HIPAA Compliance FAQ

Frequently asked questions about HIPAA compliance requirements, audits, and healthcare data security.

HIPAA (Health Insurance Portability and Accountability Act) is a US federal law that sets standards for protecting sensitive patient health information. It applies to covered entities including healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle protected health information (PHI).

The Privacy Rule establishes standards for how PHI can be used and disclosed, giving patients rights over their health information. The Security Rule specifically addresses the protection of electronic PHI (ePHI) and requires administrative, physical, and technical safeguards to ensure its confidentiality, integrity, and availability.

HIPAA penalties range from $100 to $50,000 per violation, with annual maximums of up to $1.5 million per violation category. Criminal penalties can include fines of up to $250,000 and imprisonment of up to 10 years for knowingly obtaining or disclosing PHI. The OCR (the HHS Office for Civil Rights, which enforces HIPAA) considers factors such as willful neglect and corrective actions taken when determining penalties.

A BAA is a legally binding contract between a covered entity and any vendor or subcontractor that creates, receives, maintains, or transmits PHI on their behalf. The agreement establishes permitted uses and disclosures of PHI, requires the business associate to implement appropriate safeguards, and defines breach notification obligations.

A HIPAA risk assessment involves identifying all systems containing ePHI, evaluating current security measures, determining potential threats and vulnerabilities, assessing the likelihood and impact of potential breaches, and documenting risk levels with mitigation plans. The OCR requires this assessment to be conducted regularly, not just once.

The Breach Notification Rule requires covered entities to notify affected individuals within 60 days of discovering a breach of unsecured PHI. Breaches affecting 500 or more individuals must also be reported to the HHS Secretary and prominent media outlets. Smaller breaches must be reported to HHS annually.

While HIPAA doesn't explicitly mandate encryption, encryption is an addressable implementation specification under the Security Rule. If you choose not to encrypt, you must document why and implement an equivalent alternative safeguard. In practice, encryption is considered a best practice and provides a breach safe harbor: a breach involving properly encrypted data may not require notification.

HIPAA doesn't prohibit BYOD (Bring Your Own Device) but requires organizations to implement policies and technical controls to protect ePHI on personal devices. This includes mobile device management, encryption, remote wipe capabilities, strong authentication, and clear acceptable use policies.

A HIPAA compliance audit evaluates your organization's adherence to HIPAA Privacy, Security, and Breach Notification Rules. The OCR conducts audits either randomly or in response to complaints and breaches. Organizations should conduct internal audits annually to identify and address gaps before an official OCR audit occurs.

Cloud service providers that store or process ePHI are considered business associates and must sign a BAA. The cloud provider must implement appropriate security measures, and the covered entity must ensure the provider's controls meet HIPAA requirements. Major cloud providers like AWS, Azure, and Google Cloud offer HIPAA-eligible services.

The minimum necessary standard requires covered entities to limit their use and disclosure of PHI, and their requests for PHI, to the minimum amount needed to accomplish the intended purpose. This applies to internal access controls, information sharing with business associates, and disclosures to other covered entities.

HIPAA requires all workforce members to receive training on relevant HIPAA policies and procedures. Training should cover privacy and security awareness, the organization's specific HIPAA policies, how to identify and report potential breaches, and role-specific responsibilities. Training must be provided at hire and periodically thereafter.

HIPAA requires covered entities to retain documentation of their compliance efforts, including policies, procedures, risk assessments, and training records, for a minimum of six years from the date of creation or the date the document was last in effect. State laws may require longer retention periods for actual medical records.

The HIPAA Right of Access gives patients the right to obtain copies of their health records within 30 days, in the format they request. Covered entities can charge a reasonable, cost-based fee for copies. The OCR has made Right of Access enforcement a priority, issuing significant penalties for violations.

Yes, HIPAA fully applies to telehealth services. Healthcare providers must use HIPAA-compliant communication platforms, ensure proper encryption of video and audio transmissions, maintain appropriate documentation, and have BAAs with telehealth technology vendors. Consumer-grade video tools like standard Zoom or FaceTime are not HIPAA compliant.

A HIPAA contingency plan addresses how your organization will maintain access to ePHI during emergencies such as system failures, natural disasters, or cyberattacks. It must include a data backup plan, disaster recovery plan, and emergency mode operation plan. Regular testing of the contingency plan is a required implementation specification.