HIPAA Compliance, an In-depth Overview

There are four HIPAA rules anyone working with ePHI should know about.  They are:

1. HIPAA Privacy Rule
2. HIPAA Security Rule
3. HIPAA Enforcement Rule
4. HIPAA Breach Notification Rule

The HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

For reference:

Business Associates, like SecureVideo, are directly liable for uses and disclosures of ePHI that are not permitted by their BAA or by the Privacy Rule itself.

The Privacy Rule requires a Business Associate to do the following:

1. Not use or disclose ePHI in any way the BAA or the Privacy Rule does not permit.
2. Provide breach notification to the Covered Entity.
3. Provide either the individual or the Covered Entity with access to ePHI.
4. Disclose ePHI to the Secretary of Health and Human Services when required to do so.
5. Provide an accounting of disclosures.

HIPAA Security Rule

HIPAA established the Security Rule to ensure that all covered entities have implemented safeguards to protect the confidentiality, integrity, and availability of ePHI.

There are two types of implementation specifications: “required” and “addressable.”  Wherever the Security Rule reads “required,” that specification must be implemented as written.  Where it says “addressable,” you must assess whether the specification is reasonable and appropriate in your environment; if it is, implement it, and if it is not, document why and implement an equivalent alternative measure where one is reasonable.  “Addressable” gives you some wiggle room in how you comply, not permission to skip the standard.

The HIPAA Security Rule is by far the meatiest.  We’ve devoted a whole article to this rule in a previous blog post.  You can find a quick link to the article here.

HIPAA Enforcement Rule

HHS’ Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. Since 2003, OCR’s enforcement activities have obtained significant results that have improved the privacy practices of covered entities. The corrective action OCR has obtained from covered entities has resulted in systemic change that has improved the privacy protection of health information for all the individuals they serve. HIPAA covered entities were required to comply with the Security Rule beginning on April 20, 2005. OCR became responsible for enforcing the Security Rule on July 27, 2009.

For reference:

OCR enforces the Privacy and Security Rules in a few different ways:

1. Investigating filed complaints
2. Conducting compliance reviews
3. Performing outreach and education to encourage compliance with HIPAA requirements

HIPAA violations are costly, ranging from $100 to $50,000 per violation, with a maximum of $1.5 million per year for violations of the same provision (these are the base amounts, which HHS now adjusts annually for inflation). Criminal violations can also carry fines and prison time.

Penalties are steeper when a violation results from willful neglect and goes uncorrected. To give you a picture, this table shows how penalty amounts range by level of culpability:


For reference, the most common causes of reported breaches:

Unencrypted Data

A large majority of breaches involve lost or stolen data that was not encrypted. Remember that “addressable” specifications are not optional: encryption of ePHI is addressable under the Security Rule, so you must either implement it or document why it is not reasonable and appropriate for you and what equivalent measure you use instead. Most addressable specifications are best practices in the field anyway; the flexibility lies only in how you implement them to fit your workflows.

Employee Error

Employee training and adherence to protocol are very important. Breaches have occurred through employees losing unencrypted portable devices, or accidentally sending sensitive information to vendors and having it wind up on social media networks. These incidents could have been avoided.

Data Stored on Devices

Be mindful of your laptops, smartphones, external hard drives, and similar devices. Theft has accounted for about half of all breaches.

Business Associates

Be choosy about your partners. About two-thirds of all breaches, including some of the largest ever reported, involved a business associate.

Luckily, not every data breach results in a fine. The key is to be able to show that you are making a reasonable, documented effort to comply with HIPAA.

HIPAA Breach Notification Rule

The Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. “Unsecured” means the PHI was not rendered unusable, unreadable, or indecipherable to unauthorized persons in a manner consistent with HHS guidance (encryption or destruction); ePHI protected that way falls outside the notification requirement, which is the practical payoff of encrypting devices and media. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. Breaches affecting 500 or more individuals must be reported to HHS within that same 60-day window, and prominent media outlets must be notified when more than 500 residents of a state or jurisdiction are affected; smaller breaches are logged and reported to HHS annually.

For reference:

In summary, HIPAA asks you to do the following:

  • Establish safeguards to protect ePHI.
  • Limit uses and disclosures of ePHI to the minimum necessary to accomplish the intended purpose.
  • Put Business Associate Agreements (BAAs) in place to ensure that your service providers will also protect ePHI and use it only as permitted.
  • Put policies and procedures in place to restrict who has access to ePHI.  Enroll yourself and your employees in a training program on ePHI safety.  Periodically review your procedures to assess how well you are keeping ePHI secure.

There you have it!  It’s a lot to take in.  If after you’ve sat with this information you have questions, please email us at [email protected].  We’re happy to help.

SecureVideo For Any Professional

Did you know that SecureVideo is not just for people in the medical field who need to abide by HIPAA laws?

The truth is, anyone looking for an easy, secure, low-cost video conferencing connection could use SecureVideo.  Our meetings are peer-to-peer.   That means your video session isn’t routed through any of our servers, so it can’t be saved or recorded by us, nor subpoenaed from us.   Your meetings stay confidential, as if you were talking to a person face-to-face.

In general, much of our daily communication is nonverbal.  Unlike on a phone call, you can read more of your clients’ or associates’ nonverbal cues on a videoconference call.  This comes in handy, especially since we spend so much time communicating electronically, missing the tone and body language that accompany the text we read.

SecureVideo customers also benefit from the scheduler included with all SecureVideo plans and branding features you get with the Individual PLUS or Enterprise Plan.   These features enable more of your clients to keep their appointments with you.   Plus, your session invites appear to come from your own videoconferencing platform:   How cool is that?

Video conferencing has become a necessary tool for communication in any field.   For example, lawyers can use it to gather oral statements for a deposition without expensive or lengthy travel.  Loan officers can interview their borrowers remotely and process applications in collaboration with other bank branches.  Human Resource managers can conduct interviews with talented candidates without restricting their choices to local applicants.

You know your workflow best.  When your business calls for secure, face-to-face communication, you have options.  Try us for free.

Can On-Line Therapy Cross State Lines and Remain HIPAA-Compliant?

Suppose a licensed therapist whose office is in Ironwood, Michigan, has a client, referred by the patient’s insurance company, who drives twice a week to her office from his home across the Montreal River and 20 miles down Highway 51 in Saxon, Wisconsin. She is the nearest therapist to his home. No problem getting paid or reimbursed, right?

But what if she wants to save her client two 40-mile round trips each week, and conduct her sessions by videoconference while her client remains in his home in Wisconsin? Would she be paid or reimbursed? The answer may depend upon whether she is also licensed in Wisconsin, although under certain very limited circumstances, licensees from adjoining states may practice in facilities where an office is customarily provided for them.

Historically, under the Tenth Amendment to the United States Constitution, each state has the authority to regulate activities that affect the health, safety and welfare of its citizens, including the practice of the healing arts within its borders. Laws governing individual health care providers are enacted by state legislatures, with authority to implement the practice acts delegated to the respective state licensing boards. A practitioner must be licensed, or follow state reciprocity rules, in order to work in a state. In light of the increasing popularity of telemedicine, licensure requirements can be complicated. A practitioner has been deemed to be “practicing” in a state when he or she is interacting with a patient who is physically present in that state, while at the same time also “practicing” in the state in which the practitioner is located. Before employing video-conferencing in the practice of any of the healing arts, the practitioner needs to ensure that his or her activity is legally sanctioned and protected.

According to Telehealth Resource Centers®, if a licensed health care provider electronically interacts with a patient in another state, the provider must be licensed or registered (but verify State-specific regulations) in each state in which he or she electronically practices. Practicing telepsychology, or for that matter any of the healing arts, without the appropriate license in the State in which one is electronically practicing may incur civil and/or criminal penalties. As noted above, under certain circumstances, such as emergencies, an exception may be made to the requirements for state licensure.

It seems clear that if our hypothetical therapist is licensed in both Michigan and Wisconsin, she can be reimbursed and/or paid under the rules of both Medicare and Medicaid. The Veterans Administration has different rules, however, so that, generally, if a practitioner is performing his or her duties in the course of Federal service, he or she is only required to be licensed in one state, no matter where he or she practices.

But, as noted above, due to the increasing popularity of telemedicine, “special purpose” or “limited” licenses may allow health care professionals the option of licensure for the delivery of specific health care services under particular circumstances in addition to holding a full license in the state where they primarily practice. To date, approximately 10 states have adopted some version of a special purpose license for telepsychology practice.

Bottom line? If you are considering on-line therapy, or any of the healing arts, and you anticipate using a fully HIPAA-compliant videoconferencing service with clients who reside in a state different from the one in which you hold your license, you should check in with your attorney and/or your licensing authority before undertaking such a delivery of services.

Stephen C. Taylor
General Counsel