The Health Insurance Portability and Accountability Act (HIPAA) has been around for quite some time. There are many misconceptions about HIPAA compliance that our office still gets calls about. This page is to help clear up some of these misconceptions.

All healthcare providers will benefit from the common-sense approach and steps found in our DeskBook series. This book includes detailed information about the HIPAA Security Breach Notification Rules.

Complete & Easy HIPAA Compliance contains the forms and training you need in a easy to understand format. Of all the many HIPAA products we have reviewed, it is by far the best! It is extremely affordable and will save your office TONS of time and headaches.

Frequently Asked Questions About HIPAA

Q.  I just received a notice from XYZ Insurance company that I have to file Electronic Claims. I don't think I can afford that. Do I have to file electronically?

A.  HIPAA grants an exception for small companies (fewer than 10 full time employees). However, some states have passed legislation which over-rides this exception. State statues take precendence. If you have only two people in your office and your state does not have a law requiring electronic claims, then you do not have to file electronically. You may need to file an exemption with the specific company to minimize future hassles and problems.

Q.  How should we handle caller ID? Is it ok for our practice name to appear when we call a patient?

A.  Yes. HIPAA does not require you to block the name of your practice; however, if your practice treats specific diseases, such as cancer, it is a good idea to adhere to the “minimum necessary standard” by limiting the information listed on caller ID. For example, it is more appropriate to say “George Luther Treatment Center” than to say “George Luther Cancer Treatment Center.”

Q.  I’ve recently created a website for my practice. Do I have to post a notice of privacy practices on it?

A.  Yes. If a covered entity has a website, posting a Notice of Privacy Practices is required on the website. Privacy Notices can be purchased HERE.

Q.  If a patient wants to file a complaint about a security violation at my practice, what should I do?

A.  The first course of action is to try to resolve the issue yourself. If the issue is not resolvable by the practice, patients have the right to complain. For security and other non-privacy complaints, the appropriate form to use may be found at http://htct.hhs.gov. This is not the same form used for filing a privacy complaint. The privacy complaint form may be found at www.hhs.gov/ocr/privacy/hipaa/complaints/index.html

Q.  What’s the best way to dispose of old data on a computer? We just got new laptops and we want to donate the old desktops to a local charity.

A.  One of the best ways to ensure data from an old computer is protected is to take a sledgehammer to the hard drive. However, since you want to donate the equipment to a nonprofit, your best bet is to use software technology to permanently erase the information. Simply erasing files on your hard drive or even re-formatting the drive is not sufficient. There are many options out there that will perform a thorough job, including X-Ways Security, BC Wipe, SuperShredder,WipeDrive and Acronis DriveCleanser. Make sure you document the method you use to erase the protected health information.

Q.  How should we verify the identity and authority of a law enforcement person before giving him/her PHI?

A.  It is important to verify the identity and authority of a law enforcement person before handing over PHI. Presentation of an agency identification badge, other official credentials or other proof of government status are all acceptable ways of verifying identity, if the request is made in person. As for verifying authority, you may reasonably rely on a written statement of legal authority, an oral statement of legal authority (if a written statement is impractical) or a request made pursuant to legal process, warrant, subpoena, order or other legal process issued by a grand jury or judicial or administrative tribunal. For more information, go to section 164.514(h) Verification of the privacy rule.

Q.  What if we find out one of our business associates misuses our PHI?

A.  Although you are not required to actively monitor business associates (BAs), if you have substantial and credible evidence of a BA violation, you must take reasonable steps to mitigate the breach or end the violation. If such steps are unsuccessful, you must terminate the contract with the BA. If it is not feasible to end the contract with the BA, you are required to report the problem to HHS.

Q.  I’ve heard conflicting information about fax machines. Once and for all, are faxes considered electronic transactions?

A.  Traditional faxes sent from a fax machine are NOT considered electronic transactions. However, faxes sent from a computer ARE classified as electronic transactions.

Q.  What are the requirements for privacy and security training for employees?

A.  Once you have trained a staff member on HIPAA, there are only limited circumstances when additional training is required. Training is only needed beyond the initial training when there are significant changes to policies and procedures that impact the workforce or an individual changes responsibilities within the covered entity and needs to become familiar with new processes. In addition, if there has been a HIPAA violation, a mitigation action plan may have a retraining component.

Although “full blown” training isn’t required regarding security issues after initial training, the regulations do require regular discussion of security tips with staff at meetings or via e-mail. It is recommended that security tips be shared on a monthly basis with staff members, such as reminders about the importance of individual login and regular password changes. Such discussions should be documented in staff meeting minutes and/or copies of the e-mails should be saved.

How to stay HIPAA Updated

• Join the HIPAA Listserv to find out when new or updated HIPAA rules are published. If you have access to the Internet and would like to receive a free e-mail notification direct from CMS when new HIPAA rules are published, simply sign up for the “free” listserv (email communication list) on their website:http://aspe.hhs.gov/admnsimp/lsnotify.htm .

• Contact your regional “Strategic National Implementation Process” (SNIP) representatives about regional and state HIPAA efforts. They are local groups with extensive knowledge of HIPAA. To find your local SNIP, go to: http://snip.wedi.org .

• Attend your local Professional association meetings. If you already know it all, please be a good mentor and help others.

More Help for HIPAA Headaches

No one knows the HIPAA rules better than the makers of them.  For more information, we encourage you to contact the direct sources within the department of Health and Human Services (HHS).

Privacy standards have been assigned to the Office of Civil Rights (OCR) within (HHS).  

• Visit their web site at: www.hhs.gov/ocr/hipaa

• Call the OCR HIPAA hotline: 1-866-627-7748 (for Privacy issues only)

Transactions, Security, and Identifier standards are assigned to the Centers for Medicare and Medicaid Services (CMS) within HHS.

• Visit their website at: www.cms.hhs.gov/hipaa

• Send email questions to: askhipaa@cms.hhs.gov

• Call the CMS HIPAA hotline: 1-866-282-0659 (for non-Privacy issues)

Security standards are available from the Centers for Medicare and Medicaid Services (CMS).

• Visit their website at: www.cms.hhs.gov/hipaa

Affordable HIPAA help is available from InstaCode Institute www.instacode.com/store

• Complete & Easy HIPAA Compliance – customized forms, policies and training for medical offices.  only $179
• Security Risk Assessment Wizard - easy to use online tool for training and implementing a HIPAA security risk assessment.