, Meaningful Use and other regulations. Therefore, if you are a HIPAA Covered Entity or a Business Associate with access to Protected Health Information, you need to know what you need to do to be HIPAA compliant

Covered entities under HIPAA include health plans, healthcare providers, and healthcare clearinghouses. Health plans include health insurance companies, health maintenance organizations, government programs that pay for healthcare (Medicare for example), and military and veterans’ health programs.

A “Business Associate” is defined as any person or organization, outside of a covered entity’s workforce, engaged by a covered entity to perform activities or services necessitating access to Protected Health Information (PHI).

HIPAA regulations require that covered entities establish contracts or other arrangements with their business associates to ensure the protection of PHI. It is crucial to ensure these agreements comply with HIPAA standards.

  • Release of the Wrong Patient’s Information.
  • Release of Unauthorized Health Information.
  • Missing Patient Signature on HIPAA Forms.
  • Improper Disposal of Patient Records.
  • Failure to Promptly Release Information to Patients.

    Read the Common HIPAA Violations and Tips on How to Avoid Them blog for more information.

The penalties were originally implemented in the HITECH Act 2009 and increase each year to account for inflation. The latest is provided by HHS health information privacy, here is the download referencing penalties for breaching HIPAA.

The HIPAA Security Rule was enacted in 2004 to establish national standards for the protection of Protected Health Information when it is created, received, used, or maintained electronically by a Covered Entity. The Rule was introduced due to more Covered Entities adopting technology and replacing paper processes.
The HIPAA Privacy Rule – or “Standards for Privacy of Individually Identifiable Health Information” – was introduced to standardize a patchwork of state laws relating to how healthcare providers and insurers can use, share, and disclose Protected Health Information. It is important to note that where state laws provide stronger privacy protection, these laws continue to apply.

The HIPAA Breach Notification Rule requires Covered Entities and Business Associations to notify the Secretary of Health and Human Services of any impermissible use or disclosure of unsecured Protected Health Information. Different procedures apply depending on the nature of the breach and the number of records disclose without permission.

The HIPAA Omnibus Rule was enacted in 2013 to update elements of the Privacy, Security, Enforcement, and Breach Notification Rules, and activate elements of the HITECH Act. Significantly for Covered Entities and Business Associates, it gave the Department of Health and Human Services the resources to investigate breaches and impose fines for non-compliance.
The HIPAA Enforcement Rule explains the procedures under which the Department of Health and Human Services will conduct investigations, manage hearings, and impose penalties for HIPAA violations. It is important to note other agencies (for example Centers for Medicare and Medicaid) can take HIPAA enforcement actions, and these may have their own procedures.
The HIPAA retention requirements relate to how long Covered Entities must retain HIPAA-related procedures, policies, and other documentation. In states that do not require longer retention periods, the minimum length of time for HIPAA-related documentation to be retained is six years.

The HIPAA Privacy Rule was enacted many years before most social media platforms existed and therefore there are no specific rules for social media. Note, the disclosure of personal identifiable information without a patient´s consent is a violation of HIPAA and sharing PHI on social media would come into this category.

Drummond and our team of HIPAA compliance experts are ready to help.
Fill out the form below for a HIPAA Gap Assessment.

FREE EXPERT CONSULTATION

Do you have Compliance, Interoperability, or Security questions?
Book your FREE consultation with a Drummond expert and get answers.
Learn More

Drummond Group, LLC

3622 Lyckan Parkway, Suite #3003
Durham, NC 27707 USA

sales@drummondgroup.com
(877) 437-8666

Contact Us

Services
Resources
About Us
Privacy Policy
Cookie Policy
Terms of Use

© 2025 Drummond Group, LLC. All rights reserved. All brand names and trademarked logos used on this website are for identification purposes only and are the property of their respective owners. Their inclusion here does not imply endorsement, sponsorship, or affiliation with Drummond. All content, including text, images, graphics, and other materials, is protected by copyright law and may not be reproduced, distributed, or transmitted without prior written permission from Drummond Group, LLC.

DISCLAIMER: The services offered by Drummond Advisory Services are separate and distinct from the Drummond Group Test Lab and Certification Body. The purpose of Drummond Advisory Services is to provide expert support and guidance for the planning, analysis, and execution of certification activities; it does not negate the steps or required actions of the certification process. Use of Drummond Advisory Services does not guarantee successful ONC Health IT testing or certification.