Frequently Asked Questions: HIPAA Privacy Standards
Prepared by Laura Groshong, WSCMHPC Lobbyist
Here are some of the most frequently asked questions about the
new Federal HIPAA privacy standards affecting medical records and
1. Generally what do the HIPAA Privacy Standards require
clinicians to do?
Clinicians who meet the definition of a "covered entity"
under the Privacy Standards (see below) must 1) Notify patients
of their privacy rights with the Notice of Privacy Practices (NPP);
2) Develop privacy policies; 3) Designate a Privacy Officer; 4)
Keep all records, paper and electronic, secured, e.g., in locked file
cabinets and on password-protected and/or encrypted computers; 5) Develop
Authorization Forms and Business Associate Agreements.
2. Which clinicians must become HIPAA compliant?
All clinicians who send health information in electronic form in
connection with transactions for which the Secretary of HHS has
adopted standards under HIPAA are “covered entities” (see below).
If a clinician is not sending information electronically, he or
she technically is not a covered entity under HIPAA. However, it
is advisable for all clinicians to become familiar with the HIPAA
Privacy Standards as they are likely to become the basis for standard
practice in all areas of confidentiality in practice.
3. When do clinicians need to comply with the Privacy Standards?
The compliance deadline under the Privacy Standards for health care
providers was April 14, 2003. The two other components of HIPAA,
the Security Standards and the Transaction and Code Set Standards,
have separate deadlines. For clinicians who filed for an extension
under the Transaction and Code Set Standards, the deadline for compliance
is October 16, 2003; otherwise, the deadline for compliance was
October 16, 2002. The Security Standards were finalized in February 2003;
the deadline for compliance with them is April 20, 2005.
4. What is a “covered entity”?
A covered entity is defined under the Privacy Standards as any health
plan, health care clearinghouse, or health care provider who transmits
health information in electronic form in connection with transactions
for which the Secretary of HHS has adopted standards under HIPAA.
In practice, most clinicians who bill insurance electronically
are covered entities. For help in determining whether you are a covered
entity, see the decision tool at: http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp
5. What is Protected Health Information (PHI)?
Protected Health Information (PHI) is health information that is
identifiable to a specific individual and that is maintained or
transmitted by a covered entity in any form, whether in oral, paper,
or electronic form.
6. What are “covered transactions”?
A covered transaction is any computer-to-computer transmission of
healthcare claims, payment and remittance, benefit information,
or health plan eligibility information. The covered transactions
most commonly used by clinicians include Health Care Claims
(request for reimbursement by a provider to a health plan for health
care services); Eligibility for Treatment (request for
information by a provider to a health plan about eligibility, coverage
limits, and/or benefits in a health plan for a client or potential
client); Authorization for Treatment (request made to a
health plan for authorization of mental health treatment by a mental
health provider); and Health Care Claims Status (request
by a mental health provider to a health plan for the status of a
claim that has already been submitted).
7. When may PHI be disclosed without an Authorization form
signed by the patient?
PHI may be disclosed without a separate Authorization form being
signed by the patient when the disclosure falls within the uses the
Privacy Standards already permit and that the patient has been told
about through the NPP. This generally includes information about
treatment, payment, and health care operations (TPO). Note that
psychotherapy notes kept separate from the rest of the record are an
exception: releasing them requires a specific Authorization even for
most TPO purposes.
8. What does “minimum necessary” mean in disclosing PHI?
“Minimum necessary” is the principle behind all uses, disclosures,
and requests of PHI, except for disclosures made between health care
providers for treatment purposes. This means that the information
disclosed is the “minimum necessary” for the specific disclosure, e.g.,
information being disclosed for payment purposes does not require
information about treatment progress. The major exception to the
“minimum necessary” principle is when the treatment itself is being
discussed, i.e., in supervision or consultation.
9. What is a “Business Associate”?
A Business Associate is a person or entity outside the clinician's own
workforce that performs certain functions or activities on behalf of a
covered entity that involve the use or disclosure of PHI. Examples of
Business Associates are a third-party administrator, an accountant, or
a contracted transcriptionist who transcribes information for TPO
purposes (an employee who does the same work is a member of the
workforce, not a Business Associate).
10. What is the “Notice of Privacy Practices” (NPP)?
The Notice of Privacy Practices informs a patient about the privacy
practices of the clinician. The NPP must include information about
how the clinician may use and disclose PHI about the patient; the rights
of the patient to have access to the record; who is responsible
for the development and implementation of the NPP; and the right
of the patient to request amendment of the record, among other
information. The clinician must make a good-faith effort to obtain the
patient's written acknowledgment of receipt of the NPP at the first
date of service except in