HIPAA Basics

There are three compliance areas within HIPAA

1. The Privacy Rule:  covers covered entities' and business associates' use and disclosure of an individual's PHI (protected health information).  This includes things like filing electronic claims or checking eligibility electronically.  If you use a third-party billing service or clearinghouse, they are also bound by HIPAA.  Business associates such as attorneys, accountants and consultants are all bound by HIPAA.  PHI, or protected health information, means individually identifiable information that is held or transmitted by a covered entity, whether electronic, paper, or oral, that relates to the past, present, or future physical or mental health of an individual.  The Privacy Rule also provides for individual rights such as a patient's right to access their PHI, restrict disclosures, and request amendments.  It gives patients the right to complain without retaliation.

2. The Security Rule:  requires physician practices to implement what are known as administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI.  This part of the rule covers information transmitted electronically only, not orally or in paper form.

3. The Breach Notification Rule:  requires physician practices to notify affected individuals, the Secretary of the U.S. Department of Health and Human Services, and in some cases, the media when they discover a breach of a patient's unsecured PHI.

Compliance Activities.  The following items should be part of your HIPAA policy.  You might want to create a binder to organize and store everything.

Compliance Official

Assign someone the primary responsibility for HIPAA compliance including the privacy, security and breach notification requirements.  Have a written plan for levels of authorization and supervision when it comes to HIPAA.  You might want to include the Security Official's name and level of access to patient records along with all employees and their levels of access when it comes to patients' PHI.

Policies and Procedures

Outline your policies and procedures.  Make sure they reflect the realities of your practice and meet the requirements of the current HIPAA law.

Patient Request

Have a documented policy on how to handle patient requests.  

1. Medical Record Access and Copy Requests:  when a patient asks you to provide the opportunity to look at their records or to obtain a copy of their records, especially requests for electronic PHI.

2. Disclosure Restrictions Requests: when a patient asks you to limit sharing their medical information.

3. Amendment Requests: when a patient asks you to make changes to the information in their medical record.

4. Accounting of Disclosure Requests: when a patient asks for a list of everyone who has come in contact with the patient's record.

5. Confidential Communication Channel Requests:  when a patient requests to receive information in a specific way or at a specific location.

Examples of these forms are in OD Link in the preferences tab.  If you have an older version of OD Link, you can contact us for these forms.

NPP "Notice of Privacy Practices"

There is a generic NPP in OD Link under Preferences and HIPAA.  You can click into the area and customize it for your office.  A physician is required to provide the NPP to new patients and use their best efforts to obtain acknowledgment of receipt.  In OD Link you can have the patient sign for receipt of the NPP at the same time they sign the forms.  To customize the message at the bottom of your forms go to Preference > Messages/Billing Defaults > Disclaimer for Visit Form.  You can add "I have been given the opportunity to read ABC Clinic's Notice of Privacy Practices".  An NPP should clearly detail how your practice will use and disclose PHI and your patients' rights, including their right to prohibit the sale of their PHI or its use for marketing purposes.  It should have information about how the patient can access their PHI and state that they will receive notice of any breach.  You should post your NPP in a prominent location and on your website.  You should also have paper copies available if the patient requests a copy.


Your staff should be trained periodically to comply with your HIPAA policies and procedures.  The above is an example of an annual training log.  You will find this form in OD Link in Preferences.


Make sure your practice has the appropriate administrative, technical and physical safeguards to protect the privacy and security of your patients' PHI.  Make sure these are clearly outlined in your HIPAA binder.


Your practice should have appropriate sanctions against members of the office workforce if they fail to comply with the HIPAA rules.

Business Associates

Your practice should enter into appropriate Business Associate Agreements with all associates who have access to patients' PHI to ensure those associates comply with HIPAA.  There is an associate agreement for OD Link in Preferences > Setup > Setup Checklist.


There should be a clear process for patients and staff to make complaints.  Complaints should be taken seriously with no retaliation.


The practice should encrypt all PHI and take steps to reduce the risk of any breach.  If a breach does occur, the practice should have appropriate policies for discovering and reporting it.