HIPAA (currently under revision)
Step-wise Approach to Achieving Compliance (currently under revision)
Frequently Asked Questions (currently under revision)


  • HHS – Department of Health and Human Services
  • OCR – HHS Office for Civil Rights [www.hhs.gov/ocr/hipaa] – OCR will investigate complaints
  • PHI – Protected Health Information – information created or received by a health care provider that relates to the past, present or future physical or mental health of the individual; to the provision of health care; or to payment for the provision of health care
  • TPO – treatment, payment or health care operations
  • Business Associates – those who receive PHI from covered entities in order to carry out essential functions or perform services for providers (accountants, lawyers, medical transcription services, claims processing vendors)
  • Covered Entity – health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically
  • Personal Representative – usually a parent or guardian of a minor who has the authority to make health care decisions and therefore has the right to obtain access to health information and control PHI
  • DRS – designated record set
  • Gap Analysis – assessment of the practice as it pertains to the accessibility of records to providers, employees, or patients; the physical location of records; and computer access.
  • Minimum Necessary – disclose the least amount of PHI for treatment purposes; a reasonable effort to limit use, disclosure and requests for PHI. Exceptions: disclosures to HHS (OCR), disclosures required by other laws, disclosures needed to comply with HIPAA transactions, or disclosures authorized by the patient.



The purpose of the Privacy Rule is to protect patients from unauthorized access to their health information. In one case a hospital's computer system was broken into and sensitive information was divulged; in another, a system was accessed and information was altered. The fear by individuals that their health information could be used in this way, or against them, such as for withholding of insurance, jobs, etc., has prompted the need to protect the public against this technological assault.

The Privacy Rule, HIPAA 1996, became effective 4/14/2001, with the requirement that practices be compliant by 4/14/2003, and small practices by 2004. Guidelines will be issued periodically to aid in this transition, in addition to the steps covered entities will need to take to come into full compliance. An important concept to this end is scalability, which means that the extent to which the rules apply is scaled to the size and complexity of each practice. The fifty-physician group must have more stringent rules and safeguards in place than the solo practitioner.

The Health Insurance Portability and Accountability Act (HIPAA) Security Standards (the "Security Rule") were published in final form in the Federal Register on February 20, 2003. All covered entities, including physicians who transmit standard transactions (e.g., claims), must comply with the Security Rule by April 21, 2005. The Security Rule is intended to establish a level of protection for protected health information, focusing on information transmitted and maintained electronically. The Security Rule specifies a series of administrative, technical and physical procedures to assure the security of protected health information.

Although the previously published proposed rule included a standard for electronic signatures, this version of the Security Rule does not include the electronic signature standard requirement. A final rule for electronic signatures will be published at a later date. The AMA will provide a summary of the Security Rule and a compliance checklist shortly. The six-page text of the Security Rule is available at the link below, starting at page 44; the remainder of the document is background information. Visit http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/pdf/03-3877.pdf for additional information.


Step-wise approach to achieving compliance:

  1. Name a Privacy Officer.
  2. Assess information forms – computers, charts. Provide a policy for automatic log-off, unique user ID and password, and audit trails.
  3. Assess physical security – remedy any breaches.
  4. Write policies and procedures –
    1. Confidentiality of PHI
    2. Patient Consent and Notice of Privacy Policies
    3. Medical record storing, accessing, releasing
    4. Workstations
    5. Charts
    6. Faxes
    7. Verbal communications of PHI
    8. E-mail with PHI
    9. Electronic communications (employees and patients)
    10. Sign-in sheets/logs
    11. BA policies
    12. Minimum necessary – what constitutes the minimum amount of information needed to communicate
    13. Employee termination
    14. Release of information
    15. Remote access
    16. Patient Rights
  5. Teach employees.
  6. Notice to patients – create the Privacy Notice, and make available.
  7. Consent Form, which describes how PHI will be used and refers them to the Privacy Notice.
  8. Review and amend BA contracts.
  9. Assess external threats (need for "firewalls").
  10. Create an Authorization form if there is an intent to use PHI for other reasons (e.g., research).


Frequently asked questions:

  1. Which will take priority – State laws or HIPAA?
    The State laws, which usually are more restrictive, override HIPAA, as does CLIA.
  2. Can a provider use collection agencies or credit agencies?
    As long as there is a proper agreement in place between the covered entity and the BA (collection or credit agencies), then this is acceptable to carry out TPO. However, information should be limited to payment history.
  3. Is the covered entity liable for privacy violations of a BA?
    No. Make sure there is a signed agreement with each Business Associate.
  4. Can research be done without individual authorizations?
    If patient data are "de-identified", so that there is no feasible way the information can be associated with an individual, research can be done. Usually, the IRB (Internal Review Board) of an institution has clearly specified restrictions and limitations for research, and these are compliant with the Privacy Rule.

Contact the Author: Andrea Leeds, M.D.