HIPAA consists of a complex set of rules and regulations that can be difficult to understand when you’re not a regulatory lawyer. Since HIPAA has been updated several times since the initial law went into effect in 1996, many professionals are still asking some of the most basic questions. We at Telehealth.org, therefore, provide answers to several basic HIPAA questions in our HIPAA FAQs below.
HIPAA FAQs: Understanding Basic HIPAA Requirements
Several questions are frequently asked about HIPAA. HIPAA FAQs generally relate to what HIPAA is, how it applies to different healthcare organizations, and how to comply with its standards.
What Are the Basic HIPAA Rules?
There are three basic HIPAA rules: the Privacy, Security, and Breach Notification Rules.
- Privacy Rule: Dictates the proper uses and disclosures of protected health information (PHI).
- Security Rule: Requires safeguards that protect the confidentiality, integrity, and availability of PHI.
- Breach Notification Rule: Requires PHI breaches to be reported to affected patients, the Department of Health and Human Services (HHS), and for larger breaches, the media.
How Does HIPAA Apply to Behavioral Health Providers?
Behavioral health providers are considered covered entities under HIPAA. As HIPAA-covered entities, behavioral health providers must comply with all of the standards set forth by the HIPAA Privacy, Security, and Breach Notification Rules. It is important to note that technology vendors are not covered entities, so they are able to sell you technology that does not meet the required standards. For a list of basic HIPAA questions to ask any video company, see the Telehealth.org report Videoconferencing Checklist: 30 Questions to Ask Each of Your Potential Video Vendors.
For example, when sending email through Gmail, either as the sender or the recipient, you need to buy the paid version of Gmail, known as G Suite. See the Telehealth.org article HIPAA Compliance with a Google BAA for details.
How Do Professionals Become HIPAA Compliant?
To become HIPAA compliant, certain requirements must be met. These include:
- Conducting annual self-audits
- Remediating compliance gaps
- Implementing HIPAA Privacy, Security, and Breach Notification policies and procedures
- Conducting employee HIPAA training
- Signing business associate agreements
- Implementing an incident response strategy
What Is a HIPAA Risk Assessment?
A HIPAA risk assessment, also known as a security risk analysis, enables an organization to assess the risks and vulnerabilities in its security protections for electronic protected health information (ePHI). The HIPAA Security Rule requires organizations to conduct a risk assessment annually to account for any changes in business practices. Conducting a risk assessment identifies gaps in compliance. To be HIPAA compliant, these compliance gaps must be addressed with remediation efforts.
What Is a Business Associate and a Business Associate Agreement?
Business associates are entities that create, receive, store, transmit, or maintain PHI on behalf of their covered entity clients. Some examples of business associates include billing services, electronic health record providers, and software providers. As covered entities, healthcare professionals in the United States are mandated by HIPAA to buy their technology only from vendors who offer business associate agreements (BAAs).
Who Needs a Business Associate Agreement?
A business associate agreement (BAA) is a legal document that must be signed between covered entities and their business associates. BAAs must be signed before PHI may be shared with business associate vendors. A BAA limits the liability of both signing parties, as it requires each to be HIPAA compliant and responsible for maintaining its own compliance.
What Are Basic HIPAA Training Requirements?
HIPAA requires all employees who have the potential to access PHI to be trained. Training must include an overview of HIPAA, cybersecurity best practices, and the organization’s internal HIPAA policies and procedures. To comply with HIPAA standards, employees must be trained upon hire and retrained annually thereafter.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!
Basic Telehealth Legal & Ethical Rules: HIPAA, Privacy, Working Across State Lines, Malpractice Insurance
Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!
What Information Is Not Protected by HIPAA?
According to our legal sources, you are not regulated by HIPAA for any information that stays on an electronic device, computer, or mobile device without being transmitted. The minute information leaves your electronic device, you are subject to HIPAA; in some states, you are subject to other privacy laws as well. If you have any doubts, you may want to ask your malpractice company’s attorney.