Is Telling a Story about a Patient a HIPAA Violation?
Whether telling a story about a patient is a HIPAA violation depends on who is telling the story, why the story is being told, what information about the patient is revealed in the story, and whether the patient has authorized a disclosure of PHI or exercised their right to restrict disclosures. One of the objectives of the HIPAA Privacy Rule is to protect patient privacy. The HIPAA Privacy Rule tries to achieve this objective by stipulating which uses and disclosures of Protected Health Information (PHI) are permissible, which a patient should be given an opportunity to object to, and which require an authorization from the patient or their personal representative. However, the HIPAA Privacy Rule does not apply to everybody. If a healthcare provider is not a covered entity, not a member of a covered entity’s workforce, and not a member of a business associate’s workforce, telling a story about a patient is not a HIPAA violation – even if health information about the patient is disclosed – because HIPAA does not apply to that healthcare provider. Similarly, if an employee of a...
HIPAA Privacy Rule
The HIPAA Privacy Rule provides a federal floor of privacy standards that protects individuals’ health information and other identifying information by limiting the permissible uses and disclosures of such information by “covered entities” and “business associates” without authorization. The HIPAA Privacy Rule also gives individuals the rights to control how their health information is used and disclosed, to request copies of information maintained about them, and to request corrections when omissions or errors exist. This guide to the HIPAA Privacy Rule explains why it exists, who it applies to, what it protects, and how to maintain compliance. It should be used in conjunction with our free, easy-to-use HIPAA Privacy Rule Checklist PDF, which can be ordered by using any form on this page.
What is the Privacy Rule in the Context of HIPAA?
In the context of HIPAA, the Privacy Rule is a subpart of the Administrative Simplification Regulations (45 CFR Parts 160, 162, and 164). However, the protections provided by the Privacy Rule to individually identifiable health information apply...
HIPAA Encryption Requirements
The HIPAA encryption requirements have increased in relevance since an amendment to the HITECH Act in 2021 gave HHS’ Office for Civil Rights the discretion to refrain from enforcing penalties for HIPAA violations when covered entities and business associates can demonstrate at least twelve months of HIPAA compliance with a recognized security framework. The HIPAA encryption requirements occupy only a small section of the Technical Safeguards in the HIPAA Security Rule (45 CFR §164.312), yet they are among the most significant requirements for maintaining the confidentiality of electronic Protected Health Information (ePHI) and for determining whether a data breach is a notifiable incident under the HIPAA Breach Notification Rule. In addition, when encryption solutions are implemented that comply with NIST SP 800-111 for data at rest and NIST SP 800-52 for data in transit, they contribute toward compliance with a recognized security framework as required by the 2021 amendment to the HITECH Act (HR 7898). For this reason,...
Can Medical Records be Subpoenaed?
Medical records can be subpoenaed because every type of record can be subpoenaed, so a more relevant question is “how should healthcare providers respond to a subpoena for medical records?” In most states, there are three types of subpoenas – a “witness subpoena” that requires an entity to appear in court to give evidence, a “deposition subpoena” that requires an entity to provide copies of records and/or attend a deposition hearing, and a “subpoena duces tecum” that requires an entity to provide copies of records and/or attend a court hearing. All three types of subpoenas can be used to obtain medical records or to require a healthcare provider to answer questions or testify about a medical record. Although not exclusive to any particular type of case, a witness subpoena will most likely be used in a legal action in which both the patient and the healthcare provider are parties (e.g., a medical negligence claim). The other two types of subpoenas will most commonly involve cases in which the healthcare provider is not a party to a civil or criminal action (e.g., an injury...
HIPAA Compliance for Medical Coding Services
HIPAA compliance for medical coding services requires protecting patient health information while translating clinical documentation into standardized codes, ensuring that access, use, and transmission of PHI are tightly controlled throughout the coding workflow.
How HIPAA Applies to Medical Coding Services
Medical coding companies and independent coders routinely review clinical notes, diagnostic reports, operative summaries, and other records that contain detailed PHI. When coding is performed for a healthcare provider or billing organization, the coding service is typically acting as a HIPAA Business Associate and must comply with the applicable HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule requirements. Compliance is about more than accuracy in coding. It is about safeguarding the underlying patient information at every stage of review, storage, and transmission...