HIPAA overview

Updates to the Health Insurance Portability and Accountability Act (HIPAA), which took effect on March 26, 2013, include a number of provisions that affect dermatology practices. Practices and other affected entities had to be in compliance with the final rule by Sept. 23, 2013.

Among the provisions that affect dermatology practices is one that presumes any impermissible use or disclosure of protected health information (PHI) to be a breach that triggers the official notification requirements, unless the organization in question carries out a risk assessment and demonstrates a low probability that the information was compromised.

In addition, the final rule:
  • Extends the requirements of the Privacy and Security Rules to physicians' business associates and their subcontractors;
  • Establishes new limitations on the use of protected health information for marketing and fund-raising purposes;
  • Prohibits the sale of a patient's protected health information without the patient's specific authorization;
  • Expands patients' rights to request and receive electronic copies of their protected health information; and
  • Broadens patients' ability, in some instances, to restrict disclosure of their protected health information to health plans.



HIPAA compliance video series

Watch a series of videos related to HIPAA compliance presented by Louis Kuchnir, MD.

Business associates

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the rules' requirements to protect the privacy and security of health information and must provide patients with certain rights with respect to their health information.

If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that:

  1. Establishes specifically what the business associate has been engaged to do, and
  2. Requires the business associate to comply with the rules’ requirements to protect the privacy and security of protected health information.

In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA rules. Under the U.S. Department of Health and Human Services (HHS) definition, "business associates" may include health care data miners and health information technology (HIT) service providers.

HIPAA-covered entities

The term "covered entity" under the HIPAA Privacy Rule refers to three specific groups: health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with a transaction for which HHS has adopted a standard.

Covered entities under the HIPAA Privacy Rule must comply with the Rule's requirements for safeguarding the privacy of protected health information. Below are examples of organizations in two of those categories, health care providers and health plans (health care clearinghouses, the third category, are not broken out). The list also gives examples of business associates, which are not covered entities themselves but are bound by the Privacy and Security Rules through their contracts and are directly liable for certain provisions:

Health care provider
  • Doctor
  • Clinic
  • Psychologist
  • Dentist
  • Pharmacy
  • Nursing home

Health plan
  • Health insurance company
  • HMO
  • Company health plan
  • Government program

Business associates*
  • Data miners
  • HIT service providers
  • Health care attorneys
  • Accountants

*This list is not exhaustive; other vendors may be affected. "Business associate" refers specifically to a person or organization that conducts business with the covered entity involving the use or disclosure of individually identifiable health information.

Notice of privacy practices

The rule also requires covered entities to modify and redistribute their individual notice of privacy practices. At the time of this publication, the Department of Health and Human Services (HHS) has not released an updated "Notice of Privacy Practices" reflecting the new Omnibus rule. Please check back periodically; when released, the updated notice will be posted on this AAD HIPAA Web page or on the HHS website at www.hhs.gov.

Additional resources

A Guide to HIPAA and HITECH for Dermatology outlines new HIPAA compliance obligations and provides model policies and procedures.

HIPAA and Omnibus Final Rule is a three-part on-demand webinar series explaining the history of HIPAA and identifying steps dermatology practices should take to prepare for the compliance deadline.


Additional AAD resources

  • Maintaining Compliance in Dermatology: Safeguarding Against Financial Risk
  • Compliance Guide for Dermatopathology eBook
  • A Guide to HIPAA and HITECH for Dermatologists
  • Office Policy and Procedure Manual: A Guide for Dermatology Practices
  • Listing of webinars on practice management and coding topics