HIPAA Privacy Rule FAQs

  1. What is the purpose of the HIPAA Privacy Rule?

    The HIPAA Privacy Rule provides national standards that protect individuals’ personal health information. Specifically, the HIPAA Privacy Rule:

    • Provides patients with more control over their health information
    • Establishes limitations on the use and disclosure of personal health information
    • Mandates safeguards that covered entities must adopt and implement to protect individuals’ personal health information
    • Subjects violators to civil and criminal penalties

  2. Who must comply with the HIPAA Privacy Rule?

    Under the HIPAA Privacy Rule, what are referred to as “covered entities” must comply with the privacy standards. These entities include:

    • Health plans
    • Health care clearinghouses
    • Health care providers who conduct certain electronic financial and administrative transactions such as electronic billing and fund transfers

  3. What are health care providers required to do under the HIPAA Privacy Rule?

    Health care providers are required to do the following to meet compliance:

    • Secure patients’ medical records and other personal health information
    • Notify patients about their privacy rights and explain to the patient how their health information can be used
    • Establish and follow privacy procedures within the organization
    • Provide HIPAA training to employees to ensure a good understanding of both Federal and state laws, as well as the organization’s privacy procedures
    • Appoint a Privacy Official to oversee the organization’s privacy program

  4. When patients request copies of their medical records, are they required to pay for them?

    Under the Privacy Rule, covered entities are permitted to charge reasonable cost-based fees for copying patients’ medical records. The fees should be charged to cover the cost of copying the medical records and postage (if the patient requests medical records to be mailed) only. “Labor costs” associated with searching for, compiling, and copying files cannot be charged for.

  5. Can medical records be released to or accessed by a personal representative of an adult or emancipated minor?

    Under the HIPAA Privacy Rule, an individual’s personal representative is treated as the individual, whether the individual is an adult or an emancipated minor. A personal representative may access the individual’s medical records and is authorized to make health care decisions on behalf of the individual. However, there is an exception to this provision: Covered Entities are permitted to use professional judgment and decline to treat a personal representative as the individual if the entity believes that doing so would not be in the best interest of the individual. A good example of this is when an individual is subject to domestic violence, abuse, or neglect. If the personal representative may be involved, the covered entity can choose not to grant the personal representative access or share information with them.

  6. Can individuals revoke their authorization?

    Under the HIPAA Privacy Rule, individuals have the right to revoke their authorization at any time. The individual must submit a written revocation to the covered entity in order to do so. The written revocation is effective as soon as the covered entity receives it.

  7. Are there any exceptions to the HIPAA Privacy Rule disclosure standards?

    Covered entities are not required to obtain an individual’s authorization for any of the following disclosures:

    • Disclosures for health oversight activities
    • Disclosures for organ donation or transplantation
    • Disclosures for specialized government functions
    • Disclosures for Workers’ Compensation
    • Disclosures made for judicial and administrative proceedings
    • Disclosures made to avert imminent threat to health or safety of a person or public
    • Disclosures made to law enforcement
    • Disclosures related to public health
    • Disclosures that are required by law
    • Disclosures to coroners and medical examiners
    • Reports to government agencies of abuse, neglect or domestic violence

  8. Is there a difference between authorization and consent under the HIPAA Privacy Rule?

    Covered Entities are permitted but not required to voluntarily obtain patient consent for uses and disclosures of protected health information for the purposes of treatment, payment, and health care operations. “Authorization” is required for uses and disclosures of protected health information that are not otherwise permitted by the Privacy Rule. Finally, when the Privacy Rule requires patient authorization, a voluntary patient consent is not sufficient to satisfy the requirement of a valid authorization.

  9. Are Covered Entities required to prevent all potential risks of incidental use or disclosure of protected health information?

    Covered Entities are not required to eliminate all risk of incidental use or disclosures. However, the Privacy Rule does require covered entities to implement reasonable safeguards to reduce the likelihood of incidental uses or disclosures.

  10. Can a Covered Entity hire a Business Associate to handle the disposal of PHI?

    A Covered Entity can hire a Business Associate to dispose of PHI, so long as the Business Associate enters into a contract with the Covered Entity. The contract should require that the Business Associate dispose of the PHI in accordance with Federal and state laws.

  11. What are the HIPAA Privacy and Security requirements for the disposal of PHI?

    Covered Entities are required to apply the appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. This applies to all forms of PHI. Under the HIPAA Privacy and Security Rules, Covered Entities are not permitted to abandon PHI or dispose of any such information in a way that will render it accessible to the public or to unauthorized individuals. Covered Entities are required to train their workforce on the proper disposal of PHI. Note that under federal standards, the “workforce” includes volunteers. Covered Entities are expected to determine for themselves what steps are reasonable in the disposal of PHI in order to comply with the HIPAA Privacy and Security Rules.

HIPAA Security Rule FAQs

  1. What is the purpose of the HIPAA Security Rule?

    HIPAA established Federal standards for the security of electronic protected health information (e-PHI). The Security Rule was created to ensure that every Covered Entity has safeguards in place to protect the confidentiality, integrity, and availability of e-PHI. Created as a response to the increase in the exchange of e-PHI between Covered Entities, as well as non-Covered Entities, the Security Rule aims to protect an individual’s health information without hindering access and use of that information by health care providers, clearinghouses, and health plans. The standards established by the Security Rule are considered to be the bare minimum of protection required. State laws often provide more stringent standards, which should be applied over and above the new Federal security standards.

  2. What is the difference between “addressable” and “required” implementation specifications in the Security Rule?

    The Security Rule uses two types of implementation specifications to address how the administrative, physical, and technical safeguards should be met. When a specification is described as “required,” that specification is considered mandatory. When the rule states that the specification is “addressable,” a Covered Entity has some flexibility with respect to how they choose to comply with the standard. A Covered Entity may choose to follow one of the following options in order to meet addressable implementation specifications:

    • Implement the addressable implementation specifications as outlined in the rule
    • Implement one or more alternative security measures that will accomplish the same purpose
    • Decide not to implement either the addressable implementation specification or an alternative. However, when a Covered Entity chooses this option, the reasoning
      supporting this decision must be documented. This written documentation should include the factors considered by the Covered Entity, as well as the results of any risk
      assessment on which the decision was based

  3. What types of information does the Security Rule cover?

    The Security Rule applies only to e-PHI – which includes telephone voice response and fax-back systems, as these systems can be used as input and output devices for electronic information systems. E-PHI does not include paper-to-paper faxes, video teleconferencing, or messages left on voice mail, as the information being exchanged did not exist in electronic form before transmission. However, the requirements of the Privacy Rule apply to all forms of protected health information, including written and oral.

  4. How can a Covered Entity determine whether its organizational systems comply with the Security Rule’s requirements?

    HIPAA Security compliance varies from organization to organization, and is an ongoing and ever-changing process. Due to the high degree of flexibility needed to accommodate each individual organization, the Security Rule does not outline any single strategy that is designed to fit all Covered Entities. However, §164.306 of the Security Rule contains guidance that organizations can use to determine how best to comply with the standards and implementation specifications. In general, organizations can fulfill the requirements of the Security Rule by:

    • Performing a risk analysis
    • Performing periodic technical and non-technical evaluations of the information security environment
    • Implementing reasonable and appropriate security measures
    • Documenting and maintaining policies, procedures, and other required documentation

  5. Does the Security Rule require an organization to use any specific technologies?

    No. The Security Rule standards are “technology neutral”. This allows Covered Entities to use technologies that meet their individual organizational needs. As the various technologies and software used by the health care community continue to be rapidly developed, improved, and changed, the Security Rule aims to avoid tying Covered Entities to the use of a specific system that might quickly become ineffective or obsolete.

  6. Are Covered Entities required to certify organizational compliance with Security Rule standards?

    No. There is no standard or implementation specification outlined in the Security Rule that requires a covered entity to “certify” compliance. The Security Rule evaluation standard does, however, require covered entities to perform a periodic technical and non-technical evaluation to test whether their security policies and procedures meet security requirements. These evaluations can be performed internally or externally. Organizations may decide to use an external organization such as a consulting company to perform the evaluation, as these companies may have more security knowledge and are able to provide an outside and unbiased view of operations.

  7. What agency is in charge of enforcing both the HIPAA Privacy and Security Rules?

    The HIPAA Privacy and Security Rules are enforced by the Office for Civil Rights (OCR).

  8. What is the difference between Risk Management and Security Risk Analysis?

    Risk management is the process of implementing required security measures in order to reduce an organization’s risk of losing or compromising its e-PHI. The Security Rule, however, defines risk analysis as the assessment of the risks and vulnerabilities that could negatively impact the confidentiality, integrity, and availability of e-PHI, as well as the overall likelihood of a security incident occurring. When conducting a risk analysis, organizations may want to:

    1) Take inventory of all systems and applications that are used to access and house data
    2) Classify each system by level of risk

    When looking at each system, Covered Entities should consider all relevant losses that would be expected if the security measures were not in place. Losses to consider include:

    • Loss or damage of data
    • Corrupted data system
    • Anticipated ramifications of such losses or damage

  9. What are some examples of potential threats to consider when conducting a risk analysis?

    By identifying potential sources of threats, the probability of each threat occurring, and the impact that would have on the confidentiality, integrity, and/or availability of e-PHI, Covered Entities can determine where to focus their risk analysis. The National Institute of Standards and Technology (NIST) categorizes threats into three common categories:

    • Natural: Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events
    • Human: Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate
      actions (network-based attacks, malicious software upload, unauthorized access to confidential information)
    • Environmental: Long-term power failure, pollution, chemicals, and liquid leakage
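    The two answers above describe risk analysis as a procedure: inventory the systems that house e-PHI, identify threats by category, rate each threat’s likelihood and its impact on confidentiality, integrity, and availability, and classify each system by level of risk. The following Python script is an added illustration of that procedure and is not part of the FAQ, nor a method prescribed by the Security Rule, OCR, or NIST. The inventory, the threats, the 1–5 rating scales, and the “likelihood × worst C/I/A impact” scoring convention with its high/medium/low thresholds are all constructed assumptions for the example; a real analysis would substitute the organization’s own inventory and rating scheme.

```python
"""Worked risk-analysis example (added illustration; constructed data, not from the FAQ)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The three NIST threat categories named in the FAQ.
CATEGORIES = ("natural", "human", "environmental")


@dataclass(frozen=True)
class Threat:
    """A threat rated on a constructed 1 (lowest) .. 5 (highest) ordinal scale."""
    name: str
    category: str
    likelihood: int   # probability of the threat occurring
    impact_c: int     # impact on confidentiality of e-PHI
    impact_i: int     # impact on integrity
    impact_a: int     # impact on availability

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown threat category: {self.category}")
        for value in (self.likelihood, self.impact_c, self.impact_i, self.impact_a):
            if not 1 <= value <= 5:
                raise ValueError("ratings must be between 1 and 5")

    @property
    def score(self) -> int:
        # Assumed convention: likelihood times the worst-case C/I/A impact.
        return self.likelihood * max(self.impact_c, self.impact_i, self.impact_a)


@dataclass
class System:
    """An inventoried system or application and the threats that apply to it."""
    name: str
    holds_ephi: bool
    threats: List[Threat] = field(default_factory=list)

    def risk_score(self) -> int:
        # Systems that hold no e-PHI are out of scope for the Security Rule analysis.
        if not self.holds_ephi or not self.threats:
            return 0
        return max(t.score for t in self.threats)


def classify(score: int) -> str:
    """Map a score to a risk level (assumed thresholds for this example)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_inventory(systems: List[System]) -> List[Tuple[str, int, str]]:
    """Step 2 of the FAQ procedure: classify each inventoried system by level of risk."""
    ranked = sorted(systems, key=lambda s: s.risk_score(), reverse=True)
    return [(s.name, s.risk_score(), classify(s.risk_score())) for s in ranked]


def worst_threat_by_category(systems: List[System]) -> Dict[str, Tuple[str, int]]:
    """Highest-scoring in-scope threat per NIST category, to show where to focus."""
    worst: Dict[str, Tuple[str, int]] = {}
    for system in systems:
        if not system.holds_ephi:
            continue
        for t in system.threats:
            if t.category not in worst or t.score > worst[t.category][1]:
                worst[t.category] = (t.name, t.score)
    return worst


def build_sample_inventory() -> List[System]:
    """Constructed sample inventory; the names and ratings are illustrative only."""
    phishing = Threat("credential theft via phishing", "human", 4, 5, 3, 2)      # 20
    ransomware = Threat("malicious software upload", "human", 3, 4, 5, 5)       # 15
    data_entry = Threat("inadvertent data entry", "human", 4, 1, 3, 1)          # 12
    flood = Threat("flood", "natural", 1, 1, 3, 5)                              # 5
    power = Threat("long-term power failure", "environmental", 2, 1, 2, 4)      # 8
    return [
        System("EHR database", True, [phishing, ransomware, flood, power]),
        System("Billing workstation", True, [data_entry, power]),
        System("Offsite backup tapes", True, [flood, power]),
        System("Cafeteria menu site", False, [ransomware]),
    ]


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for name, score, level in rank_inventory(inventory):
        print(f"{level:6} {score:3}  {name}")
    for category, (threat, score) in worst_threat_by_category(inventory).items():
        print(f"focus ({category}): {threat} [{score}]")
```

    The output lists the EHR database as the only high-risk system, driven by the human threat category, while the cafeteria site scores zero because it holds no e-PHI. Changing a likelihood or impact rating re-ranks the inventory, which is the point of keeping the ratings, and the reasoning behind them, documented as the FAQ requires.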

  10. What must a Covered Entity do to comply with the Security Incidents Procedures standard?

    The HIPAA Security Rule defines a security incident as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Each Covered Entity is required to develop and implement policies and procedures that outline how to deal with potential security incidents, including:

    • How to identify a security incident
    • How to report a security incident
    • How to appropriately respond to a security incident
    • How to mitigate the harmful effects of an identified security incident
    • How to document information regarding a security incident and its outcome

  11. How does the Security Rule define physical safeguards?

    Physical safeguards are defined as physical measures, policies, and procedures that an organization uses to protect its electronic information systems, buildings, and equipment from both natural and environmental hazards, and unauthorized access or intrusion. These standards must be implemented on systems housed on the Covered Entity’s premises, as well as those housed at another location. The Security Rule physical standards are broken down into the following categories:

    • Facility access controls
    • Workstation use
    • Workstation security
    • Device and media controls

  12. What is encryption, and are Covered Entities required to use it?

    OCR defines encryption as a method of converting an original message of regular text into encoded text by means of an algorithm. The Security Rule categorizes encryption as “addressable”. However, where an organization determines that encryption is a reasonable and appropriate safeguard in its risk management processes, encryption should be used. When a Covered Entity decides that the use of encryption is not reasonable and appropriate, that decision and reasoning must be documented, and an equivalent alternative measure must be put in place, presuming that the alternative is reasonable and appropriate.

  13. Does the Security Rule contain requirements for access control, such as automatic logoff?

    Yes. Covered Entities are required to have appropriate safeguards in place to protect the organization’s data, regardless of where the employee is working (in office, at home, remotely).

  14. What protections are required to ensure that e-PHI is properly transmitted via email or over the Internet?

    Covered Entities may send e-PHI over an open network as long as it is adequately protected. The Security Rule standards clearly state that Covered Entities must develop appropriate policies and procedures that restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. As such, before sending emails with e-PHI, a Covered Entity should:

    • Assess its use of open networks
    • Identify the available and appropriate means to protect e-PHI as it is transmitted
    • Select a solution and document the decision

  15. Can a Covered Entity assign the same log-on or user ID to multiple employees?

    No. The Security Rule requires that all covered entities, regardless of size or type, assign a unique name and/or number for identifying and tracking user identity of each employee who uses a system that maintains e-PHI. This allows a Covered Entity to identify and track system access and activity by each user.

  16. Can a Covered Entity reuse or dispose of computers or other electronics that store e-PHI?

    Yes, if certain steps have been taken to remove the e-PHI that was stored on the computer or electronic device. The HIPAA Security Rule contains specific requirements that address the disposition of e-PHI.

HITECH Act FAQs

  1. What is the HITECH Act?

    The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA), was signed into law on February 17, 2009. The HITECH Act was intended to promote the adoption and meaningful use of health information technology. The HITECH Act is responsible for the following:

    • Requiring HIPAA Covered Entities and business associates to provide notification following a breach of unsecured protected health
      information (PHI)
    • Extending many of the responsibilities contained in the HIPAA Security Rule to Business Associates
    • Providing individuals with a right to obtain their PHI in an electronic format where the Covered Entity has implemented an electronic health
      record (EHR) system
    • Strengthening the civil and criminal enforcement of the HIPAA rules

  2. What actions must Covered Entities take to comply with the HITECH Act breach notification requirements?

    The HITECH Act breach notification requirements make it mandatory for Covered Entities and their Business Associates to provide notification following a breach of unsecured protected health information (PHI). When a breach occurs, Covered Entities must promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. There are specific timeframes for notification, as well as content and methodology required for each notification.

  3. What is the definition of a breach?

    According to the HITECH Act, a breach is defined as an “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.” In addition, three types of scenarios are excepted from the breach definition:

    • Where PHI is unintentionally acquired, accessed, or used by a workforce member acting under the authority of a covered entity or business associate
    • Where PHI is inadvertently disclosed from a person authorized to access PHI at a covered entity or business associate to another person
      authorized to access PHI at the covered entity or business associate
    • Where there is a good faith belief, by the covered entity or business associate, that the unauthorized individual to whom the impermissible
      disclosure of PHI was made would not have been able to retain the information

  4. How did the HITECH Act change Business Associate HIPAA responsibilities?

    Before the HITECH Act, Covered Entities used Business Associate Agreements (BAA) to impose requirements on their Business Associates. Now, the HITECH Act requires all Business Associates to comply with the HIPAA Security Rule administrative, physical, and technical safeguards regardless of whether a BAA is in place.

  5. Have the final HITECH Act regulations been released yet?

    They were released in summer 2012.