HIPAA FAQ

General

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 that establishes national standards for protecting the privacy and security of individuals' health information. It applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates.

Who must comply with HIPAA?

Three categories of organisation must comply: covered entities (healthcare providers, health plans, and clearinghouses), business associates (vendors who handle PHI on behalf of covered entities), and subcontractors of business associates.

Is there a HIPAA certification?

No. There is no officially recognised HIPAA certification programme. Compliance is self-assessed through risk analyses, policy implementation, and ongoing monitoring. Third-party audits can demonstrate due diligence but do not constitute official certification.

What is the difference between HIPAA and HITECH?

HIPAA is the foundational law. The HITECH Act of 2009 strengthened HIPAA by extending requirements to business associates, establishing the Breach Notification Rule, increasing penalties, and promoting the adoption of electronic health records.

Protected Health Information

What counts as PHI?

Any individually identifiable health information — information that can be used to identify a specific person and relates to their health condition, treatment, or payment. HIPAA defines 18 specific identifiers, including names, dates, Social Security numbers, email addresses, and biometric data.

Is an IP address considered PHI?

Yes, when it is associated with health information. If a patient visits a healthcare website and their IP address is logged alongside health-related pages they viewed, that IP address becomes PHI.

Are email addresses PHI?

Yes, when they are associated with health information. A patient's email address in your billing system or health records is PHI. A general newsletter mailing list where no health information is linked is not.

Is de-identified data still PHI?

No. Data that has been properly de-identified using the HIPAA Safe Harbor method (removal of all 18 identifiers) or Expert Determination method is no longer considered PHI and is not subject to HIPAA restrictions.
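The Safe Harbor method described above is mechanical enough to automate for structured records. The following is an added illustration, not code from this FAQ's author: it drops the direct identifiers, keeps only the year of dates, reduces ZIP codes to three digits (or "000" for sparsely populated prefixes), collapses ages over 89 into a "90+" bucket, and scrubs identifier-like strings out of free-text fields. The field names, the sample record, and the sparse-ZIP set are constructed assumptions; map your own schema onto the identifier categories and derive the ZIP set from current Census data.

```python
"""Safe Harbor-style de-identification of a patient record.

Added illustration for the FAQ's de-identification answer; it is not code
from the FAQ's author. Field names, the sample record and the sparse-ZIP
set are constructed assumptions for the example.
"""
import re
from datetime import date

# Safe Harbor direct identifiers dropped outright. Field names are assumed.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}

# Date-bearing fields: Safe Harbor keeps only the year.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes covering fewer than 20,000 people become "000".
# Assumed sample set; the real list comes from Census population data.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790"}

# Identifier-like substrings in narrative fields. A pattern set reduces
# leakage but does not replace human review of free text.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\b(?:\d{3}[-.\s])?\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
]


def generalize_zip(zipcode: str) -> str:
    """Keep the first three digits unless that prefix is sparsely populated."""
    prefix = zipcode.strip()[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def age_category(dob: date, today: date) -> str:
    """Ages over 89 collapse into a single '90+' bucket under Safe Harbor."""
    years = age_on(dob, today)
    return "90+" if years > 89 else str(years)


def scrub_text(text: str) -> str:
    """Replace identifier-like substrings in free text with placeholder tokens."""
    for pattern, token in TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record: dict, today: date) -> dict:
    """Return a new record with Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped outright
        if key in DATE_FIELDS:
            out[key + "_year"] = str(date.fromisoformat(value).year)
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
            continue
        # Any remaining string may still carry identifiers in narrative form.
        out[key] = scrub_text(value) if isinstance(value, str) else value
    if "dob" in record:
        out["age"] = age_category(date.fromisoformat(record["dob"]), today)
    return out


# Constructed sample record; every value is made up for the example.
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "mrn": "MRN-00012345",
    "email": "jane@example.org",
    "ip_address": "203.0.113.7",
    "dob": "1932-04-15",
    "admission_date": "2024-02-29",
    "zip": "03601",
    "diagnosis_code": "E11.9",
    "notes": "Reached at 555-0142, SSN 123-45-6789, emailed jane@example.org.",
}


def demo(today_iso: str = "2024-06-01") -> dict:
    """De-identify the constructed sample as of a fixed date."""
    return deidentify(SAMPLE_RECORD, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

Note that the output keeps the diagnosis code and the scrubbed narrative, which is the point of Safe Harbor: analytic value survives while the 18 identifier categories do not. The regex pass on free text is a backstop, not a guarantee; narrative fields are where de-identification most often fails in practice, and Expert Determination may be the better route when such fields matter.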

Compliance Requirements

How often should we conduct a risk analysis?

At minimum, annually. You should also conduct a new risk analysis whenever there are significant changes to your systems, operations, or environment — such as implementing a new EHR, moving to cloud hosting, or opening a new location.

What is the minimum necessary standard?

The principle that covered entities should use, disclose, or request only the minimum amount of PHI necessary to accomplish the intended purpose. Not every workforce member needs access to every patient's complete record.

Do we need a BAA with our email provider?

If your email service transmits or stores PHI — for example, if patients send health information to your practice via email — then yes, you need a BAA with that provider.

How long must we retain HIPAA documentation?

HIPAA requires retention of policies, procedures, and related documentation for six years from the date of creation or the date when the document was last in effect, whichever is later.

Breach Notification

What qualifies as a breach?

A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the information.

How quickly must we notify individuals of a breach?

Without unreasonable delay and no later than 60 calendar days from the date the breach was discovered.

When must we notify HHS?

For breaches affecting fewer than 500 individuals, submit notification to HHS annually. For breaches affecting 500 or more individuals, notify HHS within 60 days of discovery.

When must we notify the media?

If a breach affects 500 or more individuals in a single state or jurisdiction, the covered entity must notify prominent media outlets serving that state or jurisdiction.

Penalties

What are the penalty tiers?

HIPAA has four civil penalty tiers based on culpability: unknowing ($145–$36,506 per violation), reasonable cause ($1,460–$51,107), willful neglect corrected ($14,602–$73,011), and willful neglect not corrected ($14,602–$2,190,294). Annual caps range from $1.5 to $2.2 million per violation category.

Can individuals be personally fined?

Yes. Criminal penalties can apply to individuals who knowingly violate HIPAA, with fines up to $250,000 and imprisonment up to ten years for violations committed for personal gain or malicious harm.

Can patients sue for HIPAA violations?

There is no private right of action under HIPAA — patients cannot sue directly for HIPAA violations in federal court. However, they can file complaints with OCR, and HIPAA violations can be used as evidence of negligence in state court lawsuits.

Training

How often must employees receive HIPAA training?

HIPAA requires periodic training. Best practice is annual refresher training for all workforce members, with additional training when policies change or security incidents occur.

What should HIPAA training cover?

At minimum: privacy and security rule basics, your organisation's specific policies, how to identify and report potential breaches, proper handling of PHI, and current security threats such as phishing and social engineering.

Do volunteers need HIPAA training?

Yes. HIPAA defines the workforce to include employees, volunteers, trainees, and anyone under the direct control of the covered entity — regardless of whether they are paid.