HIPAA Final Rule

Security Matters

A guide to protecting patient data and ensuring health information security

The HIPAA final rule aims to increase patient privacy and secure health data. Learn how to ensure full compliance in your practice.

Exclusively for members, the AOA has published two comprehensive guides focused on HIPAA privacy and security rules, complete with step-by-step instructions for bringing your practice into compliance.


Does the AOA provide guidance on HIPAA compliance?

Yes. The AOA has published two comprehensive guides available exclusively to AOA members. The guides focus on the HIPAA privacy and security rules and provide step-by-step instructions on how to bring your practice into compliance.

Do I need a business associate agreement with pharmacies that fill my prescriptions?

No. If you are communicating with covered entities regarding payment or treatment, they are not considered business associates (BAs). They are simply covered directly by the HIPAA rules for covered entities.

Is an EHR vendor considered a BA requiring a BA agreement?

If you have a cloud-based EHR or an EHR on your office computer, but an external company uses the EHR in a way that gives it access to PHI, then that company is absolutely a business associate and you need to have a BA agreement with it. Ensure that all agreements are in place and up to date, because business associates are also directly liable under HIPAA.

Is an answering service a BA?

Yes, the answering service is granted access to PHI when patients disclose medical concerns that prompt them to call.

Do medical practices need a BA agreement with their janitor or cleaning service?

Business associate agreements are only required for third parties who are not employees of the medical practice but perform a function on behalf of the practice that requires the use of patients’ PHI. Cleaning personnel do not need access to PHI in order to clean the medical practice. Practices must implement administrative, technical and physical safeguards to protect PHI; therefore, the practice’s policies should work to prevent such exposures (e.g., appropriate document destruction, locked file cabinets, secured computers, etc.).

How many days does a business associate have to notify a covered entity of a breach?

It depends on your BA agreement and whether the BA is your agent or an independent contractor. If the BA is your agent, you should be alerted to a breach at the same time as the BA. If the BA is an independent contractor, the BA must follow the timeframe specified in the BA agreement. The timeframe to be notified by your contractor should always be considered when drafting the agreement.

How should a physician obtain consent from elderly patients who may not be able to make decisions for themselves and don’t have a caregiver with them?

Try to contact relatives (e.g., spouses, children) or a caretaker to confirm consent, particularly for a course of treatment. This issue is not limited to HIPAA concerns: once a person can no longer appoint a decision maker, the situation becomes complicated for the patient, their loved ones and the physician.

Is a signed request required to obtain immunization records from another health care facility?

When in doubt, obtain a signed HIPAA-compliant authorization form to eliminate any ambiguity. If the school asks you to provide information about the child’s immunization, you do not need formal written authorization, but should document that you provided the information.

According to state laws, physicians must provide insurance companies with requested patient records within 14 days. What should a physician do if the patient doesn’t want the record sent and has paid cash?

Under the new HIPAA rule, if the patient has paid cash and does not want their information shared with their health insurer, you do not have to provide that patient’s information.

What if a patient pays cash for certain visits but used insurance for other visits? Does a physician pick and choose what their office sends?

As soon as you provide a covered service and submit a bill to the health plan, this information is included in the medical record and all rules applicable to the health plan apply. For example, a patient may ask to pay for a particular test out of pocket and request that you not communicate about it. But if the patient requires further treatment following the test, the patient may decide they can’t afford to pay out of pocket, and subsequent treatments are billed to the health plan. Those records will disclose the fact that the original test was performed, even though the patient elected not to inform the insurer. You may want to discuss this with your patients at such decision points.

Can patients change their minds about releasing all records including all cash services at any time?

Yes, patients can maintain confidential records and then change their minds. For instance, a patient may say “I’ve moved and I’m getting a new doctor and I want your practice to send all my records to that office.” You are obligated to fulfill the patient’s request.

Our office policy states that patients are not obligated to buy products in the office. If we sell supplements for a profit, is this considered marketing?

Although patients can provide their written authorization to receive information and material marketed to them, discussions and subsequent recommendations about such products may be considered marketing.

If a physician speaks in promotional programs for pharmaceutical companies, is that considered marketing? If so, do their patients need to acknowledge, in writing, that they understand the physician is recommending a treatment he/she has previously promoted?

Under the rule, face-to-face communications are protected as well as discussions about prescription drugs that you are recommending, but only to the extent that you do not receive a profit from that patient’s prescription. Physicians should talk to the pharmaceutical company to clarify whether promotional discussions for prescriptions affect individual discussions with their patients. The pharmaceutical company from whom you’re receiving those funds should absolutely give you a definitive legal opinion on the impact to your personal practice.

Are there any specific guidelines for using paper shredders to protect PHI?

Cross-cut shredders are recommended. Under the law, you must ensure your PHI has been completely destroyed. If shredded information can be pieced back together to view the original document, the shredder is not adequate and it is far better to use a cross-cut shredder.

How does the rule apply to overseas dictation services and the internet transfer of audio files?

Overseas transcription is a very significant issue and presents many problems of its own. A standard email transmission is not secure because the message is unprotected in transit: hackers can access the system, or information can be accidentally sent to the wrong recipient. Also, you are not able to enforce protections if information is breached overseas. Physicians must weigh the value of the service against the penalties and associated risks.

If coding staff occasionally takes home records to complete and that information is misplaced, is that willful neglect?

Yes. You have an obligation to shut down processes that you know are problematic. If you can’t manage a process for taking records home for coding that will reduce the likelihood of a breach to zero or close to zero, you probably should not continue to allow staff to take records home.

If a practice’s contract with a new EHR company specifies they can "scrub and use" information gathered from the patient portal, is this allowed?

EHR vendors cannot sell or de-identify medical information without an agreement with the practice. Extensive rules specify how a company might “scrub and use data.” You should clarify how the EHR vendor interprets this clause and verify whether their proposal complies with the HIPAA rule.

Can practices be penalized for a logistical delay in transferring records if the records are lost or misplaced?

Yes. If you miss the deadline, you’re liable whether or not you knew about it; even if there was nothing you could do about it, you’re still held responsible. The law also states that if you were negligent and fixed the problem within 30 days, you won’t face a civil monetary penalty. You need to do everything in your power to transfer records in a timely fashion; otherwise, you should rectify the delay within 30 days.