Frequently Asked Questions (FAQs)

What is considered Protected Health Information (PHI)?

 

Protected Health Information (PHI) includes any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or its business associates. This information may include demographic data, medical history, test results, insurance information, and other data that can be used to identify an individual's health status or provision of healthcare services. PHI is subject to strict privacy and security regulations under HIPAA.

 

​

How often should HIPAA training be conducted?

 

HIPAA training should be conducted regularly to ensure that employees remain informed about their responsibilities and obligations under the HIPAA Privacy and Security Rules. While the HIPAA regulations do not specify a specific frequency for training, it is recommended that training sessions be held periodically, such as annually or biannually, and whenever significant changes occur to the HIPAA regulations or organizational policies.

 

​

What are the consequences of HIPAA non-compliance?

 

Non-compliance with HIPAA regulations can result in severe consequences for healthcare organizations, including financial penalties, reputational damage, and legal liability. The Department of Health and Human Services' Office for Civil Rights (OCR) is responsible for enforcing HIPAA regulations and may impose civil monetary penalties for violations. In addition to monetary fines, organizations may also face corrective action plans, audits, and increased oversight from regulatory authorities.

 

​

How can I ensure the security of electronic Protected Health Information (ePHI)?

 

Protecting electronic Protected Health Information (ePHI) requires implementing robust security measures to safeguard data against unauthorized access, disclosure, and breaches. This includes measures such as encryption of data at rest and in transit, access controls to limit who can access ePHI, regular security assessments and audits, employee training on cybersecurity best practices, and the implementation of policies and procedures to govern the use and transmission of ePHI. Additionally, healthcare organizations should ensure compliance with the HIPAA Security Rule requirements for the protection of ePHI.

 

​

Is HIPAA about privacy or security?

 

HIPAA covers both privacy and security aspects. Approximately 40% of the regulations focus on privacy issues, while the remaining 60% are dedicated to security measures. This balanced approach ensures that robust security measures are in place to protect individual privacy effectively.

 

​

We run on an old IT system - is that okay?

 

Operating on an outdated IT system poses a higher risk of security breaches and intrusions. It's essential to prioritize security by applying available patches promptly. Additionally, plans to update outdated IT systems, as financial resources allow, should be considered to mitigate risks effectively.

 

​

What can we post on social media?

 

Clear guidelines regarding acceptable social media usage should be established in documented policies and procedures. Caution should be exercised, as social media platforms pose various risks to privacy and confidentiality. It's crucial to obtain signed permissions for specified official uses of social media and to remain vigilant about protecting sensitive information.

 

​

Can I share PHI with other health providers?

 

Yes, you may share Protected Health Information (PHI) with other healthcare providers under certain conditions. It is permissible if the provider is a healthcare professional or clinician bound by HIPAA regulations, and there exists a past or present relationship with the individual whose information is being shared. Moreover, the disclosed information should be relevant to the treatment relationship, and only the minimum necessary information should be shared to facilitate treatment.