
HIPAA refresher: Privacy, security, and breaches

Answers in Practice

By Faiza Wasif, MPH, manager, practice management, October 1, 2020

Each month DermWorld tackles issues “in practice” for dermatologists. This month Faiza Wasif, MPH, the Academy’s practice management manager, explains HIPAA.

It seems that federal regulations are changing at a rapid speed, especially during the COVID-19 pandemic. While many new regulations have been passed or old regulations relaxed to support health care providers during this difficult time, some have remained largely the same, such as the Health Insurance Portability and Accountability Act (HIPAA). There has been a modest relaxing of some components of HIPAA, but overall, not much has changed. Here is a quick refresher.

What is HIPAA?

Passed by Congress in 1996, HIPAA mandates industry-wide standards for health care information on electronic billing and other processes and requires the protection and confidential handling of protected health information (PHI).

Do I have to comply?

Yes. As a dermatologist, you must comply with HIPAA and related federal privacy regulations if you perform any functions electronically.

How do I become HIPAA compliant?

As a first step, use the HIPAA security risk analysis tool.

[HIPAA infographic]

There are two main parts to HIPAA: the Privacy Rule and the Security Rule.

The Privacy Rule mainly requires that your practice achieves the following:

  • Protect patients’ PHI;

  • Provide patients’ access to their medical records;

  • Maintain patient confidentiality;

  • Engage in limited, minimum necessary use and disclosure of patient PHI for the purposes of treatment, payment, and health care operations; and

  • Designate a privacy officer or responsible person in the practice who will be responsible for the implementation and oversight of the HIPAA Privacy Rule.

The Security Rule covers the PHI addressed by the Privacy Rule whenever it is created, stored, or transmitted in electronic form. This rule applies only to electronic PHI (ePHI), not to oral or paper PHI, and mainly requires that your practice achieves the following:

  • Ensure the confidentiality, integrity, and availability (CIA) of ePHI that the covered entity creates, receives, maintains, or transmits;

  • Protect against any reasonably anticipated uses or disclosures of ePHI which are not permitted by the Privacy Rule; and

  • Ensure that the practice and its workforce, including business associates, understand and comply with the Security Rule’s requirements.

Generally, patients have to give their permission for PHI to be shared, but physicians and other providers can share some PHI without the patient’s written consent if it is for treatment, payment, or operations.

How can I avoid a breach?

The primary purpose of HIPAA is to prevent breaches of PHI. Providers can protect themselves from breaches by implementing a few key measures.

  • Complete a Security Risk Analysis (SRA) to identify gaps in compliance.

  • Implement data encryption on any device that houses PHI. The reason this is so important is that the government does not require breach reporting if a lost or stolen device was encrypted.

  • Ensure that HIPAA policies and procedures are current and implemented, including an annual HIPAA compliance training for all staff with access to PHI (clinical and administrative). You can take the Academy’s HIPAA Training for Medical Office Module to comply with this requirement.

What flexibilities have been offered during COVID-19?

As it relates to expanded teledermatology services, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion to empower covered health care providers to use widely available communications applications without the risk of penalties imposed by the OCR for violations of HIPAA rules for the good faith provision of telehealth services (PDF download). Check out the Academy’s curated HIPAA-compliant telehealth apps.

What can I do today to ensure I am compliant?

The AAD has developed resources that help you identify gaps and provide targeted guidance to help you become compliant. These tools will help you comply with HIPAA:

Being compliant with HIPAA regulations is not just about avoiding breaches and the financial penalties that come with them; it is also about maintaining your reputation and your patients’ trust. Staying compliant keeps that trust intact and prevents financial hardship.