As a smaller healthcare provider or business owner, getting your head around HIPAA compliance can be tough. In recognition of this, the U.S. Department of Health & Human Services (HHS) has a whole section on its website dedicated to answering HIPAA-related questions that small organizations frequently ask. While it is by no means an exhaustive list, here are some key questions and answers every organization needs to know.
Who’s covered by HIPAA?
HIPAA covers health plans, healthcare clearinghouses, and healthcare providers who conduct certain financial and administrative transactions electronically. Collectively, these entities are called “covered entities” under HIPAA and must adhere to the privacy standards.
What is the HIPAA Privacy Rule?
In short, the HIPAA Privacy Rule sets national standards to protect individuals’ medical records and other personal health information. For example, the Privacy Rule gives patients more control over their health information, sets limitations on the use of health records, and establishes safeguards for protecting the privacy of health information. Violations of the Privacy Rule can lead to civil and criminal penalties.
What is required under the HIPAA Privacy Rule?
In general terms, under the Privacy Rule covered entities are required to undertake the following activities:
- Inform patients about their privacy rights and how their information is used.
- Adopt and implement privacy procedures.
- Train staff to understand the privacy procedures.
- Designate an individual to be responsible for ensuring privacy procedures are adhered to – at a small practice this may be an individual who also has other duties, such as the office manager.
- Secure patient records containing individually identifiable health information.
Must all small health plans comply with the Privacy Rule?
Certain plans are excluded from having to comply with the Privacy Rule. For example, an employee welfare benefit plan that has fewer than 50 participants and is administered by the employer that establishes and maintains the plan is not a HIPAA covered entity.
Does the HIPAA Privacy Rule permit healthcare providers to share patient health information for treatment purposes without the patient’s authorization?
Yes, it does. The Privacy Rule allows healthcare providers such as doctors, nurses and hospitals that are covered entities to use or disclose protected health information (PHI) for treatment purposes without the patient’s authorization. This includes sharing the information with other healthcare providers (including providers who are not covered entities) to treat a different patient, or to refer the patient.
Is a covered entity liable for the actions of its business associates?
While the Privacy Rule requires covered entities to enter into written contracts with business associates to protect the privacy of PHI, covered entities are not required to oversee how their business associates implement their safeguards or the extent to which the business associate abides by the contract, nor are they liable for the actions of their business associates. That said, if a business associate breaches the contract and the covered entity finds out about it, reasonable steps must be taken to end the violation or breach. If unsuccessful, the contract with the business associate must be terminated.
Is a software vendor a business associate of a covered entity?
It depends. A software vendor is only considered a business associate if it needs to gain access to the PHI of the covered entity in order to provide its service. Merely selling or providing software does not make a vendor a business associate.
Please note this is absolutely not a complete list of everything you need to know about HIPAA. For more information head over to HHS.gov.