A summary of the HIPAA law is included in Find-A-Code's specialty specific Reimbursement Guides as well as the ChiroCode DeskBook
A more thorough explanation can be found in the Complete & Easy HIPAA Compliance book which also includes editable and sample forms
HIPAA Articles
Click the article title to view a summary and link to the full article.
Small Breaches Can Be Subject to Large Penalties
June 21st, 2019
By Namas | Published June 21st, 2019 - Last Review/Update June 27th, 2019
Small Breaches Can Be Subject to Large Penalties
We may have heard about the large fines issued by the Office for Civil Rights (OCR) against big organizations like Anthem or the University of Texas MD Anderson Cancer Center. These organizations have been in the news due to privacy breaches that constituted violations ...
By Wyn Staheli, Director of Research | Published May 6th, 2019
On April 30, 2019 The Department of Health and Human Services (HHS) announced that “HHS will apply a different cumulative annual CMP limit for each of the four penalties tiers in the HITECH Act.” Unlike other notices which require a proposed rule with a comment period, this notice will take ...
By Wyn Staheli, Director of Research | Published April 15th, 2019
In Chapter 3 — Compliance of the ChiroCode DeskBook, we warn about the dangers of disgruntled people (pages 172-173). Even if we think that we are a wonderful healthcare provider and office, there are those individuals who can and will create problems. As frustrating as it may be, there are ...
By Wyn Staheli, Director of Research | Published December 18th, 2018
On December 14, 2018, the Office for Civil Rights (OCR) issued a Request for Information (RFI). They are considering making changes to some of the HIPAA regulations. Earlier this year at the HIMSS (Healthcare Information and Management Systems Society) meeting, Roger Severino, the head of the Office for Civil Rights ...
HIPAA Handling Patient Requests for Medical Record Restriction
September 26th, 2018
By BC Advantage | Published September 26th, 2018 - Last Review/Update October 17th, 2018
Healthcare compliance professionals frequently face confusing situations about sharing of protected health information (PHI). The Health Insurance Portability and Accountability Act (HIPAA) supports the protection of privacy of medical records. However, even when a patient does not authorize sharing of his record, there are permitted uses and disclosures, such as...
Finalized Confidentiality of Alcohol and Drug Abuse Patient Records Regulations
August 31st, 2018
By Wyn Staheli, Director of Research | Published August 31st, 2018
In January, the U.S. Department of Health and Human Services (HHS) issued updates to the privacy regulations regarding the confidentiality of patient information of substance use disorder patients (42 CFR Part 2). This notice included references to better alignment with HIPAA regulations, but did state that Part 2 is more protective ...
By Sean M. Weiss & Frank Cohen | Published May 30th, 2018 - Last Review/Update June 4th, 2018
This year (2018), healthcare organizations (Hospitals, Health Systems, and Physician Groups/Practices) must focus on the criticality of creating a culture of compliance to ensure effectiveness and efficiency. Focusing on "compliance"-only approaches leaves healthcare organizations exposed to areas of liability oftentimes far more than what they could ever imagine or even...
By Rachel V. Rose, JD, MBA | Published May 30th, 2018 - Last Review/Update June 4th, 2018
Whether I am assisting clients or presenting, I am often asked about legal holds and e-discovery. The transition from paper to electronic records, which include emails, computer faxes, protected health information ("PHI"), personally identifiable information ("PII") and documents that are created, received, maintained or transmitted in an electronic format created...
Q/A: How Do I Respond to a Patient's Request to Not Submit the Claim to Their Insurance?
May 7th, 2018
By Wyn Staheli, Director of Research | Published May 7th, 2018 - Last Review/Update January 30th, 2019
A number of patients now have high deductible plans. Sometimes, deductibles can be $5000 or $10,000. My payer contract states that I must submit all claims to insurance for covered services. However, sometimes patients with these high deductibles come to my office and state that they would prefer to receive a modest discount for paying cash and in turn, not have their services submitted to insurance. As a doctor, this places me in a tough situation. Do I follow the patient's wishes or the payer contract?
By Dugan MadduxDugan Maddux, MD, FACP & Dr. Ahmad SharifAhmad Sharif, MD, MPH | Published April 24th, 2018 - Last Review/Update May 2nd, 2018
Like a moth to a flame, we periodically have to take a close look at FHIR. As mentioned in the March 26 blog post, interoperability was the hot topic at HIMSS, and FHIR is at the blazing edge of interoperability...
Q/A: Someone Broke into My Office. What do I do Now?
April 23rd, 2018
By Wyn Staheli, Director of Research | Published April 23rd, 2018 - Last Review/Update January 24th, 2019
My office was broken into last night. I use electronic health records, but we do store some protected health information for my patients in paper files. These files are not secured, so the burglars did have access to them. It did not appear that the files were touched as the burglars were looking for cash. What responsibilities to I have to my patients in a situation like this? Do I need to contact them and advise them that their PHI could have been compromised?
Health Information Exchange and Trusted Exchange Frameworks
February 27th, 2018
By Dugan Maddux, MD, FACP | Published February 27th, 2018 - Last Review/Update April 12th, 2018
Despite progress in health IT, Health Information Exchange (HIE) remains squarely in toll booth mode, with gated stops and slowdowns that may or may not permit information to move forward. ...
HIPAA Breach Settlements and Ransomware Attacks - Is Your Practice Secure?
February 5th, 2018
By Wyn Staheli, Director of Research | Published February 5th, 2018
Two recent reports should make providers stop, take notice and make sure their practice's policies and procedures are up-to-date.
The first one involves a HIPAA Breach settlement of a company with facilities in several states. The OCR memo stated "In addition to a $3.5 million monetary settlement, a corrective action plan ...
By Wyn Staheli, Director of Research | Published February 1st, 2018
Healthcare providers must be vigilant in ensuring that software upgrades, also known as patches, are kept current. Failure to do so can lead to a HIPAA Security Breach with all its associated penalties. For example Windows XP no longer has security updates and should not be used in healthcare settings.
On ...
HIPAA Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification
October 6th, 2017
By Wyn Staheli | Published October 6th, 2017
In light of recent tragic events, the OIG has released a reminder that HIPAA allows for certain disclosures in these types of situations. The reminder dated October 3, 2017 states the following:
Following the recent mass shooting in Las Vegas, the HHS Office for Civil Rights (OCR) is taking this opportunity ...
Case Law Update: Just Because HIPAA Does Not Provide a Private Right of Action, Doesn't Mean that Other Avenues Exist
August 16th, 2017
By NAMAS | Published August 16th, 2017 - Last Review/Update September 13th, 2017
August 4, 2017
Case Law Update: Just Because HIPAA Does Not Provide a Private Right of Action, Doesn't Mean that Other Avenues Exist
Simply stated, the Health Information Portability and Accountability Act (HIPAA) does not provide a private cause of action[1]. And, prior to the 2009 passage of the Health Information Technology ...
By Wyn Staheli, Director of Research | Published August 4th, 2017
An article by Medical Economics highlights the June report of the Health Care Industry Cybersecurity Task Force. Their report confirmed once again that healthcare providers are not adequately addressing cybersecurity as part of the compliance programs. The threat of hackers is very real and providers need to ensure that they have taken ...
Case Law Update: Just Because HIPAA Does Not Provide a Private Right of Action, Doesn't Mean that Other Avenues Exist
August 4th, 2017
By NAMAS | Published August 4th, 2017 - Last Review/Update August 16th, 2017
Simply stated, the Health Information Portability and Accountability Act (HIPAA) does not provide a private cause of action[1]. And, prior to the 2009 passage of the Health Information Technology for Economic and Clinical Health Act (HITECH Act)[2] and the more robust chain of liability (e.g. covered entities, business associates and ...
How to Properly Dispose Protected Health Information (PHI)
February 27th, 2017
By InstaCode Institute | Published February 27th, 2017
HIPAA requires covered entities to properly dispose of Protected Health Information (PHI) in the following manner:
Paper, film, or other hard copy media has been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
Electronic media has been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media ...
By Wyn Staheli, Director of Research | Published February 22nd, 2017
Mobile devices are one of the most problematic areas for HIPAA security. Their ease of portability also makes it easy for them to be stolen or hacked. Because so many of the HIPAA breaches reported involved mobile devices, additional guidance has been issued by HealthIT.gov. Their informative web page offers additional ...
By Wyn Staheli, Director of Research | Published February 2nd, 2017
Of special interest to all behavioral health practitioners (both Covered Entities and NON-covered entities) is HIPAA's provision for psychotherapy notes. The privacy rule recognizes that psychotherapy notes need more protection than other types of PHI. Even if you are not a covered entity, we recommend understanding and implementing office procedures ...
By Wyn Staheli, Director of Research | Published January 23rd, 2017
It is a common misconception that every doctor’s office is (or must become) a HIPAA covered entity; however, the list of those who still qualify for exemption from HIPAA is rapidly shrinking. There are exceptions to the HIPAA requirements; if a practice sends or receives no transactions electronically, it is ...
Companies who regularly handle such sensitive information as patient medical records have a particular responsibility to maintain the confidentiality of the data. Failure to exercise the appropriate degree of care – whether intentional or not – can have a significant adverse financial impact on your firm.
The Federal Health Insurance Portability ...
By ChiroCode | Published September 22nd, 2016 - Last Review/Update March 5th, 2019
We're flying through the last quarter of 2016! Before we know it, we'll be ringing in the new year, so we'd better be ready!
As always, there are end of the year things that we must be sure to complete so as to best prepare for the future and protect ...
The Health Insurance Portability and Accountability Act (HIPAA) has been around for quite some time. There are many misconceptions about HIPAA compliance that our office still gets calls about. This page is to help clear up some of these misconceptions.
By Dr. Ray Foxworth, Certified Medical Compliance Specialist and President of ChiroHealthUSA | Published May 26th, 2016 - Last Review/Update March 5th, 2019
Our team is frequently asked if it is legal for chiropractic offices to offer coupons or Groupons. We’re not allowed, as a profession, to dramatically discount our services, offer free treatments, or provide gifts or free meals for potential patients. Any one of these things can be considered an “inducement.” Practices that improperly induce patients to seek care or services, for example, by providing coupons for care or supplies, may find that they are in violation of the law if they aren’t careful.
So what will that mean to you and your practice? It isn’t pretty.
An Important Rule that You're Probably Not Following
April 28th, 2016
By ChiroCode | Published April 28th, 2016 - Last Review/Update March 5th, 2019
The HIPAA Security Rule requires that covered entities (your practice) conduct a Security Risk Assessment (SRA) for your organization, at a minimum of once per year. It is critical that practices perform the Security Risk Assessment for multiple of reasons. Not only is it important to comply with rules and regulations, but also, for what you may consider to be a more motivational reason, to protect your practice (and bank account) from what could become disabling fines and penalties.
HIPAA Proposed Rule to Update Substance Abuse Confidentiality Regulations
April 13th, 2016
By Wyn Staheli, Director of Research | Published April 13th, 2016
On February, 9, 2016 HHS published proposed revisions (81 FR 6988) to the Confidentiality of Alcohol and Drug Abuse Patient Records regulations, 42 CFR Part 2. Find out what changes are being considered.
Lack of Business Associate Agreement (BAA) Costs Non-Profit 1.55 Million
April 13th, 2016
By Wyn Staheli, Director of Research | Published April 13th, 2016
Failure to have a properly executed Business Associate Agreements (BAA) costs one organization $1.55 Million. In today's highly technological environment, it is too easy to skip the necessary precautions and easy for electronic devices to get lost or stolen. Are you prepared?
By Instacode Institute | Published April 6th, 2016
It's not just the names and addresses that matter -- It's the compliance. If you can demonstrate that you are hleping yourself to maintain HIPAA compliance by careful documentation and proper procedures, you can go a long way toward avoiding being fined by the HIPAA squads.
Complete & Easy HIPAA Compliance is a clear, simple “Just help me do what I have to do!” workbook that contains all the things the designated security officer must do to instantiate a robust HIPAA compliance program. It comes complete with over 45 forms and letters which can be used to state the office policies, spell out procedures, and ensure that each patient will be protected in their rights under HIPAA policy. It also can help demonstrate that a compliance program is in progress.
Protected Health Information De-Identification Standards
March 16th, 2016
By Instacode Institute | Published March 16th, 2016 - Last Review/Update January 27th, 2017
This article contains detailed information on the OCR guidance regarding the de-identification of Protected Health Information (PHI). Avoid HIPAA violations and learn specifically what de-identification is.
Employee Exclusions Screenings Must be High Priority
February 24th, 2016
By Wyn Staheli | Published February 24th, 2016
Many healthcare organizations are not aware of how critically important it is to screen their employees against ALL state and federal exclusions databases. This article has important information for organization to ensure compliance.
What are the Rules for Safeguarding Patient Records?
February 11th, 2016
By ChiroCode | Published February 11th, 2016 - Last Review/Update March 5th, 2019
Secure medical records is a broad topic that should be addressed in detail by all practices. There are multiple items to consider when meeting standards to best safeguard protected health information (PHI).
Appointments, Reminders, Text Messaging, and HIPAA
August 10th, 2015
By ChiroCode | Published August 10th, 2015 - Last Review/Update January 27th, 2017
As more and more people are using mobile and wireless devices, a new term - mHealth - has emerged. According to a National Institute of Health consensus group, mHealth is “the use of mobile and wireless devices to improve health outcomes, healthcare services and health research.” Historically, the biggest gaps and HIPAA violations have been linked to ...
(Rev. 3086, Issued: 10-03-14, Effective: ICD-10: Upon Implementation of ICD-10, ASC X12: January 1, 2012, Implementation ICD-10: Upon Implementation of ICD- 10; ASC X12: November 4, 2014)
The standards adopted under HIPAA include both a transaction standard and an implementation guide.
Claims sent electronically to Medicare must abide by the HIPAA standards ...
By Chris Woolstenhulme, QCC, CMCS, CPC, CMRS | Published March 18th, 2015 - Last Review/Update June 9th, 2016
At HIPAA Summit, OCR head Jocelyn Samuels also outlines forthcoming efforts with ONC, FDA.
Phase II of the federal HIPAA audit program remains "under development," Jocelyn Samuels, director of the Health and Human Services Department's Office for Civil Rights, said Monday at the 23rd National HIPAA Summit in the District of Columbia.
Read ...
By Wyn Staheli, Director of Research | Published February 9th, 2015 - Last Review/Update June 9th, 2016
How secure is your computer? Do you have a password on your computer? Do you have the automatic log offs turned on? Is your computer encrypted? Are your off-site storage files encrypted?
This document is designed to give some basic information about making your office a little more secure. It is not ...
By Instacode Institute | Published January 20th, 2015 - Last Review/Update March 5th, 2019
The Health Insurance Portability and Accountability Act (HIPAA) has been around for quite some time. There are many misconceptions about HIPAA compliance that our office still gets calls about. This page is to help clear up some of these misconceptions.
All mental health providers will benefit from the common-sense approach and ...
By Evan M. Gwilliam DC MBA BS CPC CCPC QCC CPC-I MCS-P CPMA CMHP | Published October 24th, 2014 - Last Review/Update January 30th, 2017
Straight from the Office of Civil Rights:
Q: Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?
A: Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply ...
4Medapproved Partner and Find-A-Code's first Mini-Course Workshop
October 20th, 2014
By Chris Woolstenhulme, QCC, CMCS, CPC, CMRS | Published October 20th, 2014 - Last Review/Update March 2nd, 2016
Find-A-Code is now a 4Medapproved Partner and we are announcing our first Mini-Course workshop.
PROGRAM ANNOUNCEMENT 10/17/2014 Our first mini-course workshop will be presented by Brian Johnson, CHSP, CHSA:
HIPAA Workforce Certificate for Professionals LIVE Accelerated Workshop (1 Day/1 Hour)
LIVE ONLINE: Oct 29, 2014 at Noon EST, 11am CST, 10am MST and ...
By Evan M. Gwilliam DC MBA BS CPC CCPC QCC CPC-I MCS-P CPMA CMHP | Published October 16th, 2014 - Last Review/Update January 23rd, 2017
In October of 2000 in the Federal Register the Office of the Inspector General (who investigates fraud against the federal government on behalf of the Department of Health and Human Services) offered general guidelines for health care facilities to set up a “Compliance Program”. This advice has long been pushed ...
Basic Fact Sheet on HIPPA Privacy and Security for Providers - CMS
October 16th, 2014
By Chris Woolstenhulme, QCC, CMCS, CPC, CMRS | Published October 16th, 2014 - Last Review/Update January 30th, 2017
CMS has a released a fact sheet on HIPAA Privacy and Security basics for providers. Designed to provide education on covered entities and Business Associates under the HIPPA Privacy Rule.
Examples of a Covered Entity would be:
Doctors
Clinics
Psychologists
Dentists
Chiropractors
Nursing Homes
Pharmacies
Health Plans
Clearing houses
Any person or organization assisting in transmitting a transaction in electronic form, ...
According to HIPAA, who are my Business Associates?
September 11th, 2014
By Brandy Brimhall, CPC, CMCO, CCCPC, CPCO, CPMA | Published September 11th, 2014 - Last Review/Update January 30th, 2017
Providers work with many different groups and many of them have some interaction with Protected Health Information (PHI). In an effort to help us understand who qualifies as Business Associates the Department of Health & Human Services has provided some resources.
But first … what is PHI or individually identifiable health information? ...
Cyber Insurance? What kind of Insurance Policy it that?
September 9th, 2014
By Chris Woolstenhulme, QCC, CMCS, CPC, CMRS | Published September 9th, 2014 - Last Review/Update January 30th, 2017
Due to the increase of medical transactions stored online and in the cloud, cyber intrusions will only increase.
Cyber insurance also known as privacy and network security insurance can help cover the costs incurred if your computer system is compromised, or after a data breach which can include a HIPAA ...
Do I Need Error and Omissions (E&O) Insurance for My Billing Company?
September 9th, 2014
By Chris Woolstenhulme, QCC, CMCS, CPC, CMRS | Published September 9th, 2014 - Last Review/Update January 30th, 2017
Do I Need Error and Omissions (E&O) Insurance for My Billing Company?
Over the years Medical billing has been considered low risk, now it has developed into a huge liability with HIPAA, E&O and Business Associate Agreements to name a few.
HIPAA has rocked the world for small businesses. Looking at the ...
By Chris Woolstenhulme, QCC, CMCS, CPC, CMRS | Published August 29th, 2014 - Last Review/Update January 30th, 2017
The associates in the provider’s world and healthcare society are filled with loads of potential business associates and endless Individual identifiable health information.
 We have had so many questions about business associates I thought I would go to the source and put together some information from HHS.gov, otherwise known as U.S. ...
By Wyn Staheli, Director of Research | Published July 16th, 2014 - Last Review/Update January 25th, 2017
For anyone who is not a computer techie, the announcement by Microsoft about discontinuing support for Windows XP may not mean much. However, from a HIPAA perspective, this is very important information because Section 164.308(a)(5)(ii)(B) of the HIPAA Security Rules includes an 'addressable' requirement of Protection from Malicious Software where ...
How the Internet is Reshaping Medical Coding and Billing
July 15th, 2014
By David Berky | Published July 15th, 2014 - Last Review/Update January 25th, 2017
Since the Internet is affecting (usually for better) every industry, why should it come as a surprise that medical coding and billing is now heavily dependent on the Internet? Actually, a number of important challenges and changes in the healthcare industry, and in technology as a whole, are pushing medical ...
How can I make sure new hires have not been in trouble with Medicare?
March 18th, 2014
By Christopher Anderson, DC MCS-P | Published March 18th, 2014 - Last Review/Update January 25th, 2017
To avoid liability, it is recommended to routinely check (every 3 months) the LEIE to ensure that new hires and current employees are not on the excluded list.
One of the many parts of the compliance program is to see if your current staff (including yourself, regular staff and associate doctors) have been placed on the OIG (Office of the Inspector General) List of Excluded Individuals and Entities (LEIE).
OIG has the authority to exclude individuals and entities from Federally funded health care programs and maintains a list (List of Excluded Individuals and Entities or LEIE)of all currently excluded individuals and entities. Anyone who hires an individual or entity on the LEIE may be subject to monetary penalties.
It’s as simple as 1…2…3..
Read More
By | Published February 19th, 2014 - Last Review/Update January 27th, 2017
As more and more people are using mobile and wireless devices, a new buzzword has emerged: mHealth. According to a National Institute of Health consensus group, mHealth is "the use of mobile and wireless devices to improve health outcomes, healthcare services and health research." Historically, the biggest gaps and HIPAA violations ...
By | Published September 30th, 2013 - Last Review/Update January 27th, 2017
September 23rd, 2013 was the deadline for HIPAA Omnibus Final Rule compliance. It seems to have just snuck up on everybody. ChiroCode has spoken with some clincis who say that they don't need to worry about it because ”they are just a small practice.” Please, do not wait any longer to ...
By | Published September 6th, 2013 - Last Review/Update January 27th, 2017
The official deadline for HIPAA covered entities to reach compliance with the provisions of the Omnibus Rule is officially set as September 23, 2013. This date is right around the corner and as a result, providers are concerned about meeting this deadline. The definition for a business associate has been ...
A simple and practical guide to implementing HIPAA, HITECH, and Omnibus Final Rule components. Includes the forms and policies and information you need to meet compliance requirements. Plus over 50 customizable forms!
Suggest a Resource
If you know of a resource that should be included here (links, data, etc.) please Contact Us.
Calculators
Documentation
Education & Training