LLMS Central - The Robots.txt for AI

hipaajournal.com

Last updated: 10/28/2025

Independent Directory - Important Information

This llms.txt file was publicly accessible and retrieved from hipaajournal.com. LLMS Central does not claim ownership of this content and hosts it for informational purposes only to help AI systems discover and respect website policies.

This listing is not an endorsement by hipaajournal.com and they have not sponsored this page. We are an independent directory service with no affiliation to the listed domain.

Copyright & Terms: Users should respect the original terms of service of hipaajournal.com. If you believe there is a copyright or terms of service violation, please contact us at support@llmscentral.com for prompt removal. Domain owners can also claim their listing.

Current llms.txt Content

# The HIPAA Journal

Independent news and advice for HIPAA compliance

Site URL: https://www.hipaajournal.com
Generated: 2025-06-16 15:07:16 UTC

--------------------------------------------------

## HIPAA Advice

- [HIPAA Compliance Checklist](https://www.hipaajournal.com/hipaa-compliance-checklist/) - This HIPAA compliance checklist explains what you need to know about HIPAA regulations.
- [What is HIPAA Incident Management?](https://www.hipaajournal.com/hipaa-incident-management/) - All HIPAA covered entities and business associates are required to have procedures in place for identifying and responding to suspected or known security incidents, mitigating any harmful effects of the incidents, and documenting the incidents and their outcomes.
- [HIPAA Violation Fines](https://www.hipaajournal.com/hipaa-violation-fines/) - HIPAA violation fines can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general for failing to comply with HIPAA regulations. In this article, we provide a detailed explanation of HIPAA violation fines that have been imposed on HIPAA-regulated entities found to have violated the HIPAA Rules.
- [What are the Penalties for HIPAA Violations?](https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/) - The penalties for HIPAA violations include civil monetary penalties ranging from $141 to $2,134,831 per violation, depending on the level of culpability. Criminal penalties can also be imposed for intentional HIPAA violations, leading to fines and potential imprisonment.
- [Background Checks for Healthcare Employees](https://www.hipaajournal.com/background-checks-for-healthcare-employees/) - Background checks for healthcare employees are an important safeguard in environments in which the well-being of patients and the integrity of the care are paramount. Pre-employment screening for healthcare workers – and frequent re-screening thereafter – can also help mitigate the risk of fraud and theft for healthcare organizations.
- [Outsourced HIPAA Compliance](https://www.hipaajournal.com/outsourced-hipaa-compliance/) - Outsourced HIPAA compliance is when a HIPAA-regulated entity engages external consultants to manage part, or all, of the organization’s HIPAA compliance obligations in order to support an existing in-house compliance team, as an alternative to building an in-house team, or in response to a HIPAA security incident.
- [HIPAA Compliance for Software Development](https://www.hipaajournal.com/hipaa-compliance-for-software-development/) - HIPAA compliance for software development is an important consideration for vendors and service providers who intend to develop or provide software for the healthcare and health insurance industries that will be used to create, receive, store, or transmit Protected Health Information. However, software HIPAA compliance is rarely the only consideration.
- [Effective HIPAA Policy Management](https://www.hipaajournal.com/hipaa-policy-management/) - Effective management of HIPAA policies is one of the most constructive ways in which organizations can support HIPAA compliance by ensuring policies and procedures are applied consistently across the organization.
- [What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?](https://www.hipaajournal.com/relationship-between-hitech-hipaa-electronic-health-medical-records/) - The relationship between HITECH, HIPAA, and electronic health and medical records is primarily that certain provisions of the HITECH Act amended HIPAA to support the Meaningful Use of electronic health and medical record adoption. A second relationship between HITECH, HIPAA and electronic health and medical records is that HITECH was responsible for introducing the Breach Notification Rule into HIPAA, which changed the burden of proof for demonstrating whether or not harm had occurred following a breach of unsecured PHI.
- [HIPAA Compliance for Business Associates](https://www.hipaajournal.com/hipaa-compliance-for-business-associates/) - HIPAA compliance for business associates has acquired greater significance since the publication of proposals to align the HIPAA Security Rule more closely with HHS’ Healthcare Sector Cybersecurity Strategy – among which is a requirement for covered entities to obtain verifications from business associates that they have implemented measures to protect electronic Protected Health Information.
- [HIPAA and Video Surveillance](https://www.hipaajournal.com/hipaa-and-video-surveillance/) - Complying with HIPAA and video surveillance regulations requires careful planning to ensure that Protected Health Information captured by surveillance cameras is secured against unauthorized uses or disclosures, and that the deployment of surveillance cameras – and the data captured by them – does not violate other federal or state laws.
- [What Information Can Hospitals Give Over the Phone?](https://www.hipaajournal.com/what-information-can-hospitals-give-over-the-phone/) - What information hospitals can give over the phone depends on the purpose of the phone call, the recipient of the information, and any restrictions or authorizations in force at the time. The phone system being used can also impact what information hospitals can give over the phone.
- [HIPAA for Therapists](https://www.hipaajournal.com/hipaa-for-therapists/) - When discussing HIPAA for therapists, it is important to be aware that a therapist can be a solo covered entity, a hybrid covered entity, part of an affiliated covered entity, part of an Organized Health Care Arrangement, a business associate to a covered entity, or an employee of any of the above. Even when none of these options apply, therapists may still need to comply with HIPAA-style privacy, security, and breach notification requirements mandated by state legislation.
- [Is Google Workspace HIPAA Compliant?](https://www.hipaajournal.com/is-google-workspace-hipaa-compliant/) - Google Workspace is HIPAA compliant for services that have “included functionality”, provided HIPAA-covered organizations subscribe to a Workspace Plan that supports HIPAA compliance and configure the services to comply with the HIPAA Security Rule. To make Google Workspace HIPAA compliant, it is also necessary to agree to Google’s Business Associate Addendum (BAA) to the Terms of Service Agreement.
- [HIPAA Compliance for Self-Insured Group Health Plans](https://www.hipaajournal.com/hipaa-compliance-for-self-insured-group-health-plans/) - HIPAA compliance for self-insured group health plans – or self-administered health group plans – is a complicated area of HIPAA legislation due to the different ways in which self-insured group health plans can operate and due to potential exemptions from HIPAA compliance.
- [Patient Rights Under HIPAA](https://www.hipaajournal.com/hipaa-rights/) - Patient rights under HIPAA include the ability to access and request corrections to their health information, receive notifications about how their information is used and shared, make decisions on specific information sharing, and file complaints if they believe their rights are violated or their information is mishandled.
- [HIPAA Rules for Dentists](https://www.hipaajournal.com/hipaa-rules-for-dentists/) - The HIPAA Rules for dentists are the same as for any other healthcare provider that qualifies as a HIPAA covered entity inasmuch as, if a dentist qualifies as a HIPAA covered entity, they must comply with the applicable standards of the HIPAA Privacy, Security, and Breach Notification Rules. However, not all dentists qualify as a covered entity, and the HIPAA regulations for dental offices may not apply in every state if the state has passed a privacy law with more stringent data protection or increased patient rights.
- [Is Saying Someone Died a HIPAA Violation?](https://www.hipaajournal.com/saying-someone-died-hipaa-violation/) - In answer to the question is saying someone died a HIPAA violation, it depends on who is making the statement, who the statement is made to, and what other information is disclosed with the statement. Saying someone died can be a HIPAA violation, but – as this blog discusses – in most cases it is not.
- [What is Considered a Breach of HIPAA?](https://www.hipaajournal.com/what-is-considered-a-breach-of-hipaa/) - A breach of HIPAA is considered to be any acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information. It is important to understand what is considered a breach of HIPAA – and how breaches differ from violations of HIPAA – to avoid penalties for non-compliance with the Breach Notification Rule. 
- [HIPAA and HITECH](https://www.hipaajournal.com/hipaa-and-hitech/) - The relationship between HIPAA and HITECH began in 2009 with the American Recovery and Reinvestment Act – an Act introduced by the Obama administration to stimulate the economy by incentivizing investment in infrastructure, education, health, and renewable energy. Division A Title XIII and Division B Title IV of the American Recovery and Reinvestment Act – together known as the Health Information Technology for Economic and Clinical Health Act (HITECH) – set aside funds for the creation of a nationwide network of Health Information Exchanges and signaled the start of the Meaningful Use program.
- [How to Secure Patient Information PHI](https://www.hipaajournal.com/secure-patient-information-phi/) - To best explain how to secure patient information and PHI, it is necessary to distinguish between what is patient information and what is PHI because although HIPAA requires PHI to be secured, it does not require all patient information to be secured. The easiest way to distinguish between PHI and other patient information is to define PHI first, because any remaining patient information does not need to be secured under HIPAA – although other privacy and security laws may apply.
- [What is Texas HB300?](https://www.hipaajournal.com/what-is-texas-hb-300/) - Texas HB300 is a bill passed by the Texas legislature in 2011 that updates Chapter 181 of the Texas Health and Safety Code relating to the privacy of medical records, which preempts HIPAA where more stringent protections exist. The bill has significant implications for many organizations based in Texas – and those outside the State – that assemble, collect, analyze, use, evaluate, store, or transmit the Protected Health Information of Texas residents.
- [How Employees Can Help Prevent HIPAA Violations](https://www.hipaajournal.com/employees-prevent-hipaa-violations/) - Employees can help prevent HIPAA violations by fully understanding what PHI is, knowing when PHI can permissibly be used and disclosed, and by following their employers’ policies on the compliant use of healthcare technologies and communication devices. Employees can also help prevent HIPAA violations by reporting ongoing poor practices to a manager or compliance officer.
- [How Should You Respond to an Accidental HIPAA Violation?](https://www.hipaajournal.com/accidental-hipaa-violation/) - How you should respond to an accidental HIPAA violation depends on the nature of the accidental violation and the potential consequences. Examples of accidental HIPAA violations that would require different responses because of their nature and/or potential consequences include:
- [HIPAA Disclosure Accounting](https://www.hipaajournal.com/hipaa-disclosure-accounting/) - Section §164.528 of the Privacy Rule is better known as the HIPAA disclosure accounting standard and states that an individual has the right to know who disclosures of Protected Health Information have been made to in the past six years. However, there are so many exceptions to this standard, it is difficult to know what is left to account for.
- [How To Become HIPAA Compliant](https://www.hipaajournal.com/become-hipaa-compliant/) - One of the simplest ways to become HIPAA compliant is to adapt HHS’ “The Seven Fundamentals of an Effective Compliance Program” to address compliance challenges identified in a HIPAA risk assessment. Thereafter, it can be beneficial to take advantage of HIPAA compliance software in order to maintain a compliant workplace.
- [What is a HIPAA Compliant Home Office?](https://www.hipaajournal.com/hipaa-compliant-home-office/) - A HIPAA compliant home office is a working environment set up to support HIPAA compliance and safeguard the privacy and security of Protected Health Information when a covered entity, business associate, or a member of either’s workforce works from home. Because of the different functions that can be performed from – and services that can be provided by – a home office, the requirements for HIPAA compliance can vary considerably.
- [What Is A HIPAA Audit Checklist?](https://www.hipaajournal.com/hipaa-audit-checklist/) - A HIPAA audit checklist is a document covered entities and business associates should use to audit compliance with the standards of the HIPAA Administrative Simplification Regulations applicable to their operations.
- [The Benefits Of Healthcare Compliance Software](https://www.hipaajournal.com/healthcare-compliance-software/) - Healthcare compliance software is a comprehensive management tool that helps chief compliance officers to effectively oversee compliance efforts across their organization’s facilities, by proactively managing risk, streamlining workflows, improving collaboration, and demonstrating the achievement of compliance objectives to stakeholders.
- [Is Gossip a HIPAA Violation?](https://www.hipaajournal.com/is-gossip-a-hipaa-violation/) - Gossip can be a HIPAA violation – potentially resulting in a sanction for the gossiper – depending on who is gossiping, who they are gossiping about, and what the content of the gossip is. It is important to know under what circumstances gossip is a HIPAA violation because, when a violation occurs, there could be significant consequences for everyone.
- [Removing Medical Collections from a Credit Report with Help from HIPAA](https://www.hipaajournal.com/removing-medical-collections-from-credit-report-hipaa/) - Due to the complexity of medical billing, human error, and medical ID theft, it is not unusual for “allegedly” unpaid medical bills to appear on a credit report – potentially impacting individuals’ access to credit, employment, and housing. However, recent changes to credit reporting regulations and industry practices have made removing medical collections from a credit report easier – and HIPAA can help with the process.
- [HIPAA Risk Assessment](https://www.hipaajournal.com/hipaa-risk-assessment/) - A HIPAA risk assessment assesses threats to the privacy and security of PHI, the likelihood of a threat occurring, and the potential impact of each threat so it is possible to determine whether existing policies, procedures, and security mechanisms are adequate to reduce risks and vulnerabilities to a reasonable and appropriate level.    
- [Understanding the HIPAA Medical Records Destruction Rules](https://www.hipaajournal.com/medical-records-destruction-rules/) - The HIPAA medical records destruction rules relate to the safeguards covered entities and business associates must implement to ensure Protected Health Information and electronic Protected Health Information is disposed of compliantly. The HIPAA medical records destruction rules have no impact on state requirements for retaining medical records – which can be much longer than the HIPAA document retention requirements.
- [HIPAA Retention Requirements](https://www.hipaajournal.com/hipaa-retention-requirements/) - The HIPAA retention requirements are that certain types of documents must be maintained for six years from the date of their creation or from the date on which they were last in effect, whichever is later. The reason why it is necessary to clarify which documents should be retained is to prevent confusion between the HIPAA retention requirements and state medical record retention requirements.
- [Is a HIPAA Violation Grounds for Termination?](https://www.hipaajournal.com/hipaa-violation-grounds-for-termination/) - A HIPAA violation can be grounds for termination depending on the nature of the violation, the consequences of the violation, the employee’s prior compliance history, and the sanctions policy of the employer.
- [Why is HIPAA Important?](https://www.hipaajournal.com/why-is-hipaa-important/) - HIPAA is important because, due to the passage of the Health Insurance Portability and Accountability Act, the Department of Health and Human Services was able to develop standards that protect the privacy of individually identifiable health information and the confidentiality, integrity, and availability of electronic Protected Health Information.
- [Can E-Signatures Be Used Under HIPAA Rules?](https://www.hipaajournal.com/can-e-signatures-be-used-under-hipaa-rules-2345/) - E-signatures can be used under HIPAA Rules provided mechanisms are put in place to ensure the authenticity of the signatory, to ensure the contract, document, agreement, or authorization signed with a digital signature meets legal compliance requirements, and to ensure that any PHI contained within the document is protected from unauthorized access and disclosure. 
- [What Are Covered Entities Under HIPAA?](https://www.hipaajournal.com/covered-entities-under-hipaa/) - Covered entities under HIPAA are individuals, institutions, or organizations that transmit protected health information electronically in transactions for which the Department of Health and Human Services (HHS) has adopted standards.
- [De-identification of Protected Health Information: How to Anonymize PHI](https://www.hipaajournal.com/de-identification-protected-health-information/) - The de-identification of Protected Health Information enables covered entities and business associates to use or disclose health information to third parties for any purpose without being restricted by the requirements of the HIPAA Privacy Rule. However, it is important to be aware that other laws may apply to uses and disclosures of de-identified health information.
- [Does HIPAA Apply to Spouses?](https://www.hipaajournal.com/does-hipaa-apply-to-spouses/) - HIPAA does not apply to spouses inasmuch as spouses are not required to ensure the privacy of Protected Health Information disclosed to them by a partner or by a member of a covered entity’s workforce. However, HIPAA applies to when Protected Health Information can be disclosed to spouses, partners, and other family members.  
- [HIPAA Compliance for Nurses](https://www.hipaajournal.com/hipaa-compliance-for-nurses/) - Generally, HIPAA compliance for nurses is considered to mean adhering to policies and procedures developed by an organization’s HIPAA Privacy Officer and applying the best practices of security awareness training provided by an organization’s HIPAA Security Officer. However, sometimes it is necessary to do more than provide basic training to help nurses work compliantly.
- [Is It a HIPAA Violation to Send to Collections?](https://www.hipaajournal.com/is-it-a-hipaa-violation-to-send-to-collections/) - It is not a HIPAA violation to send to collections provided the minimum necessary Protected Health Information is disclosed and – if using an external collection agency – a Business Associate Agreement is in place with the collection agency. However, before sending medical bills to collections, it is important to consider state and local laws relating to medical debt relief. 
- [HIPAA Policies and Procedures](https://www.hipaajournal.com/hipaa-policies-and-procedures/) - HIPAA policies and procedures are “work rules” healthcare organizations must implement and regularly update to ensure the confidentiality, integrity, and availability of Protected Health Information – addressing areas such as the privacy of individually identifiable health information, patient rights, data protection, staff training, and security incident responses. 
- [The HIPAA Minimum Necessary Rule Standard](https://www.hipaajournal.com/ahima-hipaa-minimum-necessary-standard-3481/) - The HIPAA minimum necessary rule standard applies to uses and disclosures of PHI that are permitted under the HIPAA Privacy Rule, including the accessing of PHI by healthcare professionals and disclosures to business associates and other covered entities. The standard also applies to requests for protected health information from other HIPAA covered entities.
- [Does HIPAA Apply to Schools?](https://www.hipaajournal.com/does-hipaa-apply-to-schools/) - HIPAA applies to schools in certain circumstances, such as when a school is a private school, when it provides medical services to the public, or when an unattached healthcare professional provides vaccination services to students.
- [What is the HHS OIG Exclusions List?](https://www.hipaajournal.com/hhs-oig-exclusions-list/) - Healthcare providers participating in federal healthcare programs are advised to regularly check the HHS OIG Exclusions List to avoid penalties for non-compliance with §1128 of the Social Security Act.
- [HIPAA Notice of Privacy Practices](https://www.hipaajournal.com/hipaa-notice-of-privacy-practices/) - A HIPAA Notice of Privacy Practices is a document provided to patients on first contact, and to health plan members on enrollment, that outlines how a HIPAA covered entity can use or disclose Protected Health Information (PHI) and the rights individuals have to obtain copies of their PHI. The Notice must also include the contact details for an individual who can answer questions or to whom complaints can be made.
- [Who Does HIPAA Apply To?](https://www.hipaajournal.com/who-does-hipaa-apply-to/) - HIPAA applies to everyone as individuals inasmuch as everyone has personally identifiable health information that they have the right to inspect and request corrections when errors or omissions exist. HIPAA can also apply to certain types of organization depending on which section of HIPAA you review.  
- [HIPAA Guidelines on Telemedicine](https://www.hipaajournal.com/hipaa-guidelines-on-telemedicine/) - The HIPAA guidelines on telemedicine start with preparing for the remote delivery of healthcare by auditing procedures, analyzing risks, training healthcare professionals, and entering into Business Associate Agreements with the vendors of communication services. Thereafter, procedures must be developed for verifying patient identities and obtaining consent where necessary, and for securing PHI collected or disclosed in patient encounters.
- [Is ChatGPT HIPAA Compliant?](https://www.hipaajournal.com/is-chatgpt-hipaa-compliant/) - ChatGPT is not HIPAA compliant and cannot be used to (for example) summarize patients’ notes or compile letters to patients that include Protected Health Information because OpenAI – the developer of ChatGPT – will not enter into a Business Associate Agreement with covered entities and business associates. However, there are ways to use ChatGPT in compliance with HIPAA.
- [What to Do if You Discover a HIPAA Violation in the Workplace](https://www.hipaajournal.com/hipaa-violation-in-the-workplace/) - If you discover a HIPAA violation in the workplace, what you should do depends on the nature of the violation, whether or not unsecured PHI has been impermissibly disclosed, and what the potential consequences are.
- [HIPAA Exceptions](https://www.hipaajournal.com/hipaa-exceptions/) - The text of the Healthcare Insurance Portability and Accountability Act is full of HIPAA exceptions – adding to the complexity of complying with the Act and often resulting in organizations and public agencies applying far more stringent restrictions than necessary. 
- [What is HIPAA Authorization?](https://www.hipaajournal.com/what-is-hipaa-authorization/) - A HIPAA authorization is a form that must be completed by a patient or a health plan member when a covered entity wishes to use or disclose PHI for a purpose not permitted by the HIPAA Privacy Rule. The failure to obtain a valid HIPAA authorization is considered a serious violation of HIPAA compliance.
- [Is Texting in Violation of HIPAA?](https://www.hipaajournal.com/texting-violation-hipaa/) - There are many factors that determine whether a message sent via a text service is texting in violation of HIPAA.
- [How to Report a HIPAA Violation](https://www.hipaajournal.com/report-hipaa-violation/) - How you report a HIPAA violation varies depending on the nature of the violation and whether you are a member of the public, a member of a covered entity’s workforce, or a covered entity. There are also various channels for reporting a HIPAA violation. These channels include the Privacy Officer at the organization where the violation occurred, your State Attorney General, and HHS’ Office for Civil Rights.
- [What is Considered Protected Health Information Under HIPAA?](https://www.hipaajournal.com/what-is-considered-protected-health-information-under-hipaa/) - Health, treatment, or payment information, and any identifiers maintained with this information, is considered Protected Health Information under HIPAA if the information is created, received, maintained, or transmitted by a “covered entity” or by a “business associate”.
- [What Happens if a Nurse Violates HIPAA?](https://www.hipaajournal.com/what-happens-nurse-violates-hipaa/) - What happens if a nurse violates HIPAA depends on the nature of the violation, the consequences of the violation, the nurse’s previous compliance history, and the content of the Covered Entity’s sanctions policy.
- [HIPAA Business Associate Agreement](https://www.hipaajournal.com/hipaa-business-associate-agreement/) - A HIPAA Business Associate Agreement is most often a contract between a HIPAA covered entity and a business or individual that performs certain functions or activities on behalf of, or provides a service to, the covered entity when the function, activity, or service involves the creation, receipt, maintenance, or transmission of Protected Health Information (PHI) by the business or individual.
- [The HIPAA Password Requirements and the Best Way to Comply With Them](https://www.hipaajournal.com/hipaa-password-requirements/) - The HIPAA password requirements are a combination of Administrative and Technical Safeguards designed to manage and monitor access to PHI.
- [What is Considered PHI Under HIPAA?](https://www.hipaajournal.com/considered-phi-hipaa/) - Under HIPAA PHI is considered to be an individual’s health, treatment, and payment information, and any further information maintained in the same designated record set that could identify the individual or be used with other information in the record set to identify the individual.
- [What is a HIPAA Violation?](https://www.hipaajournal.com/what-is-a-hipaa-violation/) - A HIPAA violation is any failure to comply with the HIPAA regulations – which can include the unauthorized access, use, or disclosure of Protected Health Information (PHI), the failure to provide patients with access to their PHI, a lack of safeguards to protect PHI, the failure to conduct regular risk assessments, or insufficient workforce training on the HIPAA rules.
- [What is HIPAA Certification?](https://www.hipaajournal.com/what-is-hipaa-certification/) - HIPAA certification is the process in which an independent third party organization audits a medical organization or practice to certify and confirm that the physical, technical, and administrative safeguards required for HIPAA compliance have been met, with the award of a formal document that signals the completion of a HIPAA compliance process.
- [HIPAA And Social Media Guidelines](https://www.hipaajournal.com/hipaa-social-media/) - The most important rule for any HIPAA and social media guidelines is that social media content must NEVER include Protected Health Information (PHI). This must be front and center of any HIPAA compliance policy.
- [Is Telling a Story about a Patient a HIPAA Violation?](https://www.hipaajournal.com/is-telling-a-story-about-a-patient-a-hipaa-violation/) - Whether telling a story about a patient is a HIPAA violation depends on who is telling the story, why the story is being told, what information about the patient is revealed in the story, and whether a patient has authorized a disclosure of PHI or exercised their right to restrict disclosures. 
- [HIPAA Privacy Rule](https://www.hipaajournal.com/hipaa-privacy-rule/) - The HIPAA Privacy Rule provides a federal floor of privacy standards that protects individuals’ health information and other identifying information by limiting the permissible uses and disclosure of such information by “covered entities” and “business associates” without authorization. The HIPAA Privacy Rule also gives individuals the rights to control how their health information is used and disclosed, to request copies of information maintained about them, and request corrections when omissions or errors exist.
- [Can Medical Records be Subpoenaed?](https://www.hipaajournal.com/can-medical-records-be-subpoenaed/) - Medical records can be subpoenaed because every type of record can be subpoenaed, and a more relevant question would be “how should healthcare providers respond to a subpoena for medical records”?
- [What is the HITECH Act?](https://www.hipaajournal.com/what-is-the-hitech-act/) - The Health Information Technology for Economic and Clinical Health Act or HITECH Act is the part of the American Recovery and Reinvestment Act of 2009 that incentivized the meaningful use of EHRs and strengthened the privacy and security provisions of HIPAA. Among other measures, the HITECH Act extended the reach of HIPAA to business associates of covered entities, who were now accountable for failures of HIPAA compliance. The Act also introduced tougher penalties for violations of HIPAA.
- [HIPAA History](https://www.hipaajournal.com/hipaa-history/) - Our HIPAA history lesson starts on August 21, 1996, when the Healthcare Insurance Portability and Accountability Act (HIPAA) was signed into law. HIPAA was created to “improve the portability and accountability of health insurance coverage” and the Act introduced a number of measures to ensure the continuity of coverage between jobs, guarantee coverage for employees with pre-existing conditions, and prevent “job lock” – a scenario in which plan members stayed in a job to avoid losing health benefits.
- [The 10 Most Common HIPAA Violations You Should Avoid](https://www.hipaajournal.com/common-hipaa-violations/) - HIPAA violations most often occur when covered entities, business associates, or members of either’s workforces fail to comply with the HIPAA Privacy, Security, or Breach Notification Rules.
- [Does HIPAA Apply to Employers?](https://www.hipaajournal.com/does-hipaa-apply-to-employers/) - HIPAA applies to employers in certain circumstances and, although HIPAA does not protect individually identifiable health information maintained by a covered entity in its role as an employer, it is important for employers to understand in what circumstances HIPAA applies in order to avoid HIPAA violations. Employers also need to ensure that their workforces receive the necessary training to understand whether or not health data collected and maintained by their employer is protected by the HIPAA Privacy Rule.
- [What Happens if You Break HIPAA Rules?](https://www.hipaajournal.com/what-happens-if-you-break-hipaa-rules/) - What happens if you break HIPAA Rules depends on whether you are a covered entity or business associate, or a member of either’s workforce. If the former, you may be liable for sanctions issued by HHS’ Office for Civil Rights, State Attorneys General, and/or the Federal Trade Commission. If the latter, the consequences depend on the content of your employer’s HIPAA sanctions policy.
- [Can A Patient Sue for A HIPAA Violation?](https://www.hipaajournal.com/sue-for-hipaa-violation/) - A patient can sue for a HIPAA violation – and there are an increasing number of class action suits over breaches of protected health information – although not under HIPAA itself. HIPAA contains no private cause of action, so a patient cannot sue directly for a HIPAA violation under HIPAA; such suits are brought under state law or other legal theories.
- [Can Doctors Share Patient Information with Other Doctors?](https://www.hipaajournal.com/can-doctors-share-patient-information-with-other-doctors/) - Doctors can share patient information with other doctors provided the disclosure complies with the HIPAA Privacy Rule – and a Business Associate Agreement is entered into when required – and provided the patient information is not restricted by the patient or subject to HIPAA’s authorization requirements.
- [HIPAA Continuity of Care](https://www.hipaajournal.com/hipaa-continuity-of-care/) - HIPAA continuity of care is when ongoing care is provided within a healthcare organization or Organized Health Care Arrangement, or when care is provided by multiple healthcare organizations following HHS guidance on minimum necessary disclosures. Whereas the HIPAA Privacy Rule appears to allow disclosures of PHI for continuity of care and care coordination, HHS’ guidance implies disclosures of PHI between covered entities must be kept to the minimum necessary amount.  
- [What are the HIPAA Breach Notification Requirements?](https://www.hipaajournal.com/hipaa-breach-notification-requirements/) - The HIPAA breach notification requirements are that HHS’ Office for Civil Rights and individuals whose unsecured Protected Health Information (PHI) has been exposed must be notified within a specified timeframe. Different timeframes apply for notifying HHS’ Office for Civil Rights depending on the number of individuals affected, so it is important that covered entities develop a breach response plan to ensure notifications of breaches of unsecured PHI are made in a timely manner.
- [HIPAA Compliance for Pharmacies](https://www.hipaajournal.com/hipaa-compliance-for-pharmacies/) - HIPAA compliance for pharmacies can consist of compliance with all the HIPAA Administrative Simplification Regulations in addition to the HIPAA Privacy, Security, and Breach Notification Rules depending on a pharmacy’s activities. Many pharmacy activities may also be subject to more stringent laws than HIPAA – in which case it will be necessary to implement measures beyond those required by HIPAA.
- [HIPAA Compliance for Counselors](https://www.hipaajournal.com/hipaa-compliance-for-counselors/) - The responsibility for HIPAA compliance for counselors in the healthcare industry can vary depending on a counselor’s HIPAA status and whether a practice is part of a managed care organization – in which case, the structure of the managed care organization can determine who is responsible for HIPAA compliance. 
- [HIPAA Compliance for Psychologists](https://www.hipaajournal.com/hipaa-compliance-for-psychologists/) - In most cases, HIPAA compliance for psychologists consists of complying with all applicable HIPAA Administrative Simplification Regulations when a psychologist is a qualifying sole practitioner or in charge of a qualifying practice, or complying with an organization’s HIPAA policies and procedures when a psychologist is a member of a HIPAA covered organization’s workforce. 
- [What is a HIPAA Security Incident?](https://www.hipaajournal.com/what-is-a-hipaa-security-incident/) - A HIPAA security incident is an event that threatens the confidentiality, integrity, or availability of electronic Protected Health Information (PHI) regardless of whether the event is successful or not. It is important that all security incidents are tracked and reviewed to identify potential weaknesses in security defenses. 
- [HIPAA Compliance for Psychiatrists](https://www.hipaajournal.com/hipaa-compliance-for-psychiatrists/) - The nature of HIPAA compliance for psychiatrists can vary depending on whether a psychiatrist is a sole practitioner that qualifies as a HIPAA covered entity, a unit within a managed care organization, part of an affiliated entity, a hybrid entity, a business associate, or a member of a HIPAA covered organization’s workforce. 
- [5 HIPAA Compliance Examples](https://www.hipaajournal.com/hipaa-compliance-examples/) - Although a search for HIPAA compliance examples most often returns results listing HIPAA violations, if you look deep enough it is possible to find multiple examples of HIPAA compliance, workplaces designed to support HIPAA compliance, and policies that explain why compliance with HIPAA is important. 
- [HIPAA Compliance for Dentists](https://www.hipaajournal.com/hipaa-compliance-for-dentists/) - HIPAA compliance for dentists consists of complying with the applicable standards of the HIPAA Administrative Simplifications Regulations, state regulations with stronger protections than HIPAA, and any compliance requirements attributable to the operational setup. It is important for dentists to be aware of their HIPAA “status”, understand who within the organization is responsible for HIPAA compliance, and ensure all dental practice workers comply with HIPAA privacy and security policies and procedures.
- [How to Report a HIPAA Violation Anonymously](https://www.hipaajournal.com/how-to-report-a-hipaa-violation-anonymously/) - There are ways you can report a HIPAA violation anonymously but, due to the risk your anonymous report may be dismissed by HHS’ Office for Civil Rights, it is a better option to include your name and contact details and request they are not revealed to the organization you are complaining about. Alternatively, you may be able to report a HIPAA violation anonymously to a different agency, or directly to the organization at which the violation occurred.
- [What is a Limited Data Set Under HIPAA?](https://www.hipaajournal.com/limited-data-set-under-hipaa/) - A limited data set under HIPAA is a set of identifiable healthcare information that the HIPAA Privacy Rule permits covered entities to share with certain entities for research purposes, public health activities, and healthcare operations without obtaining prior authorization from patients, if certain conditions are met.
- [What is Individually Identifiable Health Information?](https://www.hipaajournal.com/individually-identifiable-health-information/) - Individually identifiable health information is information relating to an individual’s past, present, or future health condition, treatment for the condition, and payment for the treatment that identifies the individual or that could be used to identify the individual. It is important to be aware that information that could be used to identify an individual is not always Protected Health Information (PHI).
- [HIPAA Compliance and Medical Records](https://www.hipaajournal.com/hipaa-compliance-and-medical-records/) - HIPAA compliance and medical records security go hand in hand because even a single medical record qualifies as a designated record set which is subject to the privacy and security protections of HIPAA.
- [What is the Purpose of HIPAA?](https://www.hipaajournal.com/purpose-of-hipaa/) - The purpose of HIPAA was originally to ensure more employees could continue to receive health insurance coverage when they were between jobs and would not be discriminated against for pre-existing conditions. Due to the costs that would be incurred by health plans – and concerns these may be passed on to plan members and employers – Congress added a second Title to the Act to combat fraud and abuse of the healthcare insurance system. 
- [What Does HIPAA Stand For?](https://www.hipaajournal.com/what-does-hipaa-stand-for/) - The acronym HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, an Act that led to the development of standards for the privacy of Protected Health Information. Few articles discussing what HIPAA stands for explain how a bill with the objective of reforming the health insurance industry evolved into an act of legislation that now controls how healthcare data is safeguarded.
- [HIPAA Security Officer](https://www.hipaajournal.com/hipaa-security-officer/) - All covered entities and business associates are required by 45 CFR 164.308 – the Administrative Safeguards of the HIPAA Security Rule – to identify a HIPAA Security Officer who is responsible for the development and implementation of policies and procedures to ensure the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). The role of HIPAA Security Officer is often assigned to an IT Manager due to the perception that securing ePHI is an IT issue. However, this is not necessarily the case.
- [HIPAA Compliance Software](https://www.hipaajournal.com/hipaa-compliance-software/) - The purpose of HIPAA compliance software is to provide a framework to guide a HIPAA-covered entity or business associate through the process of becoming HIPAA-compliant and ensuring continued compliance with HIPAA and HITECH Act Rules.
- [What is Protected Health Information?](https://www.hipaajournal.com/what-is-protected-health-information/) - Protected Health Information is an individual’s health, treatment, or payment for treatment information – and any information maintained in the same data set that could identify the individual – when the information is maintained or transmitted by an organization covered by HIPAA.
- [The HIPAA Conduit Exception Rule and Transmission of PHI](https://www.hipaajournal.com/hipaa-conduit-exception-rule/) - The HIPAA Conduit Exception Rule applies to organizations that would normally be considered business associates, but who are exempted from complying with HIPAA because they only have transient access to PHI. For the benefit of HIPAA compliance, it is important to understand the difference between transient access, persistent access, and no view access.
- [HIPAA Explained](https://www.hipaajournal.com/hipaa-explained/) - Our HIPAA explained article provides information about the Health Insurance Portability and Accountability Act (HIPAA) and the Administrative Simplification Regulations – which include the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule.   
- [HIPAA Compliance Logo](https://www.hipaajournal.com/hipaa-compliance-logo/) - The HIPAA logo is closely associated with respecting patient privacy. A HIPAA covered entity can use a HIPAA compliance logo to indicate to patients that their rights under HIPAA are respected. There is no official HIPAA logo, so The HIPAA Journal has developed a number of logos that can be used by HIPAA Covered Entities to show patients that they care about patient rights and comply with HIPAA. The objective is to promote HIPAA awareness among patients.
- [The 7 HIPAA Compliance Rules for Covered Entities](https://www.hipaajournal.com/hipaa-compliance-rules/) - The 7 HIPAA compliance rules for covered entities are the rules within the HIPAA Administrative Simplification Regulations that covered entities must comply with, ensure compliance with by members of the workforce, and oversee compliance with when services are contracted out – or Protected Health Information is disclosed – to business associates and other third parties.
- [What are HIPAA EDI Transactions?](https://www.hipaajournal.com/hipaa-edi-transactions/) - HIPAA EDI transactions are Electronic Data Interchange transactions between healthcare providers and health plans that comply with the standards adopted by the Secretary for Health and Human Services in Part 162 of the HIPAA Administrative Simplification Regulations. The failure to comply with the standards for HIPAA EDI transactions can have significant consequences. 
- [Is Acuity HIPAA Compliant?](https://www.hipaajournal.com/is-acuity-hipaa-compliant/) - Acuity is HIPAA compliant for covered entities and business associates that subscribe to a HIPAA-enabled Powerhouse or Enterprise account, configure the account to support HIPAA compliance, and disable non-compliant integrations and services. Depending on whether and how payments are accepted via Acuity, it may also be necessary to change payment processors.
- [Examples of PHI in Healthcare](https://www.hipaajournal.com/examples-of-phi-in-healthcare/) - Examples of PHI in healthcare include any individually identifiable health information maintained by a covered entity or business associate that relates to an individual’s health condition, treatment for a health condition, or payment for treatment. Non-health information assumes the same protections as PHI only when it is maintained in the same designated record set as PHI.
- [Is Freshworks Helpdesk HIPAA Compliant?](https://www.hipaajournal.com/is-freshworks-helpdesk-hipaa-compliant/) - Freshworks Helpdesk is HIPAA compliant and can be used to create, receive, store, or transmit Protected Health Information, but only if an organization subscribes to an Enterprise plan and complies with Freshworks’ mandatory configuration specifications. It will also be necessary to implement a “secure operating environment” if utilizing the Freshchat capability.
- [What is a HIPAA Compliant Video Chat?](https://www.hipaajournal.com/hipaa-compliant-video-chat/) - A HIPAA compliant video chat is an online, face-to-face conversation with a person – or persons – who it is permitted to disclose Protected Health Information to, and that is conducted via a platform that supports HIPAA compliance and in a manner that is HIPAA compliant. However, exceptions to this definition may exist for a variety of reasons. 
- [HIPAA Compliant Computer Disposal](https://www.hipaajournal.com/hipaa-compliant-computer-disposal/) - The requirement for HIPAA compliant computer disposal applies to any electronic device that is used to create, receive, maintain, transmit or access electronic Protected Health Information (ePHI), and any electronic media on which ePHI has been stored. However, although the HIPAA Security Rule states what the requirement is, guidance to support compliance with the requirement is long out of date.
- [What is the CCPA HIPAA Exemption?](https://www.hipaajournal.com/ccpa-hipaa-exemption/) - The CCPA HIPAA exemption consists of two clauses in the California Consumer Privacy Act that exempt HIPAA covered entities from complying with the Act and the subsequent amendments enacted by the California Privacy Rights Act. The CCPA HIPAA exemption also applies to business associates in respect of Protected Health Information created, received, maintained, or transmitted by a business associate on behalf of a covered entity.
- [What are the Physical Safeguards of HIPAA’s Security Rule?](https://www.hipaajournal.com/physical-safeguards-of-hipaas-security-rule/) - The Physical Safeguards of HIPAA’s Security Rule are the standards and implementation specifications that must be applied when applicable "to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion."
- [Is iMessage HIPAA Compliant?](https://www.hipaajournal.com/is-imessage-hipaa-compliant/) - iMessage is not HIPAA compliant and should not be used to communicate Protected Health Information (PHI) because iMessages are backed up to iCloud, whose Terms of Service prohibit the creation, receipt, storage, or transmission of PHI. This means it is not possible to accommodate “reasonable requests” to receive communications containing PHI via iMessage.
- [What is a HIPAA Power of Attorney?](https://www.hipaajournal.com/hipaa-power-of-attorney/) - A HIPAA Power of Attorney is most often an authorization granting a member of an individual’s family access to the individual’s Protected Health Information in order to make healthcare and payment decisions on behalf of the individual. Different procedures may apply depending on the terminology used in the authorization, the individual’s wishes, state laws, and the circumstances in which the HIPAA Power of Attorney is triggered.
- [Is eFax HIPAA Compliant?](https://www.hipaajournal.com/efax-hipaa-compliant/) - eFax is HIPAA compliant for covered entities and business associates that subscribe to a qualifying eFax account, enter into a Business Associate Agreement, and configure the service to support HIPAA compliance. However, due to concerns about the vendor’s HIPAA knowledge and messaging, this may not be the most suitable electronic fax solution for all organizations.
- [What Does HIPAA Compliance Mean?](https://www.hipaajournal.com/what-does-hipaa-compliance-mean/) - HIPAA compliance means complying with all applicable standards, requirements, and implementation specifications of the HIPAA Administrative Simplification Regulations in order to safeguard the privacy of Protected Health Information (PHI) and ensure the confidentiality, integrity, and availability of PHI created, received, maintained, or transmitted electronically.
- [What is the Definition of HIPAA?](https://www.hipaajournal.com/definition-of-hipaa/) - The definition of HIPAA is that the Health Insurance Portability and Accountability Act of 1996 was passed by Congress to reform the health insurance industry and ensure workers could maintain health coverage when they change or lose their jobs. “Healthcare HIPAA” resulted from efforts to mitigate the cost of the reforms and prevent a decline in tax revenues.
- [Is Grammarly HIPAA Compliant?](https://www.hipaajournal.com/is-grammarly-hipaa-compliant/) - Grammarly is HIPAA compliant and can be used with other compliant content creation tools to write, share, and send content that contains Protected Health Information – provided covered entities subscribe to a Business Enterprise plan with a minimum of 100 seats. Unfortunately, this is the only subscription option for which Grammarly will enter into a Business Associate Agreement.
- [What are PII Encryption Requirements?](https://www.hipaajournal.com/pii-encryption-requirements/) - PII encryption requirements exist when federal, state, or industry regulations mandate the use of encryption to protect the confidentiality of Personally Identifiable Information at rest and/or in transit. When no such regulations exist, it is still advisable to encrypt PII to ensure it is undecipherable in the event it is disclosed to or accessed by an unauthorized party.
- [Is WeTransfer HIPAA Compliant?](https://www.hipaajournal.com/is-wetransfer-hipaa-compliant/) - WeTransfer is not HIPAA compliant and cannot be used to upload and send or receive files that include Protected Health Information – even if the service is used inside a HIPAA compliant file sharing service. However, there are several HIPAA-compliant alternatives to WeTransfer that organizations can use to securely transmit large files – albeit not so quickly, and not for free.
- [Is Microsoft Forms HIPAA Compliant?](https://www.hipaajournal.com/is-microsoft-forms-hipaa-compliant/) - Microsoft Forms is HIPAA compliant inasmuch as the app is an in-scope service included in Office 365 and Microsoft 365 subscriptions that support HIPAA compliance. However, due to a reported issue with the form footer, Microsoft Forms is not an effective option for collecting Protected Health Information. 
- [HIPAA Compliance Tools](https://www.hipaajournal.com/hipaa-compliance-tool/) - HIPAA compliance tools are used as part of the HIPAA compliance process, for example, forms and notices, and to measure HIPAA compliance, for example, assessment tools or checklists that guide covered entities and business associates through the basics of HIPAA compliance.
- [PHI vs PII: What is the Difference in Healthcare?](https://www.hipaajournal.com/phi-vs-pii/) - Any analysis of PHI vs PII has to take into account there are multiple definitions of Personally Identifiable Information (PII) depending on the context of the definition and the source of the definition. For this reason, this analysis of PHI vs PII focuses on the difference between the two acronyms in the healthcare industry only.
- [What Does the HIPAA Security Rule Cover?](https://www.hipaajournal.com/what-does-the-hipaa-security-rule-cover/) - The HIPAA Security Rule covers a subset of individually identifiable health information protected by the Privacy Rule and it applies when Protected Health Information is created, received, stored, or transmitted electronically. In such circumstances, the subset of information covered by the HIPAA Security Rule is referred to as electronic Protected Health Information or ePHI.
- [HIPAA Compliant Appointment Reminders](https://www.hipaajournal.com/hipaa-compliant-appointment-reminders/) - HIPAA compliant appointment reminders are communications with patients that must take into account any consent requirements or privacy restrictions and the channel of communication being used to remind the patient of the appointment. In addition to complying with HIPAA, appointment reminders must also comply with FCC regulations.
- [What is ePHI?](https://www.hipaajournal.com/ephi/) - In HIPAA, ePHI stands for electronic Protected Health Information – data related to an individual’s health condition, treatment for the condition, or payment for the treatment which is created, received, stored, or transmitted electronically. To fully understand this definition of electronic Protected Health Information (ePHI), it is also necessary to understand what HIPAA is, who it applies to, and what is considered Protected Health Information.
- [Are Fingerprints PII?](https://www.hipaajournal.com/are-fingerprints-pii/) - Fingerprints are personally identifiable information (PII) inasmuch as they can be used to identify an individual, and they can enhance security when used for biometric authentication via fingerprint scanners and touch sensors. However, unlike a password, a fingerprint cannot be changed: if fingerprint data is compromised, the impact on the individuals whose PII has been breached is permanent.
- [What is HIPAA?](https://www.hipaajournal.com/what-is-hipaa/) - HIPAA is an acronym for the Health Insurance Portability and Accountability Act – an Act primarily intended to reform the health insurance industry which also led to the adoption of federal standards for safeguarding patients’ “Protected Health Information” (PHI) and ensuring the confidentiality, integrity, and availability of PHI created, maintained, processed, transmitted, or received electronically (ePHI).
- [Does HIPAA Apply to Animals?](https://www.hipaajournal.com/does-hipaa-apply-to-animals/) - HIPAA does apply to animals if details of an animal could be used to identify the subject of Protected Health Information maintained in the same designated record set by a covered entity or business associate. However, HIPAA does not apply to animals in all other circumstances – including when details of animals are maintained in a veterinary medical record.
- [Is Grasshopper HIPAA Compliant?](https://www.hipaajournal.com/is-grasshopper-hipaa-compliant/) - Grasshopper is not HIPAA compliant because its virtual phone system communicates with users’ devices via existing communication services over which Grasshopper has no control. Consequently, Grasshopper is unable to comply with the Security Rule standards necessary to provide a HIPAA compliant service as a business associate.
- [What is the Difference between FERPA and HIPAA?](https://www.hipaajournal.com/difference-between-ferpa-and-hipaa/) - The main difference between FERPA and HIPAA is that FERPA applies to most student health records maintained by or on behalf of an educational institution that receives federal funding, while HIPAA excludes student health records maintained by a FERPA covered organization from the definition of Protected Health Information. However, there are cases in which educational institutions may be covered by both sets of regulations.
- [Is Windows 11 HIPAA Compliant?](https://www.hipaajournal.com/windows-11-hipaa-compliant/) - Windows 11 is HIPAA compliant inasmuch as the operating system has the underlying security and administrative capabilities to support HIPAA compliance. In addition, Microsoft has confirmed that its in-scope cloud platforms and services are covered by the Microsoft Business Associate Agreement when used on a device running Windows 11.
- [What Should a HIPAA Sanctions Policy Consist Of?](https://www.hipaajournal.com/hipaa-sanctions-policy/) - A HIPAA sanctions policy should consist of appropriate sanctions against workforce members who fail to comply with privacy and security policies and procedures, or who fail to comply with the Privacy or Breach Notification Rules. However, the HIPAA Rules do not require regulated entities to impose any specific types of sanctions or implement any particular sanction methodology.
- [Is GroupMe HIPAA Compliant?](https://www.hipaajournal.com/groupme-hipaa-compliant/) - GroupMe is not HIPAA compliant and cannot be used to create, collect, store, or transmit Protected Health Information due to its lack of Technical Safeguards. In addition, GroupMe’s owners – Microsoft – will not enter into a Business Associate Agreement with users of the GroupMe service as it is not an “in-scope” service.
- [Is Airtable HIPAA Compliant?](https://www.hipaajournal.com/is-airtable-hipaa-compliant/) - Airtable is HIPAA compliant for covered entities and business associates who subscribe to an Enterprise Scale plan and enter into a Business Associate Agreement with Airtable. However, covered entities and business associates are advised that limitations apply to how Airtable can be used in compliance with HIPAA.
- [What is the Civil Penalty for Knowingly Violating HIPAA?](https://www.hipaajournal.com/civil-penalty-for-knowingly-violating-hipaa/) - The civil penalty for knowingly violating HIPAA falls between $13,785 and $68,928 per violation depending on whether or not the cause of the violation is corrected within 30 days (i.e., a Tier 3 or Tier 4 violation). The civil penalty for knowingly violating HIPAA can also be influenced by an organization’s prior compliance history and its cooperation during a HIPAA compliance investigation.
- [Who is Responsible for Enforcing the HIPAA Security Rule?](https://www.hipaajournal.com/responsible-for-enforcing-the-hipaa-security-rule/) - Parties responsible for enforcing the HIPAA Security Rule include HHS’ Office for Civil Rights, other federal and state agencies, and organizations’ HIPAA Privacy Officers. HHS’ Centers for Medicare and Medicaid Services (CMS) may also soon be indirectly responsible for enforcing the HIPAA Security Rule if compliance with HHS’ Healthcare Sector Cybersecurity Strategy becomes a condition for participation in federal health programs.
- [What Does TPO Stand for in HIPAA?](https://www.hipaajournal.com/what-does-tpo-stand-for-in-hipaa/) - In HIPAA, TPO stands for Treatment, Payment, and Healthcare Operations – activities in which HIPAA covered entities and business associates are generally permitted to use and disclose Protected Health Information without an individual’s consent or authorization. However, there are exceptions, and conditions are attached to certain types of uses and disclosures. 
- [Is Typeform HIPAA Compliant?](https://www.hipaajournal.com/typeform-hipaa-compliant/) - Typeform is HIPAA compliant on the surface, and could be an option to collect, store, and transmit Protected Health Information via forms, surveys, and quizzes, provided HIPAA covered organizations conduct due diligence to ensure the platform and its capabilities genuinely support HIPAA compliance. 
- [What is TPA in Healthcare?](https://www.hipaajournal.com/tpa-in-healthcare/) - TPA in healthcare stands for Third Party Administrator – most often a state-licensed individual or organization that acts as an independent intermediary between an employer’s self-funded health plan and healthcare providers. Although independent, the purpose of a TPA in healthcare is to support self-funded health plans by managing administrative tasks and processes on health plans’ behalf.
- [HIPAA Compliant Credit Card Processing](https://www.hipaajournal.com/hipaa-compliant-credit-card-processing/) - HIPAA compliant credit card processing is rarely an issue for HIPAA covered entities because financial institutions and entities processing payments on their behalf are exempt from complying with the HIPAA Administrative Simplification Regulations. However, there are some scenarios in which HIPAA compliance can be a factor.
- [Does HIPAA Apply to Veterinarians?](https://www.hipaajournal.com/does-hipaa-apply-to-veterinarians/) - HIPAA does not apply to veterinarians because veterinarians do not conduct electronic healthcare transactions for which the Department of Health and Human Services has adopted standards and therefore do not qualify as HIPAA covered entities. However, regulations similar to HIPAA apply to veterinarians in several states or in certain circumstances.
- [HIPAA Rules and Regulations](https://www.hipaajournal.com/hipaa-rules-and-regulations/) - The HIPAA rules and regulations are the standards and implementation specifications adopted by federal agencies to streamline healthcare transactions and protect the privacy and security of individually identifiable health information. This guide explains why the HIPAA rules and regulations exist, what they consist of, and who they apply to.
- [HIPAA Transactions and Code Sets Rules](https://www.hipaajournal.com/hipaa-transactions-and-code-sets-rules/) - The HIPAA transactions and code sets rules have the objective of replacing non-standard descriptions of healthcare activities with standard formats for each type of activity in order to streamline administrative processes, lower operating costs, and improve the quality of data.
- [HIPAA Unique Identifiers Explained](https://www.hipaajournal.com/hipaa-unique-identifiers/) - The requirement to adopt HIPAA unique identifiers for individuals, employers, health plans, and healthcare providers was originally included in the text of HIPAA in order to improve the efficiency of healthcare transactions and to reduce administrative costs. However, no standards were ever adopted for individuals, and the standards for health plans were rescinded in 2019.
- [Does HIPAA Apply after Death?](https://www.hipaajournal.com/does-hipaa-apply-after-death/) - With regards to the question does HIPAA apply after death, the Privacy Rule states: “A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.” (§164.502(f)).
- [Is Wix HIPAA Compliant?](https://www.hipaajournal.com/is-wix-hipaa-compliant/) - Wix is not HIPAA compliant, but it is still possible for covered entities and business associates to use Wix for building and hosting websites that collect non-health information. Potential workarounds for making Wix HIPAA compliant are complicated and could result in HIPAA violations if the workarounds are not configured properly.
- [What Information is Protected Under HIPAA Law?](https://www.hipaajournal.com/what-information-is-protected-under-hipaa-law/) - The information protected under HIPAA law is known as Protected Health Information – a subset of individually identifiable health information that is protected under HIPAA law when it is created, received, maintained, or transmitted by a covered entity. Individually identifiable non-health information is also protected under HIPAA law when it is maintained in the same designated record set as Protected Health Information.
- [What is Required for HIPAA Compliance?](https://www.hipaajournal.com/what-is-required-for-hipaa-compliance/) - What is required for HIPAA compliance is for covered entities and business associates to comply with all applicable standards and implementation specifications of the HIPAA Administrative Simplification Regulations in order to protect the privacy and security of individually identifiable health information.
- [Who is Responsible for HIPAA Compliance?](https://www.hipaajournal.com/who-is-responsible-for-hipaa-compliance/) - Covered entities and business associates are responsible for HIPAA compliance, the compliance of their workforces, and the compliance of any third party service providers to whom Protected Health Information (PHI) is disclosed. To manage the responsibilities, covered entities and business associates are required to designate a Privacy Officer and/or a Security Officer. 
- [How Much Does HIPAA Compliance Cost?](https://www.hipaajournal.com/how-much-does-hipaa-compliance-cost/) - Estimates of how much HIPAA compliance costs have risen sharply since HHS forecast costs of between $458 and $3,602 for health plans – and of between $1,269 and $10,211 for hospitals – for complying with the Privacy Rule in 1999. A quarter of a century later, mid-range estimates of the cost of HIPAA compliance fall into the range of $80,000 to $120,000.
- [What Information does a Patient Information Form Gather?](https://www.hipaajournal.com/what-information-does-a-patient-information-form-gather/) - What information a patient information form gathers varies depending on the purpose of gathering the information and how it might be used. Because there is no one-size-fits-all patient information form, there is no one-size-fits-all answer to what information a patient information form gathers.
- [HIPAA Guidelines for Healthcare Professionals](https://www.hipaajournal.com/hipaa-guidelines-for-healthcare-professionals/) - The HIPAA guidelines for healthcare professionals are that healthcare professionals should understand all relevant HIPAA standards and apply them in accordance with their employer’s workplace policies. Understanding the relevant standards helps prevent unintentional violations of HIPAA and the potential for sanctions.
- [The Three Pillars of HIPAA Compliance](https://www.hipaajournal.com/three-pillars-of-hipaa-compliance/) - The three pillars of HIPAA compliance are to develop, implement and continuously improve a HIPAA compliance program, a HIPAA training program, and an information technology security program.
- [Is HoneyBook HIPAA Compliant?](https://www.hipaajournal.com/honeybook-hipaa-compliant/) - HoneyBook is not HIPAA compliant and cannot be used to create, collect, store, or transmit electronic Protected Health Information if a healthcare provider qualifies as a HIPAA covered entity or provides services to or on behalf of a covered entity as a business associate. However, this does not mean HoneyBook cannot be used by healthcare providers at all. 
- [Does HIPAA Apply to Workers Comp?](https://www.hipaajournal.com/does-hipaa-apply-to-workers-comp/) - HIPAA does not apply to workers comp inasmuch as workers compensation insurers and administrative agencies are not required to comply with the HIPAA Administrative Simplification Requirements. However, HIPAA does apply to disclosures of Protected Health Information by HIPAA covered entities for workers comp purposes.
- [MSP HIPAA Compliance for Managed IT Service Providers](https://www.hipaajournal.com/hipaa-for-msps/) - MSP HIPAA compliance for managed IT service providers often consists of not only understanding the compliance capabilities of the services being provided, but also understanding the compliance obligations of clients that services are being provided to.
- [HIPAA Privacy Laws](https://www.hipaajournal.com/hipaa-privacy-laws/) - The HIPAA privacy laws were first enacted in 2002 with the objective of protecting the confidentiality of patients´ healthcare information without handicapping the flow of information that was required to provide treatment.
- [HIPAA Security Rule Checklist](https://www.hipaajournal.com/hipaa-security-rule-checklist/) - A HIPAA Security Rule checklist helps covered entities, business associates, and other organizations subject to HIPAA compliance to fulfil the requirements of the Security Standards for the Protection of Electronic Protected Health Information (better known as the HIPAA Security Rule). Complying with the Security Rule Standards can reduce the likelihood of HIPAA violations and data breaches attributable to human error and bad actors.
- [What did the HIPAA Omnibus Rule Mandate?](https://www.hipaajournal.com/hipaa-omnibus-rule/) - The HIPAA Omnibus Rule mandated modifications to the Privacy, Security, and Enforcement Rules in order to adopt measures passed in the HITECH Act, finalized the Breach Notification Rule, and added standards to account for the passage of the GINA Act. The key provisions of the HIPAA Omnibus Rule were:
- [Is QuickBooks HIPAA Compliant?](https://www.hipaajournal.com/is-quickbooks-hipaa-compliant/) - QuickBooks is not HIPAA compliant and cannot be used to create, collect, store, or transmit Protected Health Information unless the desktop version of the software is used via a third party hosting service that supports HIPAA compliance. However, due to the cost of deploying QuickBooks Desktop on a third party hosting service, it may be better for healthcare providers to use a HIPAA compliant QuickBooks alternative.
- [Is JotForm HIPAA Compliant?](https://www.hipaajournal.com/jotform-hipaa-compliant/) - JotForm is HIPAA compliant and can be used to collect, store, and share Protected Health Information (PHI) provided businesses subscribe to a Gold or Enterprise plan and agree to the terms of JotForm’s Business Associate Agreement. Existing subscribers with a Starter, Bronze, or Silver plan must upgrade their plan to use JotForm in compliance with HIPAA.
- [What Happens if You Violate HIPAA?](https://www.hipaajournal.com/what-happens-if-you-violate-hipaa/) - What happens if you violate HIPAA depends on the nature and consequences of the violation, the motive for the violation, and whether you knew – or should have known – that the violation was indeed a violation. What happens if you violate HIPAA can also depend on if or how the violation is identified.
- [Examples of HIPAA Violations by Employers](https://www.hipaajournal.com/examples-of-hipaa-violations-by-employers/) - Examples of HIPAA violations by employers are easy to find because almost every avoidable HIPAA violation is indirectly attributable to an employer’s failure to implement adequate privacy and security measures, failure to effectively train members of the workforce, or failure to monitor HIPAA compliance. Over the next few years, these failures may become expensive for employers in – or providing a service to – the healthcare industry.
- [HIPAA Administrative Safeguards](https://www.hipaajournal.com/hipaa-safeguards/) - Compared to the specific HIPAA administrative safeguards of the Security Rule (the Administrative, Physical, and Technical Safeguards), most other references to safeguards in the text of HIPAA are intentionally flexible to accommodate the different types of covered entities and business associates that have to comply with them. While this flexibility means it can be easier for some organizations to comply with the HIPAA safeguards, other organizations may find the lack of direct guidance unhelpful.
- [What are the HIPAA Administrative Simplification Regulations?](https://www.hipaajournal.com/hipaa-administrative-simplification-regulations/) - The HIPAA Administrative Simplification Regulations are the regulations adopted “to improve the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information” (42 USC §1320d).
- [What is PHI in HIPAA?](https://www.hipaajournal.com/what-is-phi-in-hipaa/) - PHI in HIPAA is an acronym for Protected Health Information – health information that is created, collected, maintained, or transmitted by a covered entity that relates to an individual’s past, present, or future physical or mental condition, treatment for the condition, or payment for the treatment, and that is protected by HIPAA from impermissible uses and disclosures.
- [HIPAA Compliance for Medical Centers](https://www.hipaajournal.com/hipaa-compliance-for-medical-centers/) - HIPAA compliance for medical centers consists of complying with the Administrative Simplification standards of the Health Insurance Portability and Accountability Act (HIPAA).
- [HIPAA Compliance for Medical Software Applications](https://www.hipaajournal.com/hipaa-compliance-for-medical-software-applications/) - HIPAA compliance for medical software applications can be a complicated issue to understand.
- [Is Google Chat HIPAA Compliant?](https://www.hipaajournal.com/is-google-chat-hipaa-compliant/) - Google Chat is HIPAA compliant when it is used as part of a Google Workspace plan that includes the necessary controls to protect the confidentiality, integrity, and availability of Protected Health Information (PHI) used and disclosed via this communication channel. To make Google Chat HIPAA compliant, it is also necessary to agree to Google’s Business Associate Addendum to the Workspace Terms of Service.
- [HIPAA Compliance Regulations](https://www.hipaajournal.com/hipaa-compliance-regulations/) - The latest version of the HIPAA compliance regulations was enacted in the Final Omnibus Rule of 2013.
- [HIPAA Compliance for Pediatricians](https://www.hipaajournal.com/hipaa-compliance-for-pediatricians/) - HIPAA compliance for pediatricians is complicated by the provisions of the Privacy Rule relating to personal representatives of unemancipated minors and the data sharing requirements of the 21st Century Cures Act Interoperability Final Rule. 
- [HIPAA Compliance Plan](https://www.hipaajournal.com/hipaa-compliance-plan/) - A HIPAA compliance plan starts life as a framework for using and disclosing Protected Health Information as required or permitted by the HIPAA Privacy Rule, and as a set of safeguards for protecting the confidentiality, integrity, and availability of electronic Protected Health Information as required by the HIPAA Security Rule.
- [Is iCloud HIPAA Compliant?](https://www.hipaajournal.com/icloud-hipaa-compliant/) - iCloud is not HIPAA compliant and cannot be used to store, sync, or share media containing Protected Health Information (PHI) as – in its Terms of Service – Apple prohibits any use of iCloud services that would make it a business associate of a covered entity. However, covered entities can still use iCloud for other purposes than storing, syncing, or sharing media containing PHI.
- [What is a HIPAA Subpoena?](https://www.hipaajournal.com/hipaa-subpoena/) - A HIPAA subpoena is a legal document that compels HIPAA-regulated entities to release information such as patient medical records that they would otherwise not be permitted to disclose due to Privacy Rule restrictions on uses and disclosures. The HIPAA Privacy Rule permits disclosures of protected health information (PHI) if compelled to do so by a valid subpoena.
- [When does State Privacy Law Supersede HIPAA?](https://www.hipaajournal.com/when-does-state-privacy-law-supersede-hipaa/) - State privacy law supersedes HIPAA when a state law provides greater privacy protections for individually identifiable health information than HIPAA or when a state law provides individuals with more privacy rights than HIPAA. In such cases, the superseding standard or clause applies rather than the whole of the state privacy law.
- [Is Dropbox HIPAA Compliant?](https://www.hipaajournal.com/is-dropbox-hipaa-compliant-8882/) - Dropbox is HIPAA compliant and can be used to store, sync, and share Protected Health Information provided organizations subscribe to a Business or Business Plus Plan, configure Dropbox’s controls to support HIPAA compliance, and train members of the workforce on its compliant use. It will also be necessary to enter into a Business Associate Agreement with Dropbox.
- [Nurse Patient Communication](https://www.hipaajournal.com/nurse-patient-communication/) - Nurse patient communication is not only important for the identification of symptoms and feedback on treatments, but it can also help improve the patient experience, increase the prospects of recovery, and reduce readmissions – saving healthcare facilities money through CMS’ Hospitals Readmission Reduction program.
- [HIPAA Compliance for Behavioral Health Practices](https://www.hipaajournal.com/hipaa-compliance-for-behavioral-health-practices/) - HIPAA compliance for behavioral health practices not only consists of complying with the HIPAA Privacy, Security, and Breach Notification Rules, but also with any other federal or state regulations that exceed HIPAA’s “federal floor” of privacy protections. These regulations include (for example) the 42 CFR Part 2 “SUD” regulations and the Texas Medical Records Privacy Act.
- [HIPAA Compliance for HR Departments](https://www.hipaajournal.com/hipaa-compliance-for-hr-departments/) - HIPAA compliance for HR departments consists of understanding what HIPAA standards are applicable to the department’s activities, and implementing policies and procedures to ensure the privacy and security of individually identifiable health information where appropriate – not forgetting that state privacy and security regulations may also apply.
- [HIPAA Compliance for Emergency Care](https://www.hipaajournal.com/hipaa-compliance-for-emergency-care/) - HIPAA compliance for emergency care professionals can be harder than for other healthcare professionals due to the variety of emergency events they attend and the behaviors of patients and their families during emergency events. We look at why this is the case and what Covered Entities can do to prevent unintentional HIPAA violations in emergencies.
- [HIPAA Compliance Solutions](https://www.hipaajournal.com/hipaa-compliance-solutions/) - If you conduct an Internet search for HIPAA compliance solutions, you will get thousands of results.
- [Is WebEx HIPAA Compliant?](https://www.hipaajournal.com/cisco-webex-hipaa-compliant/) - Webex is HIPAA compliant and, provided policies relating to disclosures are complied with, can be used to disclose PHI during videoconference calls between healthcare providers or during telehealth calls between providers and patients. It is also important the platform is configured to support HIPAA compliance and that a Business Associate Agreement is in place with Webex by Cisco.
- [HIPAA Permitted Disclosures](https://www.hipaajournal.com/hipaa-permitted-disclosures/) - The HIPAA permitted disclosures of PHI are summarized in §164.502 of the Privacy Rule, with more details about each type of permitted disclosure (i.e., to Business Associates, etc.) being provided in §§164.504-164.514 of the Privacy Rule. It is important for covered entities and business associates to be aware of HIPAA permitted disclosures to avoid unintentional violations of HIPAA.
- [HIPAA Compliance for Insurance Brokers](https://www.hipaajournal.com/hipaa-compliance-for-insurance-brokers/) - HIPAA compliance for insurance brokers acting on behalf of a HIPAA-covered health plan consists of complying with the HIPAA Security and Breach Notification Rules and any parts of the HIPAA Administrative Simplification Regulations relevant to their activities on behalf of a health plan.
- [HIPAA Consulting](https://www.hipaajournal.com/hipaa-consulting/) - HIPAA consulting firms are most often firms of compliance experts with a deep understanding of the Health Insurance Portability and Accountability Act and associated legislation that can provide advice to HIPAA-regulated entities about HIPAA and HITECH compliance. Usually, each firm has a team of consultants specializing in various aspects of the Act, with their areas of expertise including risk assessments, training, and incident management.
- [Who Do You Report HIPAA Violations To?](https://www.hipaajournal.com/report-hipaa-violations/) - Who you report HIPAA violations to can vary depending on whether – for example – you are a patient reporting a violation of your privacy rights, a member of the workforce reporting a violation by a colleague, or a covered entity reporting a violation that has resulted in a data breach. In all cases, the quicker HIPAA violations are reported, the quicker they can be resolved and prevented from happening again in the future.
- [When Was HIPAA Enacted?](https://www.hipaajournal.com/when-was-hipaa-enacted/) - HIPAA was enacted at various stages following the passage of the Health Insurance Portability and Accountability Act in 1996, with some measures effective immediately, others enacted within 90 days, and those relating to the privacy and security of health information taking several years.
- [HIPAA Training for Dental Offices](https://www.hipaajournal.com/hipaa-training-dental-offices/) - HIPAA training for dental offices consists of the same Privacy Rule and Security Rule training as required by other healthcare facilities, with additional considerations for multi-tasking employees, state licensing requirements, and the disposition of clients attending dental offices. Despite these additional considerations, it is important that the basics of HIPAA are still included in HIPAA training programs for dental office employees.
- [Is Box HIPAA Compliant?](https://www.hipaajournal.com/box-hipaa-compliant/) - Box is HIPAA compliant and can be used to store, manage, and share files and folders containing Protected Health Information provided an organization subscribes to an Enterprise or Enterprise Plus Plan, configures Box to support HIPAA compliance, and enforces organizational policies to meet HIPAA compliance requirements. In addition, it will be necessary to agree to Box’s Business Associate Agreement in order to make the use of Box HIPAA compliant.
- [What Does PHI Stand For?](https://www.hipaajournal.com/what-does-phi-stand-for/) - PHI stands for Protected Health Information – a term commonly used in connection with the Health Insurance Portability and Accountability Act (HIPAA) and associated legislation such as the Health Information Technology for Economic and Clinical Health Act (HITECH). Generally, PHI is any data relating to a patient, a patient’s healthcare, or the payment for that healthcare that is created, received, stored, or transmitted by HIPAA-covered entities and their business associates.
- [Is SharePoint HIPAA Compliant?](https://www.hipaajournal.com/sharepoint-hipaa-compliant/) - SharePoint is HIPAA compliant and can be used to maintain and share PHI when used as part of an Office 365 or Microsoft 365 Enterprise plan that supports HIPAA compliance, if the online storage service is configured to comply with the HIPAA access control requirements, and a Business Associate Agreement is entered into with Microsoft. This post explains more about what is necessary to make SharePoint HIPAA compliant and suitable for use in the healthcare industry.
- [HIPAA Compliance for SaaS](https://www.hipaajournal.com/hipaa-compliance-for-saas/) - HIPAA compliance for SaaS consists of ensuring the software product or service complies with all applicable Security Rule standards, and that the product or service includes capabilities that can be configured to support end-user HIPAA compliance.  
- [Is SurveyMonkey HIPAA Compliant?](https://www.hipaajournal.com/is-surveymonkey-hipaa-compliant/) - SurveyMonkey is HIPAA compliant and – when organizations subscribe to an Enterprise Plan and agree to SurveyMonkey’s Business Associate Agreement – SurveyMonkey can be used to collect, store, and analyze Protected Health Information (PHI). Organizations that do not wish to subscribe to an Enterprise Plan can still use the service, but not to collect, store, or analyze PHI.
- [HIPAA Compliance for Hospitals](https://www.hipaajournal.com/hipaa-compliance-for-hospitals/) - There is no one-size-fits-all approach to HIPAA compliance for hospitals because of the many different types of hospitals, the different types of challenges, and the different laws other than HIPAA that hospitals have to comply with depending on the nature of their activities. However, HIPAA compliance checklists that account for existing compliance efforts can help hospitals cover the basics of HIPAA compliance.
- [HIPAA Compliance for Optometrists](https://www.hipaajournal.com/hipaa-compliance-for-optometrists/) - HIPAA compliance for optometrists is mandatory for most optometry professionals; however, the responsibility for HIPAA compliance can vary depending on whether the optometry professional is a solo practitioner or works in a group practice. If an optometrist works in a group practice, whether patient records are individually “owned” or pooled between practitioners can also make a difference.
- [What Does HIPAA Cover?](https://www.hipaajournal.com/what-does-hipaa-cover/) - HIPAA – via the Administrative Simplification Regulations – covers the privacy of individually identifiable health information when it is created, received, maintained, or transmitted by an entity covered by HIPAA or a third party service provider working for or on behalf of a covered entity.
- [Florida HIPAA Laws](https://www.hipaajournal.com/florida-hipaa-laws/) - Florida HIPAA laws are the laws that apply in Florida to Covered Entities and Business Associates that preempt, or are additional to, HIPAA. It is important to be aware when Florida HIPAA laws apply in order to avoid fines and possible jail terms for non-compliance.
- [Psychotherapy Notes and HIPAA](https://www.hipaajournal.com/psychotherapy-notes-and-hipaa/) - The relationship between psychotherapy notes and HIPAA is more complex than with most other types of health information because, under HIPAA, psychotherapy notes are PHI not usually required for treatment, payment, or health care operations other than by the healthcare professional who created them.
- [What to do if Accused of a HIPAA Violation](https://www.hipaajournal.com/accused-of-a-hipaa-violation/) - What you should do if accused of a HIPAA violation can depend on the nature of the violation, whether you work for an organization covered by HIPAA, what your role in the organization is, who is making the accusation, and what their role is. Whatever the circumstances, it is important that you do not ignore the accusation; and, if in any doubt about its validity, seek advice.
- [Can You Make WordPress HIPAA Compliant?](https://www.hipaajournal.com/wordpress-hipaa-compliant/) - You can make WordPress HIPAA compliant by installing plug-ins into a WordPress site that collect and secure Protected Health Information (PHI) in compliance with HIPAA and by implementing additional safeguards to secure the transmission of PHI from the site to a database. Before explaining how it is possible to make WordPress HIPAA compliant, it is worthwhile covering how HIPAA applies to websites.
- [HIPAA Compliant Hosting](https://www.hipaajournal.com/hipaa-compliant-hosting/) - HIPAA compliant hosting is a service most often provided by cloud service providers that enables covered entities and business associates to take advantage of a hosting environment that complies with the HIPAA Security Rule standards. Most often, a HIPAA compliant hosting service includes access controls, data encryption, operating system security, and segregated servers.
- [HIPAA Compliance for Home Health Care](https://www.hipaajournal.com/hipaa-compliance-for-home-health-care/) - HIPAA compliance for home health care workers consists of complying with the Privacy Rule and Security Rule in circumstances that can be testing due to the unique challenges healthcare workers can encounter in the community that do not exist in brick-and-mortar hospitals.
- [HITECH Compliance Checklist](https://www.hipaajournal.com/hitech-compliance/) - Any businesses subject to HIPAA compliance are advised to use a HITECH compliance checklist to help ensure they meet the requirements of the Health Information Technology for Economic and Clinical Health Act – an Act passed in 2009 to facilitate the adoption and Meaningful Use of EHRs and to better protect PHI maintained on, or transmitted between, health IT systems. 
- [The Difficulty in Complying with HIPAA California Law](https://www.hipaajournal.com/hipaa-california-law/) - The difficulty in complying with HIPAA California law is that there are three significant Acts of legislation that healthcare organizations and their Business Associates have to comply with – the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA – as amended by the California Privacy Rights Act) and the Confidentiality of Medical Information Act (CMIA).
- [What is the Maximum Penalty for Violating HIPAA?](https://www.hipaajournal.com/what-is-the-maximum-penalty-for-violating-hipaa/) - The maximum penalty for violating HIPAA is currently $68,928 (December 2023) for a violation that is attributable to willful neglect and, despite being alerted to the violation by HHS’ Office for Civil Rights, is not corrected within 30 days. However, this figure represents the maximum penalty per violation, and Covered Entities and Business Associates found guilty of multiple violations can expect to pay up to $2,067,813 per violation “type” per year.
- [What is a HIPAA Confidentiality Agreement for Employees?](https://www.hipaajournal.com/hipaa-confidentiality-agreement-for-employees/) - A HIPAA confidentiality agreement for employees is similar to a non-disclosure agreement inasmuch as members of the workforce agree not to disclose any confidential information they encounter in the performance of their functions – unless the disclosure is permissible by the Privacy Rule, relevant to the function they are performing, and limited to the minimum necessary.
- [Who Enforces HIPAA?](https://www.hipaajournal.com/who-enforces-hipaa/) - HIPAA is enforced by multiple federal agencies including the Department of Health and Human Services, the Department of Labor, the Department of the Treasury, and the Federal Trade Commission. State attorneys general can also enforce HIPAA; while, within each organization subject to the Administrative Simplification provisions, HIPAA compliance should be enforced by a Privacy Officer and a Security Officer.
- [Can HIPAA be Waived?](https://www.hipaajournal.com/can-hipaa-be-waived/) - Although HIPAA cannot be waived in its entirety, some provisions of the Privacy Rule can be waived in certain circumstances for a limited time – either locally or nationally, or for certain types of medical facilities during certain types of event.
- [Why is HIPAA Important to Patients?](https://www.hipaajournal.com/why-is-hipaa-important-patients/) - HIPAA is important for patients because it provides a federal floor of privacy and security standards for their health data, requires covered entities to notify them if their data is accessed or disclosed impermissibly, and enables them to take more control over how their data is used. However, some patients misunderstand which organizations are required to comply with the Health Insurance Portability and Accountability Act (HIPAA).
- [HIPAA Guidelines for Nursing Students](https://www.hipaajournal.com/hipaa-guidelines-for-nursing-students/) - The HIPAA guidelines for nursing students are that nursing students should understand what HIPAA is and what it protects to ensure HIPAA compliance training provided by an employer is better understood and better absorbed. Because student training can take many years to complete, it is also advisable for nursing students to undertake periodic refresher training.
- [What is the Texas Medical Records Privacy Act?](https://www.hipaajournal.com/texas-medical-records-privacy-act/) - The Texas Medical Records Privacy Act is a law passed by the Texas legislature in 2001 that created Chapter 181 of the Texas Health and Safety Code. Subsequent amendments to the Act have strengthened its privacy protections and increased the penalties for non-compliance. Importantly, the Act can apply to organizations located outside the state of Texas.
- [Is Google Drive HIPAA Compliant?](https://www.hipaajournal.com/is-google-drive-hipaa-compliant/) - Google Drive is HIPAA compliant if it is used as part of a paid-for Google Workspace plan with the capabilities to support HIPAA compliance, or if it is used as part of a Google Workspace plan that is combined with other security measures to support HIPAA compliance. The free version of Google Drive cannot be used to store or share Protected Health Information (PHI).
- [Is G Suite HIPAA Compliant?](https://www.hipaajournal.com/g-suite-hipaa-compliant/) - G Suite is HIPAA compliant provided organizations subscribe to a Google Workspace Business Account that includes the capabilities to support HIPAA compliance and provided the capabilities are configured to support compliance with HIPAA. It will also be necessary for a system administrator to agree to Google’s Business Associate Addendum to the Service Agreement.
- [HIPAA Compliance for Hospices](https://www.hipaajournal.com/hipaa-compliance-for-hospices/) - HIPAA compliance for hospices has to take into account that many members of the workforce may be volunteers or clergy who are less familiar with compliance requirements, yet who may be placed under extreme emotional pressures from the families of patients they are caring for.
- [HIPAA Security Rule](https://www.hipaajournal.com/hipaa-security-rule/) - The HIPAA Security Rule is narrower in scope than the HIPAA Privacy Rule inasmuch as the Privacy Rule applies to all Protected Health Information (PHI) created, received, stored, or transmitted by a covered entity or business associate, whereas the Security Rule applies only to PHI created, received, stored, or transmitted electronically (ePHI). The reason for there being a separate Security Rule is that ePHI is more vulnerable to remote attacks.
- [HIPAA Compliant Remote Access Software](https://www.hipaajournal.com/hipaa-compliant-remote-access-software/) - HIPAA compliant remote access software provides HIPAA-covered entities and their business associates with a secure way of remotely accessing systems containing electronic protected health information (ePHI) and simplifies the management of remote access. Healthcare organizations can have dozens of vendors who require remote access to servers, applications, and healthcare data, and oftentimes several different methods are used to provide access to vendors. Without a single solution, management of remote access is time consuming, complex, and difficult to control carefully.
- [OCR Reminds HealthCare Orgs of Importance of a Sanctions Policy](https://www.hipaajournal.com/ocr-hipaa-sanctions-policy/) - In its October 2023 cybersecurity newsletter, the HHS’ Office for Civil Rights reminds HIPAA-regulated entities of the importance of sanctions policies. Sanctions policies help covered entities develop a culture of compliance, improve cybersecurity vigilance, and prevent common HIPAA violations.
- [HIPAA Compliance for Call Centers](https://www.hipaajournal.com/hipaa-compliance-for-call-centers/) - HIPAA compliance for call centers that operate as business associates for covered entities consists of complying with the Security and Breach Notification Rule and the sections of the Privacy Rule relating to permissible uses and disclosures and the minimum necessary standard.
- [What are the HIPAA Technical Safeguards?](https://www.hipaajournal.com/hipaa-technical-safeguards/) - The HIPAA Technical Safeguards consist of five Security Rule standards that are designed to protect ePHI and control who has access to it. All covered entities and business associates are required to comply with the five standards or adopt equally effective measures. However, evidence suggests many covered entities and business associates fail to comply with the HIPAA Technical Safeguards.
- [Is Google Docs HIPAA Compliant?](https://www.hipaajournal.com/google-docs-hipaa-compliant/) - Google Docs is HIPAA compliant provided that, before using the service to create, receive, maintain, or transmit PHI, organizations subscribe to a Google Workspace business plan, configure the service to comply with HIPAA, and sign Google’s Business Associate Addendum. It is not possible to use a free Google Docs account to create, receive, maintain, or transmit PHI as the free service does not include the features required to support HIPAA compliance.
- [HIPAA Compliant SFTP Server](https://www.hipaajournal.com/hipaa-compliant-sftp-server/) - If FTP is required to transfer protected health information, healthcare providers, health plans, healthcare clearinghouses and business associates of HIPAA-covered entities must ensure their service provider uses a HIPAA compliant sFTP server.
- [HITECH Act and Meaningful Use](https://www.hipaajournal.com/hitech-act-meaningful-use/) - When the HITECH Act and Meaningful Use incentive program was enacted in 2009, it was described as “the most important piece of healthcare legislation to be passed in the last 20 to 30 years” and “the foundation for health care reform”. Not only did the HITECH Act and Meaningful Use incentive program aim to have every US citizen’s health information electronically accessible within five years, it also introduced new measures to protect the integrity of electronic Protected Health Information (ePHI).
- [What Happens after a HIPAA Complaint is Filed?](https://www.hipaajournal.com/what-happens-after-a-hipaa-complaint-is-filed/) - What happens after a HIPAA complaint is filed can vary according to who it is filed with, whether or not the complaint is justified, and the nature of the complaint.
- [Is Airdroid Business HIPAA Compliant?](https://www.hipaajournal.com/is-airdroid-business-hipaa-compliant/) - Airdroid is a HIPAA-compliant all-in-one Android Mobile Device Management (MDM) solution for small businesses and enterprises that can be used by HIPAA-covered entities and their business associates to improve privacy and comply with many provisions of the HIPAA Security Rule.
- [Can a Nurse be Fired for a HIPAA Violation?](https://www.hipaajournal.com/nurse-fired-hipaa-violation/) - A nurse can be fired for a HIPAA violation if the nature of the violation is sufficiently serious to warrant a termination of contract or if the nurse has demonstrated a pattern of noncompliance through a series of HIPAA violations. Whether or not a nurse will be fired for a HIPAA violation depends on the terms of their employer’s sanctions policy.
- [When Did HIPAA Take Effect?](https://www.hipaajournal.com/when-did-hipaa-take-effect/) - HIPAA took effect in various stages following the passage of the Health Insurance Portability and Accountability Act in 1996, with some changes enacted by HIPAA taking effect immediately, most taking effect 90 days after the passage of HIPAA, and those relating to the privacy and security of healthcare data taking up to ten years to take effect. Even then, HIPAA was not effectively enforced until after the HIPAA Omnibus Final Rule took effect in September 2013.
- [21st Century Cures Act Compliance for HIPAA Covered Entities](https://www.hipaajournal.com/cures-act-compliance/) - Although the 21st Century Cures Act did not directly amend HIPAA, subsequent rulemaking could create Cures Act compliance challenges for HIPAA covered entities with regard to individuals’ access to ePHI via APIs and the security risks that may involve. This article looks at some of the potential challenges and discusses what covered entities can do to overcome them.
- [What is the Texas OIG Exclusions Database?](https://www.hipaajournal.com/texas-oig-exclusions/) - The Texas OIG exclusions database is a list of excluded individuals and entities similar to the federal HHS OIG exclusion database. The primary difference between the two databases is that the Texas OIG exclusions database contains the names of individuals and entities that have violated state law as well as those that have violated federal law.
- [What are HHS OIG Federal Exclusions?](https://www.hipaajournal.com/oig-federal-exclusions/) - HHS OIG federal exclusions are sanctions on individuals and organizations that have violated a clause in §1128 of the Social Security Act. Being excluded prohibits an individual or organization from participating in any federal health care program, or from providing goods or services for healthcare providers that participate in a federal health program.
- [What is HIPAA Enforcement Discretion?](https://www.hipaajournal.com/hipaa-enforcement-discretion/) - HIPAA enforcement discretion occurs when the Secretary for Health and Human Services (HHS) announces the Department will exercise discretion in the enforcement of HIPAA Rules. The discretion can be temporary or permanent, region-specific or nationwide, or apply to some Rules but not others.
- [Is Paubox HIPAA Compliant?](https://www.hipaajournal.com/paubox-hipaa-compliant/) - Paubox is HIPAA compliant and as an email encryption solution supports HIPAA compliance and can be used by Covered Entities and Business Associates to communicate Protected Health Information in emails without violating the standards of the HIPAA Privacy or Security Rules.
- [Is Qualtrics HIPAA Compliant?](https://www.hipaajournal.com/is-qualtrics-hipaa-compliant/) - The issue with answering the question is Qualtrics HIPAA compliant is that, although the “experience management” platform appears to support HIPAA compliance, configuring and using the platform in a HIPAA compliant manner looks more complicated than some Covered Entities will be comfortable with.
- [Will a HIPAA Violation Show Up on a Background Check?](https://www.hipaajournal.com/hipaa-violation-background-check/) - Whether or not a HIPAA violation will show up on a background check depends on the nature of the violation, the consequences of the violation, and the motive for the violation. While it is currently rare for a HIPAA violation to show up on a background check, this may change due to a proposed update to the Privacy Rule.
- [HIPAA Compliance Guidelines](https://www.hipaajournal.com/hipaa-compliance-guidelines/) - The HIPAA compliance guidelines provide a comprehensive starting point for HIPAA compliance in three distinct sections.
- [Is Disclosing a Pregnancy a HIPAA Violation?](https://www.hipaajournal.com/is-disclosing-a-pregnancy-a-hipaa-violation/) - Whether disclosing a pregnancy is a HIPAA violation depends on who is disclosing the information, the purpose of the disclosure, who the disclosure is made to, and whether any required consent, authorization, or attestation has been obtained. How the disclosure is made can also determine whether it constitutes a HIPAA violation.
- [HIPAA Compliance for Dermatologists](https://www.hipaajournal.com/hipaa-compliance-for-dermatologists/) - A number of sources discussing HIPAA compliance for dermatologists suggest all dermatologists are required to comply with HIPAA because they have access to personal health information. This is not correct, and it may be the case that some dermatologists have implemented HIPAA privacy and security safeguards unnecessarily.
- [Does HIPAA Apply to Minors?](https://www.hipaajournal.com/does-hipaa-apply-to-minors/) - The privacy standards of HIPAA apply to minors inasmuch as a minor’s health information is subject to the same Privacy Rule protections as an adult’s health information and must be secured in the same way against threats to its confidentiality, integrity, and availability. However, there are differences in the application of HIPAA rights when an individual is an unemancipated minor.
- [What Are HIPAA Laws?](https://www.hipaajournal.com/what-are-hipaa-laws/) - The main objective of HIPAA law is to protect the privacy of an individual’s health information while at the same time permitting needed information to be disclosed for patient care and other purposes such as billing. This balance helps protect the rights of patients while ensuring smooth operation of the healthcare system.
- [Video: Why HIPAA Compliance is Important for Healthcare Professionals](https://www.hipaajournal.com/why-hipaa-compliance-is-important-for-healthcare-professionals/) - Many sources explaining why HIPAA compliance is important for healthcare professionals tend to focus on the purpose of HIPAA regulations rather than the benefits of compliance for healthcare professionals. The same sources also tend to focus on how noncompliance affects patients and employers, rather than the impact it can have on healthcare professionals’ lives.
- [HIPAA Meaning of Protected Health Information](https://www.hipaajournal.com/hipaa-meaning/) - According to HHS’ Enforcement Highlights web page, the most common issue alleged in complaints to the Office for Civil Rights (OCR) is impermissible uses and disclosures of Protected Health Information. This is often interpreted as a failure to understand which uses and disclosures are permissible without patient authorizations; however, it could be just as likely there is a failure to understand the HIPAA meaning of Protected Health Information.
- [The HIPAA Breach Notification Rule](https://www.hipaajournal.com/hipaa-breach-notification-rule/) - The Health Insurance Portability and Accountability Act of 1996 is one of the most important pieces of legislation to affect the healthcare industry, yet many healthcare providers and insurers are unaware of HIPAA obligations, in particular those relating to the HIPAA Breach Notification Rule.
- [Are Email Addresses Protected by HIPAA?](https://www.hipaajournal.com/are-email-addresses-protected-by-hipaa/) - Email addresses are protected by HIPAA when they are maintained by or on behalf of a HIPAA covered entity in designated record sets containing individually identifiable health information and the email addresses could identify – or be used to identify – the subject of the individually identifiable health information. However, there are many scenarios in which email addresses are not protected by HIPAA.
- [What is the New HIPAA Safe Harbor Law?](https://www.hipaajournal.com/hipaa-safe-harbor-law/) - The new HIPAA Safe Harbor Law (HR 7898) is an amendment to the HITECH Act which instructs the Secretary of Health and Human Services to take into account existing security practices when determining penalties for HIPAA violations. Organizations that have adopted a recognized security framework will also benefit from less disruptive investigations and corrective action plans.
- [What Does HIPAA Mean?](https://www.hipaajournal.com/what-does-hipaa-mean/) - HIPAA stands for the Health Insurance Portability and Accountability Act – an Act passed by Congress in 1996 with the primary objectives of reforming the health insurance industry, enabling health insurance portability between jobs, and prohibiting practices that denied or limited access to health care benefits for employees with pre-existing conditions.
- [What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity?](https://www.hipaajournal.com/differences-hipaa-business-associate-hipaa-covered-entity/) - The terms covered entity and business associate are used widely throughout HIPAA legislation, but what are the differences between a HIPAA business associate and a HIPAA-covered entity?
- [Is it a HIPAA Violation to Ask for Proof of Vaccine Status?](https://www.hipaajournal.com/is-it-a-hipaa-violation-to-ask-for-proof-of-vaccine-status/) - According to several media sources, there appears to be a degree of confusion about the purpose of HIPAA, who it applies to, and whether asking someone if they have had a COVID-19 vaccine constitutes a HIPAA violation.
- [Meaningful Use Stage 1 Requirements](https://www.hipaajournal.com/meaningful-use-stage-1-requirements/) - The Meaningful Use Stage 1 Requirements are that providers must adopt certified Electronic Health Records (EHRs) and use the EHRs to collect patient data in four categories – core objectives, menu set, clinical quality measures, and additional quality care measures. Not all categories of data collection need to be fully completed in order to qualify for Meaningful Use incentive payments.

Version History

Version 1 - 10/28/2025, 11:05:50 PM - valid
108929 bytes

API Access

Canonical URL:
https://llmscentral.com/hipaajournal.com/llms.txt
API Endpoint:
/api/llms?domain=hipaajournal.com