HIPAA links
Contact Us

Protecting the Privacy of Personal Health Information


Compliance & Enforcement


How to File a Health Information Privacy Complaint

Health Information Privacy Complaint Form [PDF]

Interim final rule: Civil Money Penalties: Procedures for Investigations, Imposition of Penalties, and Hearings [PDF]




The Privacy Rule

HIPAA Statute

The Security Rule

Identifier Standards

What is the Privacy Rule and why has HHS issued regulations?

Privacy Rule Summary [PDF]

HIPAA Glossary & Acronyms




HIPAA essentials outline

HIPAA Checklist

OCR Summary - HIPAA Privacy Rule

Frequently Asked Questions

Am I a covered entity?

Covered Entity Flowchart


HIPAA - Related Links


Centers for Medicare and Medicaid Services (CMS)

The Privacy Rule and Public Health (CDC)

The Privacy Rule and Research (NIH)

National Committee on Vital and Health Statistics (NCVHS)

Workgroup for Electronic Data Interchange

Portability of Health Coverage - Dept. of Labor

Full List of HIPAA-Related Links


For Consumers


Fact Sheet: Protecting the Privacy of Patients' Health Information


Security Standards for the Protection of Electronic Protected Health Information


HIPAA Essentials Outline For Small Businesses


  • Healthcare industry realities:
    • need for data interoperability
    • evolution from paper to electronic data
    • economic incentives
  • Patient as a consumer:
    • increasing concern about threats to individual privacy
  • Legislative guidance:
    • inconsistent laws from 50 states
    • pressure for Federal mandates

Likely Benefits for Practices

  • Reduces efforts in business office, registration, and managing enrollments, referrals and eligibility
  • Reduces need for IS support of interface engine and EDI communication
  • Enables fee collection at time of service
  • Enables health plan/sponsor payments within 10 days
  • Reduces associated costs of the above

HIPAA's Covered Entities

  • Virtually all healthcare providers, including physicians, hospitals, long-term care providers, home health providers, dentists, ambulance services, etc.
  • All healthcare payers, including health insurance and self-insured employer-sponsored health plans
  • All healthcare clearinghouses that process or route electronic claims

Other Affected Parties: Business Associates

  • Non-employees who perform services for a covered entity, who have access to protected health information (PHI) - e.g., attorneys, medical transcriptionists, vendors
  • Covered entities must establish contracts with Business Associates to ensure they also meet HIPAA requirements

Transactions and Code Sets: Compliance required by October 16, 2002 (or October 16, 2003, upon obtaining federal deadline extension)

  • Lack of standardization has created industry-wide inefficiencies, unnecessarily high costs, opportunities for fraud and abuse
  • HIPAA's standardized transactions include:
    • Health claims / similar encounter info
    • Enrollment / disenrollment in a health plan
    • Eligibility for a health plan
    • Healthcare payment & remittance advice
    • Health plan premium payments
    • Health claim status
    • Referral certification & authorization
    • Health claims attachments (not finalized)
    • First report of injury (not finalized)

If transactions are conducted electronically, HIPAA standards must be used.

Covered entities not required to use electronic transactions -- may still use paper instead of electronic media.

The term "electronic transfer" represents ALL electronic methods. Includes magnetic tape, disk, CD, Internet transmissions, leased or dial-up lines, and private networks, direct data entry.

Entities may use a business associate to conduct a transaction.

Standard code sets include:

  • CPT 4
  • ICD - 9 CM
  • CDT (dental)
  • NDC (drugs) (Will not be mandatory for hospitals)
  • Non-medical code sets

Transactions and Code Sets Impact on Practices

  • Will necessitate claims process modifications
  • Local codes will be eliminated
  • Patient eligibility and referrals can be processed electronically

Unique National Identifiers: Compliance required 24 months after effective dates of final Identifier Standards

  • Purpose is to work with standard transactions and code sets to streamline healthcare administration
  • National Provider Identifier (NPI) -- Final rule expected 2003
  • National Employer Identifier (EIN) -- Final rule published 5/31/02.
    • IRS Federal Employer Identification Number (FEIN) -- 9 digits
  • National Health Plan Identifier (PLANID) -- Proposed rule expected 2003

Privacy: Compliance required April 14, 2003

  • The Privacy Rule is intended to:
    • Protect and enhance rights of consumers by providing them
      • access to their health information
      • control over PHI uses and disclosures
    • Improve healthcare quality by restoring public trust and willingness to share information
    • Improve efficiency and effectiveness by creating uniform nationwide privacy framework
  • Covers electronic, paper & oral information
  • Requires contracts with business associates to protect health information
  • Emphasizes "minimum necessary" access
  • Standards apply to "protected health information": all individually identifiable health information in any form
    • General Rule: Protected health information may not be used or disclosed for reasons other than treatment, payment or healthcare operations without specific patient authorization
  • Patients must receive written notice of provider's information practices; practice must make good faith effort to obtain acknowledgement of receipt
  • Patients may inspect their own health information and obtain a copy
  • Patients may request amendment to health information
  • Patients may receive an accounting of disclosures for purposes other than treatment, payment, and healthcare operations
  • Patients may request that uses and disclosures of health information be restricted
  • Patients must be provided means to report a privacy complaint
  • Providers can release PHI without authorization for treatment, payment or healthcare operations, or:
    • When required by law
    • Public health Activities
    • For victims of abuse, neglect, or domestic violence
    • Health oversight
    • Judicial proceedings
    • Specific law enforcement activities

Providers must obtain a written patient Authorization before releasing PHI for purposes other than Treatment, Payment, and Health Care Operations, such as:

  • Marketing
  • Medical research
  • Fundraising
  • Authorizations generally address a specific need and circumstance or span of time
  • Authorizations are required before psychotherapy notes can be released
  • Providers must identify all Business Associates that have access to or use/disclose protected health information of patients
    • Business Associate contracts must be established to ensure that Business Associates' practices support HIPAA's requirements; sanctions must be applied for non-compliance by Business Associates
  • Providers may release patient's location, condition, or death when needed to family, friends, others involved in the care of the patient
  • Providers may make other disclosures to family and others involved when in the patient's best interest

Security: Compliance required April 21, 2005

  • Security standards apply to health plans, clearinghouses, and any health care provider that electronically maintains or transmits any individual's health information
  • Standards are technology neutral and outline 4 areas of compliance. Look to the proposed Security Rule and/or your IS support person for technical details behind these requirements:
    • Administrative procedures
      • Certification
      • Contingency Plan
      • Formal Mechanisms: Records
      • Info Access Control
      • Internal Audit
      • Personnel Security
      • Security Configuration
      • Security Incident Procedures
      • Security Mgmt. Process
      • Termination Procedures
      • Training
    • Physical security
      • Assigned Security Responsibility
      • Media Controls
      • Physical Access Controls
      • Policy - Workstation Use
      • Secure Workstation Location
      • Security Awareness Training
    • Technical security services
      • Communications/Network Controls
      • Integrity Controls
      • Message Authentication
    • Technical security mechanisms
      • Access Controls
      • Audit Controls
      • Authorization Controls
      • Data Authentication (corruption)
      • Entity Authentication

HIPAA provides for scalable security solutions, based on the practice's assessment of its particular technical environment, business needs, and risks/rewards considerations. Solutions may include:

  • Username/Password Policies and Procedures
  • Log-on/Log-off Policies and Procedures
  • Disaster/Contingency Planning for computer systems
  • System Monitoring
  • Audit Control
  • Testing
  • Virus Protection
  • Locks, Access Controls (e.g. badges, keys)
  • Security Training
  • Personnel Termination Policies and Procedures

Overall Impact of HIPAA on Healthcare Providers

  • Necessitates greater staff attention to health-related privacy and confidentiality
    • New privacy and security policies and procedures
    • New security mechanisms and practices
    • Modification of claims and billing systems, including new transaction formats and identifiers, and elimination of local codes
    • Training of all staff on privacy awareness, new policies and procedures, and system changes
    • Ongoing monitoring for compliance of organization AND individual staff
    • Consistent application of sanctions for non-compliance
    • Thorough documentation of efforts

6 Phases Required To Achieve Compliance

  1. Awareness (general staff education on what to expect from HIPAA)
  2. Gap Analysis (determining gaps between current and required practices)
  3. Implementation Planning (setting plan, budget and timeline to meet HIPAA requirements)
  4. Implementation (deploying the Implementation Plan)
  5. Training (on new policies, procedures and systems changes and updates)
  6. Audit and Compliance (on-going monitoring and enforcement)

Fundamental Steps in Compliance

  • Read and become familiar with regulations; get help where needed
  • Set objectives and scope of overall compliance effort
  • Appoint privacy and security compliance officer
  • Take inventory of computer/information systems (including paper records); understand current transactions/code sets environment and uses
  • Take inventory of security and privacy policies and procedures
  • Identify gaps and weaknesses in office practices, policies, systems, and procedures - as they relate to HIPAA requirements
  • Determine planning priorities and formulate implementation budget
  • Begin promoting HIPAA awareness within office
  • Revise and improve existing security and privacy policies; implement new policies and procedures as needed
  • Deploy new physical and technical safeguards to support policies and procedures
  • Integrate and roll out new or upgraded processes and systems
  • Create reporting and documentation procedures with feedback mechanism
  • Implement necessary ongoing changes
  • Do initial workforce training on new policies and changes, and provide for ongoing training program
  • Provide process for addressing privacy/security breaches when and if they arise



Copyright 2003-2010 ©HIPAAnews.org All Rights Reserved.