HIPAA FAQs, Business Associate Agreement

Basic HIPAA FAQs: Easy HIPAA Facts that You Need to Know



HIPAA consists of a complex set of rules and regulations that can be difficult to understand when you’re not a regulatory lawyer. Since HIPAA has been updated several times since the initial law went into effect in 1996, many professionals are still asking some of the most basic questions. We at Telehealth.org, therefore, provide answers to several basic HIPAA questions in our HIPAA FAQs below.

HIPAA FAQs: Understanding Basic HIPAA Requirements

Several questions are frequently asked about HIPAA. HIPAA FAQs generally relate to what HIPAA is, how it applies to different healthcare organizations, and how to comply with its standards.

What Are the Basic HIPAA Rules?

There are three basic HIPAA rules: the Privacy, Security, and Breach Notification Rules.

  • Privacy Rule: Dictates the proper uses and disclosures of protected health information (PHI).
  • Security Rule: Requires the confidentiality, integrity, and availability of PHI.
  • Breach Notification Rule: Requires PHI breaches to be reported to affected patients, the Department of Health and Human Services (HHS), and for larger breaches, the media.

How Does HIPAA Apply to Behavioral Health Providers?

Behavioral health providers are considered covered entities under HIPAA. As HIPAA-covered entities, behavioral health providers must comply with all of the standards set forth by the HIPAA Privacy, Security, and Breach Notification Rules. It is important to note that technology vendors are not covered entities, so they are able to sell you technology that does not meet the required standards. For a list of basic HIPAA questions to ask any video company, see the Telehealth.org report, Videoconferencing Checklist: 30 Questions to Ask Each of Your Potential Video Vendors.

For example, when sending email through Gmail, either as the sender or the recipient, you need to buy the paid version of Gmail, known as G Suite. See the Telehealth.org article entitled HIPAA Compliance with a Google BAA for details.

How Do Professionals Become HIPAA Compliant?

To become HIPAA compliant, certain requirements must be met. These include:

  • Conducting annual self-audits
  • Remediating compliance gaps
  • Implementing HIPAA Privacy, Security, and Breach Notification policies and procedures
  • Conducting employee HIPAA training
  • Signing business associate agreements
  • Implementing an incident response strategy

What Is a HIPAA Risk Assessment?

A HIPAA risk assessment, also known as a security risk analysis, enables you to assess the risks and vulnerabilities in your security protections for electronic protected health information. The HIPAA Security Rule requires organizations to conduct a risk assessment annually to account for any changes in business practices. Conducting a risk assessment identifies gaps in compliance. To be HIPAA compliant, these compliance gaps must be addressed with remediation efforts.

What Is a Business Associate and a Business Associate Agreement?

Business associates are entities that create, receive, store, transmit, or maintain PHI on behalf of their covered entity clients. Some examples of business associates include billing services, electronic health record providers, and software providers. As covered entities, healthcare professionals in the United States are required by HIPAA to buy their technology only from vendors who offer business associate agreements (BAAs).

Who Needs a Business Associate Agreement?

A business associate agreement (BAA) is a legal document that must be signed between covered entities and their business associates. BAAs must be signed before PHI may be shared with business associate vendors. A BAA limits the liability of both signing parties, as it requires each to be HIPAA compliant and to be responsible for maintaining their own compliance.

What Are Basic HIPAA Training Requirements?

HIPAA requires all employees that have the potential to access PHI to be trained. Training must include an overview of HIPAA, cybersecurity best practices, and their organization’s internal HIPAA policies and procedures. To comply with HIPAA standards, employees must be trained upon hire and retrained annually thereafter.

HIPAA Resources

Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!

Basic Telehealth Legal & Ethical Rules: HIPAA, Privacy, Working Across State Lines, Malpractice Insurance

Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!

Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. We do not and cannot offer legal, ethical, billing, technical, medical, or therapeutic advice. Use of this site constitutes your agreement to the Telehealth.org Privacy Policy and Terms and Conditions.

Darlene Kirkpatrick
7 days ago

What information is not protected by HIPAA?
