HIPAA FAQs
Q: What is HIPAA?
A: HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA contains new privacy standards designed to protect the confidentiality of medical information. HIPAA regulations prohibit a "covered entity" from using or disclosing "individually identifiable" health information.
Highlights of the final privacy regulations include:
- The privacy regulations cover all individually identifiable health information, whether held in electronic records, paper records, or oral communication.
- Providers will need to obtain a patient's consent to the disclosure or use of the patient's health information for ordinary activities such as treatment, payment and the entity's own operations.
- The regulations will permit providers and related foundations to use limited patient information, without patient authorization, in connection with their fundraising activities.
- Before employer-sponsored health plans share protected health information with the employer, there must be specific restrictions on the employer's use and disclosure of the information.
- Healthcare providers and insurance companies will be required to rewrite contracts with business partners (including attorneys, auditors, and consultants) to make sure that they adhere to the privacy rules. Healthcare providers will be responsible for the partners' violations only if they had knowledge of such violations.
- Patients will have the right to inspect and copy their medical records, as well as to request amendments and corrections to their records.
- Healthcare providers and plans will be required to tell patients how their information is being used and to whom it is being disclosed.
- Healthcare providers and plans will be required to restrict the amount of information used or disclosed to the "minimum necessary" to achieve the purpose of the use or disclosure.
- Healthcare providers and plans will be required to establish privacy-conscious business practices. These include training staff about privacy issues, designating a "privacy officer", and making sure that the appropriate safeguards are in place to protect health information.
- The regulations do not provide for a private right of action permitting patients to sue for violations, but they do contain both civil and criminal penalties for violation, including fines and imprisonment (e.g., a fine of up to $250,000 and imprisonment for up to 10 years for knowingly disclosing or obtaining protected health information if done for commercial or personal gain or for malicious harm).
Q: Who is a "covered entity"?
A: A "covered entity" is defined as health care providers (physicians, hospitals, nursing homes, clinical laboratories, durable medical equipment suppliers and pharmacies), health plans, health care clearinghouses and their "business partners".
Q: Who are "business partners"?
A: A "business partner" is defined as anyone who receives protected information in order to carry out and assist with specific activities, including attorneys, accountants, consultants, third-party administrators, data processing firms, and billing firms.
Q: What is "individually identifiable" health information?
A: Individually identifiable health information includes records of physical or mental health or condition, the provision of health care services, or payment for health care provided, where the record can be attributed to a specific patient. For example, any records containing an individual's name, social security number or other information that could allow someone to identify the specific individual in question are "individually identifiable." A covered entity may remove, code, encrypt, or otherwise eliminate or conceal the portion of the health information that makes it individually identifiable, as long as the entity does not reveal the "key" that would enable individual identification.
Q: Does HIPAA require medical records to be under lock and key?
A: