Frequently Asked Questions

Who must comply with HIPAA privacy standards?

Any provider, health plan or health clearinghouse that creates, transmits, or stores protected health information.  Also, business associates must comply with certain aspects of the privacy rule.

What is the difference between Risk Analysis and Risk Assessment?

The two terms are used interchangeably.  The most important thing is that an organization fully explores its possible risks and determines what safeguards are appropriate for its specific situation.

Who are the Business Associates?

A business associate is any organization that performs a service or function on behalf of a provider, health plan or health clearinghouse and needs access to protected health information (or PHI) to perform the service or function.

What’s HIPAA?

Essentially, it is the federal rule that outlines how organizations are to keep individuals’ medical information out of the hands of people who are not permitted to access it.

What is the “minimum necessary” standard?

It is a part of the HIPAA Privacy Rule that stipulates two things.  First, that only people who need access to another person’s health information will have access to that information.  Second, that people who need access to health information will access only the minimum amount necessary.

What is a Notice of Privacy Practices?

It is a document given by providers, health plans and health clearinghouses to individuals that explains a person’s rights related to their health information and how the organization may share that information.

Where do I start if I want to comply with regulations?

Two things are needed to begin the process.  First, complete an inventory to determine where protected health information is kept and where it travels within the organization.  Second (and, as far as possible, at the same time as the inventory), a risk assessment needs to be completed.

What happens if I don’t comply with regulations?

Organizations that are not compliant are at risk of compromising individuals’ private health information.  This can lead to fines, reputational damage, litigation costs, and even prison time.

How will the government find out if I comply with regulations or not?

Any breach must be reported to the federal government, and most are investigated by the government.  Also, the federal government is starting a random HIPAA audit program that will assess whether an organization is compliant with HIPAA.

What should I do to protect the PHI in my office?

The best thing to do is create a culture of compliance.  Stress that everyone in an organization has a role to play in protecting the security and privacy of PHI, and give them tools to effectively do so.
