HIPAA Helps and FAQs

January 20th, 2015

The Health Insurance Portability and Accountability Act (HIPAA) has been around for quite some time. There are many misconceptions about HIPAA compliance that our office still gets calls about. This page is to help clear up some of these misconceptions.

All mental health providers will benefit from the common-sense approach and steps found in the Behavioral Health Reimbursement Guide. This book includes detailed information about the HIPAA Security Breach Notification Rules.

Complete & Easy HIPAA Compliance contains the forms and training you need in a easy to understand format. Of all the many HIPAA products we have reviewed, it is by far the best! It is extremely affordable and will save your office TONS of time and headaches.


Frequently Asked Questions About HIPAA

Q.  I just received a notice from XYZ Insurance company that I have to file Electronic Claims. I don't think I can afford that. Do I have to file electronically?

A.  HIPAA grants an exception for small companies (fewer than 10 full time employees). However, some states have passed legislation which over-rides this exception. State statues take precendence. If you have only two people in your office and your state does not have a law requiring electronic claims, then you do not have to file electronically. You may need to file an exemption with the specific company to minimize future hassles and problems.

Q.  How should we handle caller ID? Is it ok for our practice name to appear when we call a patient?

A.  Yes. HIPAA does not require you to block the name of your practice; however, if your practice treats specific diseases, such as cancer, it is a good idea to adhere to the “minimum necessary standard” by limiting the information listed on caller ID. For example, it is more appropriate to say “George Luther Treatment Center” than to say “George Luther Cancer Treatment Center.”

Q.  I’ve recently created a website for my practice. Do I have to post a notice of privacy practices on it?

A.  Yes. If a covered entity has a website, posting a Notice of Privacy Practices is required on the website. Privacy Notices can be purchased HERE.

Q.  If a patient wants to file a complaint about a security violation at my practice, what should I do?

A.  The first course of action is to try to resolve the issue yourself. If the issue is not resolvable by the practice, patients have the right to complain. For security and other non-privacy complaints, the appropriate form to use may be found at http://htct.hhs.gov. This is not the same form used for filing a privacy complaint. The privacy complaint form may be found at www.hhs.gov/ocr/privacy/hipaa/complaints/index.html

Q.  What’s the best way to dispose of old data on a computer? We just got new laptops and we want to donate the old desktops to a local charity.

A.  One of the best ways to ensure data from an old computer is protected is to take a sledgehammer to the hard drive. However, since you want to donate the equipment to a nonprofit, your best bet is to use software technology to permanently erase the information. Simply erasing files on your hard drive or even re-formatting the drive is not sufficient. There are many options out there that will perform a thorough job, including X-Ways SecurityBC WipeSuperShredder,WipeDrive and Acronis DriveCleanser. Make sure you document the method you use to erase the protected health information.

Q.  How should we verify the identity and authority of a law enforcement person before giving him/her PHI?

A.  It is important to verify the identity and authority of a law enforcement person before handing over PHI. Presentation of an agency identification badge, other official credentials or other proof of government status are all acceptable ways of verifying identity, if the request is made in person. As for verifying authority, you may reasonably rely on a written statement of legal authority, an oral statement of legal authority (if a written statement is impractical) or a request made pursuant to legal process, warrant, subpoena, order or other legal process issued by a grand jury or judicial or administrative tribunal. For more information, go to section 164.514(h) Verification of the privacy rule.

Q.  What if we find out one of our business associates misuses our PHI?

A.  Although you are not required to actively monitor business associates (BAs), if you have substantial and credible evidence of a BA violation, you must take reasonable steps to mitigate the breach or end the violation. If such steps are unsuccessful, you must terminate the contract with the BA. If it is not feasible to end the contract with the BA, you are required to report the problem to HHS.

Q.  I’ve heard conflicting information about fax machines. Once and for all, are faxes considered electronic transactions?

A.  Traditional faxes sent from a fax machine are NOT considered electronic transactions. However, faxes sent from a computer ARE classified as electronic transactions.

Q.  What are the requirements for privacy and security training for employees?

A.  Once you have trained a staff member on HIPAA, there are only limited circumstances when additional training is required. Training is only needed beyond the initial training when there are significant changes to policies and procedures that impact the workforce or an individual changes responsibilities within the covered entity and needs to become familiar with new processes. In addition, if there has been a HIPAA violation, a mitigation action plan may have a retraining component.

Although “full blown” training isn’t required regarding security issues after initial training, the regulations do require regular discussion of security tips with staff at meetings or via e-mail. It is recommended that security tips be shared on a monthly basis with staff members, such as reminders about the importance of individual login and regular password changes. Such discussions should be documented in staff meeting minutes and/or copies of the e-mails should be saved.

How to stay HIPAA Updated

More Help for HIPAA Headaches

No one knows the HIPAA rules better than the makers of them.  For more information, we encourage you to contact the direct sources within the department of Health and Human Services (HHS).

Privacy standards have been assigned to the Office of Civil Rights (OCR) within (HHS).  

Transactions, Security, and Identifier standards are assigned to the Centers for Medicare and Medicaid Services (CMS) within HHS.

Security standards are available from the Centers for Medicare and Medicaid Services (CMS).

Affordable HIPAA help is available from InstaCode Institute www.instacode.com

HIPAA Helps and FAQs. (2015, January 20). Find-A-Code Articles. Retrieved from https://www.findacode.com/articles/hipaa-helps-and-faqs-34843.html

© InnoviHealth Systems Inc

Article Tags  (click on a tag to see related articles)

Publish this Article on your Website, Blog or Newsletter

This article is available for publishing on websites, blogs, and newsletters. The article must be published in its entirety - all links must be active. If you would like to publish this article, please contact us and let us know where you will be publishing it. The easiest way to get the text of the article is to highlight and copy. Or use your browser's "View Source" option to capture the HTML formatted code.

If you would like a specific article written on a medical coding and billing topic, please Contact Us.


innoviHealth Systems, Inc.
62 East 300 North
Spanish Fork, UT 84660
Phone: 801-770-4203 (8-5 Mountain)
free demo
request yours today
free subscription
for any budget

Thank you for choosing Find-A-Code, please Sign In to remove ads.