Categories
State Versus Federal Law
What is HIPAA?
What should a practice do to implement HIPAA provisions?
What is a Privacy Notice?
What has to be in a Notice of Privacy Practices (NPP)?
Once I get this Privacy Notice written, what do I do with it?
What if I forget to give the Privacy Notice to a patient when he/she comes in?
Can a patient ask to have their health related communications handled in a confidential manner?
Authorization (any authorization from a patient to use or disclose their PHI), and authorization is not necessary for anything related to treatment, payment or healthcare operations.
What is the requirement for an authorization?
Are there specific elements that must be in an authorization to make it valid?
Is there a requirement about language?
Can an authorization be verbal?
Can we accept a copy of an authorization instead of the original?
Is there a requirement to verify the identity of the individual signing the authorization?
Are there any special requirements to revoke an authorization?
Are there special requirements for authorization for research purposes?
Is there any easier way to obtain authorization for research purposes?
Are there any exceptions to the requirement for an authorization for disclosure for marketing purposes?
Under HIPAA, can patients change their medical records?
Can the practice deny the request to amend the record?
Is there any time limitation for response to a request to amend a record?
Are there requirements if a request to amend a record is approved?
Under what circumstances can I use and disclose protected health information (PHI) without authorization?
Do I have to tell a patient that I have disclosed his/her protected health information (PHI) without authorization?
What if a patient asks for frequent accounts of disclosure?
Can a patient restrict the use or disclosure of his/her protected health information (PHI)?
Do the doctors have to allow patients to read their own charts?
Are there any exceptions to the provisions allowing patients to read their own charts?
Can the doctors deny patients access to their charts?
Does the patient have the right to appeal a denial?
Are there exceptions to the right to appeal a denial?
If access is denied, are there any other requirements to be met by the practice?
Can a summary of the information instead of the complete record be provided and meet the access requirement?
Can I charge patients for copies of their health care record?
Can I provide access to information from another health care provider that is part of my health care record?
Are we required to have a formal privacy complaint process related to privacy issues?
Are there specific requirements about notification?
Do I have to keep a record of complaints?
Can the individual elect to complain to the Regional Office for Civil Rights, US Department of Health and Human Services (HHS) without first complaining to me, as the practice?
What could happen if the Regional Office for Civil Rights, US Department of Health and Human Services (HHS) found the complaint to substantiate a violation?
What is the intent or purpose of the privacy official?
What steps or activities should the privacy official take to assure compliance?
What if information is misused or improperly released?
What qualifications and responsibilities should a privacy official’s job description contain?
What is the intent of the minimum necessary requirement?
Are there exceptions to the minimum necessary requirement?
What is the significance (within the minimum necessary standard) of an individual authorizing release of protected health information (PHI)?
Can information be released for continuity of care concerns to another provider without an individual authorizing release of protected health information (PHI)?
Psychotherapy Notes (not relevant most of the time, but in case you have these records in your possession for some reason, you need this information)
What about an individual authorizing release of protected health information (PHI) that includes psychotherapy notes?
What about releasing protected health information (PHI) not made in a routine and recurring manner?
What is the intent of business associate agreements?
Who qualifies as a business associate?
What types of functions do business associates typically perform?
Who doesn’t qualify as a business associate?
What about when information is shared for treatment purposes?
Do I need a business associate agreement for my cleaning service?
Since I already have an attorney-client relationship with counsel, do I need a business associate agreement?
What about organizations that act merely as a conduit of protected health information (PHI)?
What is the requirement for the return or destruction of protected health information (PHI)?
What are the requirements for training my staff and who needs to be trained?
What does my staff need to know about HIPAA?
How do I prove training took place?
Three categories that the security standards
Required and Addressable
Security Incident Procedures
What is HIPAA Security?
What is the HIPAA Security compliance date?
Who must comply?
Why HIPAA Security?
What is the difference between the HIPAA Privacy and the HIPAA Security Rules?
What is a covered entity?
How is it determined that the specification is reasonable and appropriate?
What does “Implementation Specifications” mean? (Sometimes referred to in this manual as “specifications”.)
What is the minimum process that is required of covered entities?
What does “flexible and scalable standards” mean?
What does “technology neutral standards” mean?
What are the implementation specifications in the Security Management Process?
What is the importance of Risk Analysis and Risk Management?
What is system vulnerability?
What is the importance of an information system activity review?
How do I determine what level of access is required for each person in the clinic?
Are workforce clearance procedures required?
What should I look for in putting together termination procedures?
How do I ensure access is restricted within my clinic?
What must be included in security awareness and training?
What are my responsibilities in protecting health information from malicious software?
What is the purpose of the Log-In Monitoring specification?
Do I need a procedure for changing passwords on my computer?
What are the contingency plan standards?
What is required for a data backup plan?
What is required for a disaster recovery plan?
What is required of an emergency mode operation plan?
What is required of testing and revision procedures?
What is required of an application and data criticality analysis?
What does it mean that facility access controls are addressable?
What are the implementation specifications of Facility Access Controls?
What does “contingency operations” mean?
What does “facility security plan” mean?
What does “workstation use” mean?
Does “workstation” apply to the workstation I use at home?
What are the implementation specifications for Device and Media Controls?
What is my main concern with disposing of electronic media?
What does “media re-use” mean?
What is required for data backup and storage?
What implementation specifications are associated with the Access Control standard?
Am I required to have a unique user identification specified for each user of my computer system?
Am I required to establish emergency access procedures?
Am I required to have automatic log off that terminates a session after a predetermined time of inactivity?
What does it mean to protect the integrity of protected health information?
What is the penalty for not complying with the HIPAA Security Rule?
What is the most important thing I should do to start protecting electronic protected health information?