Wachler & Associates, PC | Serving healthcare providers nationwide for over 20 years

 

The Health Lawyers: We Focus on the BUSINESS of Healthcare

HIPAA information website provided by Wachler & Associates, P.C.

Welcome

Our firm writes and speaks regarding Health Insurance Portability and Accountability Act (HIPAA) issues on a national level. We were asked to analyze the HIPAA final privacy rule, the final electronic transaction rule, and the final security rule for The Health Lawyer, a publication of the American Bar Association, which is distributed to over 10,000 healthcare and business attorneys across the nation.
This website contains a compilation of our publications, helpful links, updates, and practical issues related to compliance with the HIPAA regulations.
Our firm has also developed a Workbook/Toolkit to help healthcare providers comply with the Privacy Rule. To order a copy of the Workbook/Toolkit or the Training Video, please click on the following link: Order form
*The following information is set forth for informational purposes only. It is not intended to be legal advice nor should it be interpreted as such.

HIPAA FAQs

What is HIPAA?

HIPAA is a legislative act that was passed in 1996. Among other topics, HIPAA addresses the electronic standardization, security, and privacy of health information.
Who must comply with HIPAA?
These rules generally apply to all healthcare plans, healthcare providers who transmit healthcare information in electronic form (using a standard transaction), and healthcare clearinghouses (including billing companies). These groups are referred to in the regulations as "covered entities."
What kind of information is protected by HIPAA?
"Protected health information" is defined by the Privacy Rule as "individually identifiable health information" that is transmitted electronically, maintained electronically, or transmitted or maintained in any other form or medium. It includes not only paper and electronic records but oral statements as well.
The Security Rule governs "electronic protected health information," and requires covered entities to ensure the confidentiality, integrity, and availability of all protected health information that is created, received, maintained or transmitted by the covered entity in electronic form.
What rights do individuals have under HIPAA?
In general, the HIPAA Privacy Rule gives individuals the right to request a restriction on uses and disclosures of their protected health information. The individual is also provided the right to request confidential communications or that a communication of protected health information be made by alternative means, such as sending correspondence to the individual's office instead of the individual's home.
With limited exceptions, individuals also have the right to inspect and obtain a copy of their own protected health information and to request amendments of their protected health information.
What do healthcare providers and other "covered entities" need to do in order to comply with the HIPAA Privacy Rule?
Examples of the issues that covered entities will need to address in order to comply with the Privacy Rule are: appointment of a privacy officer and contact person to receive complaints, development of consent, notice and authorization forms for patients, development of numerous required privacy policies and procedures, drafting of agreements with all business associates, and training of staff on privacy issues.
What does the HIPAA Security Rule require?
The rule requires covered entities to implement administrative procedures, physical safeguards, and technical security services to guard the integrity, confidentiality, and availability of patient data. The rule also requires covered entities to implement technical security mechanisms to prevent unauthorized access to patient data.
*This information is set forth for informational purposes only. It is not intended to be legal advice nor should it be interpreted as such.


Practical Issues

Privacy Rule - Are you HIPAA compliant?

The deadline for compliance with the HIPAA Privacy Rule was April 14, 2003. Some of the things you should be doing at this point include:

  • Providing a Notice of Privacy Practices to new patients containing all of the elements required by the Privacy Rule.
  • Posting your Notice of Privacy Practices in a prominent location and on your website.
  • Following written policies and procedures that are compliant with the HIPAA Privacy Rule when patients seek to exercise rights under HIPAA.
  • Obtaining authorization from the patients in a form that is compliant with HIPAA for all uses and disclosures that are not related to treatment, payment, or healthcare operations, or subject to one of the designated exceptions.
  • Entering into business associate agreements with individuals or entities that provide services on your behalf involving the use of protected health information.
  • Establishing a system for patient complaints.

Compliance with the Security Rule - where to begin?
In the final Security Rule, published on February 20, 2003, the Department of Health and Human Services ("DHHS") attempted to adopt a scalable and flexible approach to take into consideration the various sizes of organizations affected by the rule.
Because of the flexibility and scalability incorporated into the final Security Rule, covered entities should be cautious when dealing with vendors who market certain products as "required" by the Security Rule. The requirements will vary depending on each covered entity's situation, as identified by the covered entity's "risk analysis". Covered entities may want to consult with healthcare attorneys versed in the Security Rule requirements before making any major purchases.
The core structure of the Security Rule consists of eighteen standards, which are broken down into three basic categories: administrative safeguards, physical safeguards, and technical safeguards. Each standard also has certain "implementation specifications" that serve as the "instructions" for compliance. Thirteen of the implementation specifications are required, while the remaining specifications are "addressable".
If an implementation specification is required, the organization must implement the specification as set forth in the Rule. For those specifications that are "addressable", the organization may implement an alternative specification instead of, or in combination with, the specification set forth in the Rule. If an alternative approach is taken, the covered entity must document its decision not to implement the Security Rule's specification, the rationale behind the decision, and the alternative approach that it has chosen.
In determining which specific technologies and security measures must be taken in order to meet the standards, an organization is permitted to take into account: its size, complexity, and capabilities; the costs of security measures; and the probability and criticality of potential risks to electronic protected health information.
In some situations, the covered entity may also decide that the implementation specification is inapplicable to its situation and that the standard may be met without the specification or an alternative. In these situations, the covered entity must document its decision not to implement the specification, the rationale behind that decision, and the manner in which the standard is being met.
The key to making appropriate determinations regarding the specific technologies and security measures to be implemented within any given organization is to conduct and document a thorough "risk analysis" of the organization. The risk analysis is one of the required implementation specifications of the security management process standard, which is considered by DHHS to be the foundation for the Security Rule.
In conducting a "risk analysis", covered entities must identify the risks and vulnerabilities of their electronic protected health information. This will require covered entities to take into account all "relevant losses" that would be expected if security measures were not in place, including losses that would be caused by unauthorized uses and disclosures and loss of data integrity.
In order to conduct a thorough and useful risk analysis, covered entities - regardless of size - should, at a minimum, do the following:

  • Identify all systems that house electronic protected health information or are used to transmit electronic protected health information (for example, include data repositories, electronic medical record systems, and e-mail systems that are used to maintain or transmit electronic protected health information).
  • Identify any known or possible threats to the information, including natural and human threats, and determine the probability of each of these threats (for example, include natural disasters such as floods, environmental threats such as water pipe breaks or electrical fires, and human threats such as disgruntled employees or hackers).
  • Determine how vulnerable each system is to each identifiable threat, including any known or anticipated weaknesses of the system (for example, look at any past problems with the system that involved security breaches or loss of data, as well as any future potential problems that have been identified by IT personnel or vendors).
  • Identify the impact that the loss of information or the unauthorized use or disclosure of information would have on the organization (for example, how would daily functions of the organization and patient privacy be impacted by a loss of data or unauthorized access to the data).

Once the risk analysis has been completed, the organization will be in a better position to analyze which of the "addressable" specifications must be implemented and the specific technologies that will be required, taking into account the identified risks and vulnerabilities, as well as such factors as the size and resources of the covered entity.
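As an added illustration (example code, not material from the firm or from the Security Rule itself), the following Python models the four risk-analysis steps above as a scored risk register, and models the documentation duties described earlier for required versus "addressable" implementation specifications. The 1-to-5 scales, the likelihood x vulnerability x impact scoring, the "risk analysis" and "encryption and decryption" specification names used as samples, and the sample systems and threats are all assumptions constructed for this example.

```python
"""Constructed risk-register example for a HIPAA Security Rule risk analysis.

Models the four steps (systems, threats and their probability, per-system
vulnerability, impact) as a scored register, plus the documentation record a
covered entity keeps for each implementation specification. Scales, scoring
formula and sample data are assumptions made for this example.
"""
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class Risk:
    """One (system, threat) pair from the risk analysis."""
    system: str
    threat: str
    likelihood: int     # probability the threat occurs: 1 (rare) .. 5 (expected)
    vulnerability: int  # how exposed this system is to it: 1 (hardened) .. 5 (open)
    impact: int         # effect on operations and patient privacy: 1 (minor) .. 5 (severe)

    def __post_init__(self):
        for name in ("likelihood", "vulnerability", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be between 1 and 5")

    @property
    def score(self) -> int:
        # Assumed scoring: a multiplicative scale so that a likely, exposed,
        # high-impact pairing rises well above the others.
        return self.likelihood * self.vulnerability * self.impact


def rank_risks(risks):
    """Highest-scoring risks first; ties broken by name for stable output."""
    return sorted(risks, key=lambda r: (-r.score, r.system, r.threat))


class Decision(Enum):
    IMPLEMENT = "implement"            # specification implemented as written
    ALTERNATIVE = "alternative"        # addressable spec replaced or combined with an alternative
    NOT_APPLICABLE = "not_applicable"  # addressable spec judged inapplicable to the entity


@dataclass
class SpecDecision:
    """Record of how a covered entity handled one implementation specification."""
    specification: str
    required: bool
    decision: Decision
    rationale: str = ""
    alternative: str = ""
    how_standard_met: str = ""


def documentation_gaps(d: SpecDecision) -> list:
    """Return what the record is missing under the Rule's documentation duties."""
    gaps = []
    if d.required and d.decision is not Decision.IMPLEMENT:
        gaps.append("required specification must be implemented as set forth in the Rule")
    if d.decision is Decision.ALTERNATIVE:
        if not d.rationale:
            gaps.append("rationale for not implementing the specification")
        if not d.alternative:
            gaps.append("description of the alternative approach chosen")
    if d.decision is Decision.NOT_APPLICABLE:
        if not d.rationale:
            gaps.append("rationale for finding the specification inapplicable")
        if not d.how_standard_met:
            gaps.append("how the standard is met without the specification")
    return gaps


# Constructed sample register; systems and threats follow the examples in the text.
SAMPLE_RISKS = [
    Risk("EMR server", "hacker / external intrusion", likelihood=4, vulnerability=3, impact=5),
    Risk("EMR server", "electrical fire", likelihood=1, vulnerability=4, impact=5),
    Risk("e-mail system", "disgruntled employee", likelihood=3, vulnerability=4, impact=4),
    Risk("billing data repository", "water pipe break", likelihood=2, vulnerability=2, impact=3),
]


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.score:3d}  {r.system:25s} {r.threat}")
    # An addressable specification handled by an alternative but left undocumented:
    rec = SpecDecision("encryption and decryption", required=False, decision=Decision.ALTERNATIVE)
    print(documentation_gaps(rec))
```

The ranked register is the input to the decision step: the highest-scoring pairings are the ones that drive which addressable specifications get implemented, and `documentation_gaps` flags any decision record that would not survive the Rule's documentation requirements (a required specification marked anything other than implemented, or an alternative or inapplicability finding with no written rationale).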


Helpful Links:

Department of Health and Human Services Administrative Simplification Site: Provides links to text of the HIPAA statute, privacy and electronic transaction rules, the proposed security rule, instructions for subscribing to the HIPAA regulatory website, and links to other HIPAA related sites.
http://aspe.hhs.gov/admnsimp/
Department of Health and Human Services, Office for Civil Rights: The Office for Civil Rights is charged with enforcing the civil penalties under HIPAA.  The OCR HIPAA Page provides links to the final security rule and frequently asked questions.
http://www.cms.hhs.gov/hipaa/hipaa2


Publications

For publications on other healthcare law topics, please visit Wachler & Associates, P.C.'s Publications page.


Past Speaking Engagements:

  • Operationalizing HIPAA Privacy and Security, Society for Pain Practice Management, 2005
  • December 4-5, 2003: Andrew Wachler presented on HIPAA for United Communications Group in Las Vegas, NV.
  • May 5, 2004: the firm presented a HIPAA Security seminar to the Federated Ambulatory Surgery Association (FASA).
  • October 1-3, 2003: Abby Pendleton presented a conference on HIPAA to the United Communication Group in Washington D.C.
  • June 13, 2003: Mr. Wachler presented on HIPAA Privacy Liability Issues & Security to the ABA/AMA Physician Law Conference in Chicago.
  • April 11, 2003: Ms. Fehn presented on "Communicating with Patients With HIPAA in Mind" for United Communications Group in Boston.
  • May 2003: Mr. Wachler and Ms. Pendleton presented a HIPAA implementation workshop for the Federated Ambulatory Surgery Association (FASA) in Boston.
  • May 2003: Ms. Pendleton presented on HIPAA at the AAA section of the Medical Group Management Association in Montreal.
  • July 24, 2002: Ms. Pendleton and Ms. Fehn presented a HIPAA Seminar for the American Orthotic and Prosthetic Association (AOPA) in Las Vegas.
  • July 18-19, 2002: Mr. Wachler, Ms. Pendleton and Ms. Fehn presented a two day seminar/workshop on HIPAA for the Federated Ambulatory Surgery Association (FASA) in Chicago.
  • May/June 2002: Mr. Wachler, Ms. Pendleton and Ms. Fehn presented nine seminars throughout the state of Michigan on HIPAA compliance for the Michigan Osteopathic Association.
  • June 28, 2002: Mr. Wachler, Ms. Pendleton and Ms. Fehn presented a HIPAA seminar to the Michigan Orthotic and Prosthetic Association. 
  • May 4, 2002: Ms. Pendleton and Ms. Fehn presented a HIPAA seminar to the American Orthotics and Prosthetics Association in Boston.
  • April 24-25, 2002: Ms. Pendleton presented on HIPAA at United Communication Group's Pain Conference in Washington, D.C.  This Pain Conference was also held on October 7-9, 2002 in Chicago.
  • April 6-7: Mr. Wachler presented on HIPAA to the American Gastroenterological Association in Philadelphia.
  • February 26, 2002: Mr. Wachler presented on HIPAA to the Federated Ambulatory Surgery Association (FASA) in Washington, D.C.
  • January 30 - February 1, 2002: Mr. Wachler and Ms. Pendleton presented at United Communication Group's Pain Conference in Arizona on compliance and HIPAA for the pain management physician.
  • On December 7, 2001: presented an all-day seminar entitled "HIPAA - Administrative Simplification: A Practical Approach" in Lansing, Michigan.
  • December 3-5, 2001: Mr. Wachler spoke on HIPAA, Stark and other regulatory concerns at the 16th Annual Management and Leadership Conference sponsored by the National Hospice and Palliative Care Organization in Washington D.C.
  • November 17, 2001: Mr. Wachler presented on HIPAA at the Michigan Osteopathic Association's "HIPAA Update and Educational Seminar" in Lansing, Michigan.
  • On November 9, 2001: Mr. Wachler presented on HIPAA and Stark at a seminar for the Radiology Business Management Association, Michigan Chapter, in Lansing, Michigan.
  • August 22, 2001 - Okemos, MI: Mr. Wachler and Ms. Pendleton jointly conducted a workshop on the recent Health Insurance Portability and Accountability Act (HIPAA) regulations to the durable medical equipment (DME) members of the Michigan Home Health Association.
