When you work in healthcare, hearing about HIPAA is inevitable. There is a ton of information online about HIPAA, but finding information related to your business can be challenging as a small healthcare practice. Here are some HIPAA FAQs for smaller practices… 

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule dictates the proper uses and disclosures of protected health information (PHI). This includes sharing PHI between providers, health plans, and business associates. 

What is the HIPAA Security Rule?

The HIPAA Security Rule dictates the security measures that must be in place to secure PHI. This Rule requires organizations to implement security measures that are “reasonable and appropriate” for their organization. In practice, a sole-practitioner doctor’s office is not expected to have the same security measures in place that a hospital has. To determine the appropriate measures for your organization, you must conduct a security risk assessment annually.

What is the HIPAA Breach Notification Rule?

The Breach Notification Rule requires healthcare organizations to report breaches that compromise the privacy or security of PHI. Breaches affecting fewer than 500 patients must be reported to the affected patients and to the Department of Health and Human Services’ (HHS’) Office for Civil Rights (OCR). These breaches can be reported annually (by March 1 of the following year). Breaches affecting 500 or more patients must be reported to the affected patients, HHS’ OCR, and media outlets. These breaches must be reported within sixty (60) days of discovering the incident.

HIPAA and Patient Information

What is protected health information?

Protected health information is individually identifiable health information created, used, or disclosed during diagnosis or treatment. It can relate to past, present, or future provision of healthcare.

The Department of Health and Human Services classifies PHI into 18 identifiers as follows:

  1. Name
  2. Address 
  3. Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voiceprints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics, or codes.

What is a Notice of Privacy Practices?

A Notice of Privacy Practices (NPP) describes how the healthcare organization may and may not use PHI, as well as patients’ rights and obligations concerning PHI. The NPP must be distributed to patients on or before their first visit, and a copy must be available to patients upon request.

What is a HIPAA authorization form?

Healthcare practices must obtain an authorization form from patients to use or disclose their PHI for purposes beyond treatment, payment, or healthcare operations. The HIPAA Privacy Rule requires that an individual provide signed authorization before the entity may use or disclose PHI for certain purposes. This authorization form enables healthcare practices to use the patient’s PHI for marketing purposes or for reasons other than regular use and disclosures.

What is the HIPAA minimum necessary standard?

The HIPAA Privacy Rule dictates that PHI use and disclosure should be limited to only the minimum necessary to perform a job function. This means that healthcare providers should only access a patient’s PHI when they need to do so. The minimum necessary standard also requires PHI access to be limited based on an employee’s job role and PHI access to be monitored and logged to ensure adherence to the standard.

What is the HIPAA right of access?

The HIPAA Privacy Rule generally provides individuals with a legal, enforceable right to see and receive copies, upon request, of the information in their medical and other health records maintained by their healthcare providers and health plans. This right is known as the HIPAA right of access. Under this standard, patients must be provided their requested records within thirty (30) days of the request, in the format they requested.

HIPAA Violations and Fines

What is considered a violation of HIPAA?

HIPAA violations occur when healthcare organizations fail to make a “good faith effort” to ensure PHI’s confidentiality, integrity, or availability. Failure to address just one requirement of HIPAA can result in a HIPAA violation, subjecting the organization to fines and corrective actions.

Common HIPAA violations include:

  • Improper use or disclosure of PHI
  • Failure to conduct a risk assessment
  • Failure to encrypt devices containing PHI when it was reasonable to do so
  • Failure to comply with the HIPAA right of access standard

How are HIPAA fine amounts determined?

HHS’ OCR determines fine amounts based on the level of perceived negligence, using four tiers.

  • Tier 1 is the “No Knowledge” tier. Under this tier, an organization did not know that a member of its workforce violated a HIPAA provision. The maximum fine amount under this tier is $58,000 per violation.
  • Tier 2 is the “Reasonable Cause” tier. Under this tier, the violation was due to reasonable cause, not willful neglect. The maximum fine amount under this tier is $58,000 per violation.
  • Tier 3 is the “Willful Neglect – Corrected” tier. Under this tier, the violation is due to willful neglect, but the violation is corrected in a timely manner. The maximum fine amount under this tier is $58,000 per violation.
  • Tier 4 is the “Willful Neglect – Not Corrected” tier. Under this tier, the violation is due to willful neglect and is not corrected in a timely manner. The maximum fine amount under this tier is $1.75 million per violation.