Advocates for ethical mental health care

Frequently Asked Questions: HIPAA Security Standards

October 2004
Prepared by Laura Groshong, LICSW

1. When do I have to have the HIPAA Security Standards in place to be HIPAA compliant?
All Covered Entities with over 50 employees must be compliant by April 21, 2005. All other smaller covered entities, including private practitioners must be compliant by April 21, 2006.

2. Are the Security Standards and Privacy Standards the same in the kinds of communications they cover?
The Security Standards apply only to electronic transmissions or data storage of electronic Protected Health Information (ePHI). The Privacy Standards apply to verbal, written and electronic transmission of Protected Health Information (PHI).

3. Do I have to comply with Security Standards if I am not a Covered Entity (CE)?
No. The Security Standards apply only to clinicians who are Covered Entities, i.e., who have sent Protected Health Information electronically at least once.

4. What is the purpose of the Security Standards?
To maintain the confidentiality of ePHI; to prevent changes to ePHI, i.e., maintain the integrity of the electronic data); to maintain availability to ePHI; to prevent unidentified electronic access to ePHI; and to prevent physical access by unidentified personnel to areas and computers holding ePHI.

5. What is the difference between “required” and “addressable” areas of the Security Standards?
“Required” areas must be covered in the Risk Management Plan; “addressable” areas may be covered in the Risk Management Plan, but are optional.

6. What is Risk Assessment?
Risk Assessment is the evaluation of 39 required and 4 optional items which are identified in the Security Standards.

7. What is a Risk Management Plan?
A Risk Management Plan is the documentation of how required Security Standards will be implemented.

8. Is external auditing of the Risk Management Plan necessary?
No, but it may be conducted by qualified reviewers if desired. A “certification” will not remove responsibility for compliance from the CE.

9. Do I have to ‘back up’ all ePHI on disc or CD?

10. Will I be found guilty of violating the Security Standards if I lose my ePHI due to theft or natural disaster?
Yes, if reasonable precautions according to the Security Standards have not been followed.

11. Do I need to have an ‘audit trail’ when I access my own ePHI on my own computer?
No, but a record of all disclosed ePHI is required.

12. Do I need a firewall, passcode (i.e., password), and other computer security systems to be compliant with the Security Standards?

13. Do I need to regularly change my password to be compliant with Security Standards?

14. What are the civil and criminal penalties for violating the Security Standards?
The civil penalties are $100 for every violation with a $25,000 cap for identical violations. The criminal penalties for purposeful violations are up to 10 years in prison and $250,000.


Washington State Coalition of Mental Health Professionals & Consumers
Mailing Address:  P.O. Box 30087  Seattle, WA 98113     Phone:   206-444-4304