
HIPAA FAQ (Frequently Asked Questions)

Here are some of the more commonly-asked questions over time pertaining to HIPAA compliance:

What businesses must comply with HIPAA laws?
Any healthcare entity that electronically processes, stores, transmits, or receives medical records, claims or remittances.

What is Protected Health Information (PHI)?
Information collected from an individual by a covered entity that relates to the past, present or future health or condition of that individual, and that either identifies the individual or gives reasonable basis to believe it can be used to identify, locate, or contact the individual. Such information must be protected. PHI is a subset of PII.

What is HITECH and when does it go into effect?
HITECH stands for the Health Information Technology for Economic and Clinical Health Act. The HITECH Act provides over $30 billion for healthcare infrastructure and the adoption of electronic health records (EHR). According to the Act, physicians are eligible to receive up to $44,000 per physician from Medicare for meaningful use of a certified EHR system starting in 2019.

What is a Covered Entity (CE)?
Any business entity that must by law comply with HIPAA regulations, which include healthcare providers, insurance companies, and clearinghouses. In this context, health care providers include doctors, medical, dental, vision clinics, hospitals, and related health caregivers.

What are the penalties for HIPAA non-compliance?
Fines can be up to $250,000 for violations or imprisonment up to 10 years for knowing abuse or misuse of individual health information.

HIPAA-ready v. HIPAA-compliant – what is the difference?
HIPAA-ready usually refers to software and other products used by the healthcare industry that make it easier to comply with HIPAA regulations. HIPAA-compliant refers to the actual clinics, hospitals, clearinghouses, and insurance companies that are in compliance with HIPAA regulations. With that said, many products are labelled as "HIPAA-compliant" - just remember that compliance is achieved not in the product itself but by the policies, operations, settings, and safeguards put in place by humans. A product labelled "HIPAA-ready" or "HIPAA-compliant" means it has one or more specific features that make it easier to use within a compliance regime.

What is HITRUST and how does it work with HIPAA?

While HIPAA is federal legislation that details standards for healthcare compliance, HITRUST is an organization (Health Information Trust Alliance) that helps you achieve compliance. Put another way, HIPAA is simply a set of regulations, while HITRUST assists companies with achieving compliance (certification) to those regulations. HITRUST developed and maintains the Common Security Framework (CSF), which coordinates the standards set by HIPAA with others such as PCI, ISO, and NIST. Another important distinction is that, unlike with HIPAA, an organization can become HITRUST-certified.

How are Sarbanes-Oxley and HIPAA related from a data compliance perspective?

They are similar yet different. HIPAA defines who can view stored data as well as when the data must be destroyed (data privacy). SOX defines which business records a company must store and for how long (data permanence). Under HIPAA, an organization must provide an audit trail of who has accessed what data and when, and then prove the data was properly disposed of when the retention period is up. Under SOX, an organization must prove that its data has not been altered from the time it was stored to the time it was retrieved.

How does the GDPR impact HIPAA?

As of May 25, 2018, all U.S. healthcare organizations that have patients, customers, or business associates in the EU must comply with the General Data Protection Regulation (GDPR).

Does HIPAA extend to wearables and medical devices?

It can if the device collects, stores, or transmits PHI (for example, a glucose level tied to a specific person) to a Covered Entity or Business Associate organization. More medical devices, wearables, and IoMT (Internet of Medical Things) devices have built-in microprocessors and WiFi/Bluetooth that can store PHI and transmit it to the cloud to be accessed by a healthcare entity. A Fitbit for personal use is not bound by HIPAA, but a Fitbit doled out as part of a corporate wellness program and tied to a CE or BA would be bound by HIPAA. In this particular case, Fitbit has a Business Associate Agreement for this application.

Is the Amazon Alexa device HIPAA-compliant?

Yes. On April 4, 2019, Amazon released a set of software tools that allows patient PHI to be transmitted and received using its Alexa devices. Specifically, Amazon can now sign Business Associate Agreements with healthcare providers under HIPAA to allow eligible third-party developers to develop "skills" that utilize the Alexa and AWS platforms.

Does HIPAA extend to medical-use cannabis?

It can. Any organization that collects, processes, stores, or transmits PHI about a customer is bound by HIPAA. A good example would be a dispensary that has an intake form or processes payments electronically.

How is HIPAA related to the opioid crisis?

In 2017, the HHS Office for Civil Rights released guidance explaining when HIPAA permits healthcare providers and other covered entities to share patient PHI with family and others involved in a patient's care in these situations.

How can I keep my workplace trained and certified to meet HIPAA compliance?
Learning, training, and reskilling the workforce is a never-ending effort. As such, consider investing in a modern, online, customizable Learning Management System (LMS) to meet your particular needs. For more information, see Workplace Training Software for HIPAA.