HIPAA consists of a complex set of rules and regulations that can be difficult to understand when you’re not a regulatory lawyer. Since HIPAA has been updated several times since the initial law went into effect in 1996, many professionals are still asking some of the most basic questions. We at Telehealth.org, therefore, provide answers to several basic HIPAA questions in our HIPAA FAQs below.
HIPAA FAQs: Understanding Basic HIPAA Requirements
Several questions are frequently asked about HIPAA. HIPAA FAQs generally relate to what HIPAA is, how it applies to different healthcare organizations, and how to comply with its standards.
What Are the Basic HIPAA Rules?
There are three basic HIPAA rules: the Privacy, Security, and Breach Notification Rules.
- Privacy Rule: Dictates the proper uses and disclosures of protected health information (PHI).
- Security Rule: Requires the confidentiality, integrity, and availability of PHI.
- Breach Notification Rule: Requires PHI breaches to be reported to affected patients, the Department of Health and Human Services (HHS), and for larger breaches, the media.
How Does HIPAA Apply to Behavioral Health Providers?
Behavioral health providers are considered covered entities under HIPAA. As a HIPAA-covered entity, behavioral health providers must comply with all of the standards set forth by the HIPAA Privacy, Security, and Breach Notification Rules. It is important to note that technology vendors are not covered entities, and there are able to sell you technology that doesn’t meet the needed requirements. For a list of basic HIPAA questions to ask any video company, see the Telehealth.org report, called, Videoconferencing Checklist: 30 Questions to Ask Each of Your Potential Video Vendors.
For example, when sending email through Gmail, either as the sender or the recipient, you need to buy the paid version of Gmail, which is known as Gsuite. See this Telehealth.org article entitled, HIPAA Compliance with a Google BAA for details.
How Do Professionals Become HIPAA Compliant?
To become HIPAA compliant, certain requirements must be met. These include:
- Conducting annual self-audits
- Remediating compliance gaps
- Implementing HIPAA Privacy, Security, and Breach Notification policies and procedures
- Conducting employee HIPAA training
- Signing business associate agreements
- Implementing an incident response strategy
What Is a HIPAA Risk Assessment?
A HIPAA risk assessment, also known as a security risk analysis, enables you to assess the risks and vulnerabilities in their security protections regarding electronically protected health information. The HIPAA Security Rule requires organizations to conduct a risk assessment annually to account for any changes in business practices. By conducting a risk assessment, gaps in compliance are identified. To be HIPAA compliant, these compliance gaps must be addressed with remediation efforts.
What Is a Business Associate and a Business Associate Agreement?
Business associates are entities that create, receive, store, transmit, or maintain PHI on behalf of their covered entity clients. Some examples of business associates include billing services, electronic health record providers, and software providers. As a covered entity the healthcare professionals in the United States are mandated by HIPAA to only buy their technology from vendors who offer business associate agreements (BAA)
Who Needs a Business Associate Agreement?
A business associate agreement (BAA) is a legal document that must be signed between covered entities and their business associates. BAAs must be signed before PHI may be shared with business associate vendors. A BAA limits the liability of both signing parties as they require each to be HIPAA compliant and be responsible for maintaining their compliance.
What Are Basic HIPAA Training Requirements?
HIPAA requires all employees that have the potential to access PHI to be trained. Training must include an overview of HIPAA, cybersecurity best practices, and their organization’s internal HIPAA policies and procedures. To comply with HIPAA standards, employees must be trained upon hire and retrained annually thereafter.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!
Basic Telehealth Legal Issues: Rules, Regulations & Risk Management
Whether you are practicing telemedicine, telehealth, or teletherapy, this course is essential to understanding the how and why of legal telepractice today. Must-know definitions, concepts, and their applications to common telepractice situations are offered to identify common dilemmas and their solutions. Relevant rules, regulations, and risk management strategies are put in context so you understand how regulatory systems are wired, and to give you a sense of where to go to ask which question. For example, differences between clinical guidelines security guidelines are explained so that you can attend to each as needed. Key telehealth issues are reviewed, including inter-jurisdictional practice; psychotherapy note-taking; email; text-messaging, security and privacy laws (HIPAA, PIPEDA, other privacy laws for vulnerable populations such as children); testimonials; and considerations for purchasing malpractice insurance. How and when to hire an attorney for your telepractice is also reviewed in detail.
PLEASE NOTE: the Telebehavioral Health Institute (TBHI) has recently been rebranded and is now known as Telehealth.org
TO COMMENT OR ASK QUESTIONS: Please go to our Twitter page: Telehealth.org