The following links provide answers to frequently asked questions. Additionally, our expert consulting specialists are here to guide you every step of the way, helping you comply with federal, state and/or industry requirements.
Learn About Business Associates
- Are accreditation organizations business associates of the covered entities they accredit?
- Are the following entities considered “business associates” under the HIPAA Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?
- Is a physician or other provider considered to be a business associate of a health plan or other payer?
- Is a software vendor a business associate of a covered entity?
- If the only protected health information a business associate receives is a limited data set, does the HIPAA Privacy Rule require the covered entity to enter into both a business associate agreement and data use agreement with the business associate?
- When a covered entity, such as a doctor, uses a certified Telecommunications Relay Service to contact patients with hearing or speech impairments, is the Relay Service a business associate of the doctor?
- When is a health care provider a business associate of another health care provider?
- Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity’s business associate as the minimum necessary?
Learn About Business Associate Contracts
- Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?
- Is a business associate contract required for a covered entity to disclose protected health information to a researcher?
- What are a covered entity’s obligations under the HIPAA Privacy Rule with respect to protected health information held by a business associate during the contract transition period?
- Is a physician required to have business associate contracts with technicians such as plumbers, electricians or photocopy machine repairmen who provide repair services in a physician’s office?
- Is a business associate contract required with organizations or persons where inadvertent contact with protected health information may result – such as in the case of janitorial services?
- I have an existing contract with a business associate that will renew automatically before April 14, 2003. Does this automatic renewal mean I have to modify the contract by April 14, 2003, to make it compliant with the HIPAA Privacy Rule’s business associate contract provisions or can I still take advantage of the transition period?
Learn About Covered Entities
- Who must comply with HIPAA privacy standards?
- When is a researcher considered to be a covered health care provider under HIPAA?
- Are State, county or local health departments required to comply with the HIPAA Privacy Rule?
- Does the HIPAA Privacy Rule limit what a doctor can do with a family medical history?
Learn About Privacy Rule: General Topics
- What does the HIPAA Privacy Rule do?
- Why is the HIPAA Privacy Rule needed?
- Who must comply with HIPAA privacy standards?
- Does the HIPAA Privacy Rule create a government database with all individuals’ personal health information?
- Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?
Learn About Health Information Technology
- Is a health information organization (HIO) covered by the HIPAA Privacy Rule?
- Can a health information organization (HIO) operate as a business associate of multiple covered entities participating in a networked environment?
- What are some considerations in developing and implementing a business associate agreement with a health information organization (HIO)?
Learn About Individual Choice
- Does the HIPAA Privacy Rule inhibit electronic health information exchange across different states or jurisdictions?
- How do HIPAA authorizations apply to an electronic health information exchange environment?
- Can a covered entity use existing aspects of the HIPAA Privacy Rule to give individuals the right to Opt-In or Opt-Out of electronic health information exchange?
- Does the HIPAA Privacy Rule permit a covered entity to disclose psychotherapy notes to or through a health information organization (HIO)?
- Who has the right to consent or the right to request restrictions with respect to whether a covered entity may electronically exchange a minor’s protected health information to or through a health information organization (HIO)?
- Can a covered entity use existing aspects of the HIPAA Privacy Rule to give individuals the right to decide whether sensitive information about them may be disclosed to or through a health information organization (HIO)?
Learn About Safeguards
- Does the HIPAA Privacy Rule permit a covered health care provider to e-mail or otherwise electronically exchange protected health information (PHI) with another provider for treatment purposes?
- How may the HIPAA Privacy Rule’s requirements for verification of identity and authority be met in an electronic health information exchange environment?
- Does the HIPAA Privacy Rule require hospitals and doctors’ offices to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard?
- May physicians' offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?
- Are physicians and doctors' offices prohibited from maintaining patient medical charts at bedside or outside of exam rooms, or from engaging in other customary practices where the potential exists for patient information to be incidentally disclosed to others?
- May a covered entity hire a business associate to dispose of protected health information?
- May a covered entity reuse or dispose of computers or other electronic media that store electronic protected health information?
- Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?
- Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?
- Does the HIPAA Privacy Rule allow covered entities participating in electronic health information exchange with a health information organization (HIO) to establish a common set of safeguards?
- May physicians' offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients' homes?
- A clinic customarily places patient charts in the plastic box outside an exam room. It does not want the record left unattended with the patient, and physicians want the record close by for fast review right before they walk into the exam room. Will the HIPAA Privacy Rule allow the clinic to continue this practice?
- How should home health workers or other workforce members of a covered entity dispose of protected health information that they use off of the covered entity’s premises?
Learn About Preemption of State Law
Learn About Administrative Safeguards
- What does the Security Rule require a covered entity to do to comply with the Security Incidents Procedures standard?
- Under the Security Rule, must plan sponsors report security incidents to the group health plan? If so, what types of incidents must be reported and what level of detail is required?
Learn About Emergency Situations
Learn About Risk Analysis & Risk Management
Learn About Security Incidents
Learn About Technical Safeguards
- Is the use of encryption mandatory in the Security Rule?
- Do the Security Rule requirements for access control, such as automatic logoff, apply to employees who telecommute or have home-based offices if the employees have access to electronic PHI (e-PHI)?
- Does the Security Rule permit a covered entity to assign the same log-on ID or user ID to multiple employees?