HIPAA Starter

Introduction to HIPAA Compliance


HIPAA stands for the Health Insurance Portability and Accountability Act. It was enacted in 1996. HIPAA was modified by the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, and more recently by the HIPAA Omnibus Rule in 2013.

HIPAA sets the standard for protecting sensitive patient data. Any organization that handles protected health information (PHI) must ensure that the required administrative, technical, and physical safeguards are in place and followed.

This includes covered entities (CEs), which provide treatment, payment or operations in healthcare, and business associates (BAs), which have access to patient information and support treatment, payment or operations on a covered entity's behalf. Subcontractors, that is, business associates of business associates, must also comply.

Three rules were established to safeguard PHI (protected health information) and give individuals certain rights over their health information:

   PRIVACY RULE – The Privacy Rule governs how an individual's health and personal information may be stored, accessed and shared.

   SECURITY RULE – The Security Rule sets national standards for protecting health data that is created, received, maintained or transmitted electronically, known as electronic protected health information (ePHI). It requires administrative, physical and technical safeguards, including a documented risk analysis.

   BREACH NOTIFICATION RULE – The Breach Notification Rule requires HIPAA covered entities to notify the Department of Health & Human Services (HHS), affected individuals, and in some cases the media (and business associates to notify covered entities) of breaches of unsecured PHI.

Today, HIPAA matters mainly because it protects the health and personal information of patients. Any individual or organization with access to a patient's health information must comply with it.

HIPAA applies to a dentist with a single receptionist just as it applies to billion-dollar corporations with thousands of employees. HIPAA is sometimes criticized for being vague and open to interpretation, but it was designed to be flexible enough to apply to organizations of all sizes and types. That flexibility does not make it lax: failure to comply can result in large fines, lawsuits, and damage to reputation.



WHO must be HIPAA compliant?

HIPAA rules apply to two groups: covered entities and business associates. A covered entity is a health plan, health care clearinghouse, or health care provider that electronically transmits health information in connection with a standard transaction (such as a claim). And yes, HIPAA rules do apply to dental practices.

  EXAMPLES:  Doctors, Dentists, Pharmacies, Health Insurance Companies, Company Health plans

A business associate is a person or entity that performs functions or activities involving the use or disclosure of protected health information on behalf of a covered entity, or that provides services to a covered entity involving such information.

  EXAMPLES:  CPA, Attorney, IT Provider, Billing and Coding Services, Data Backup Vendor


WHAT is protected health information?

Protected health information includes anything related to healthcare treatment, diagnosis, condition, or payment. To be classified as PHI, however, the health information must also be identifiable. A good way to think of PHI is any data related to the delivery of health care services that is tied to an individual patient. There are 18 identifiers, and the presence of any one of them alongside health information makes it PHI that must be protected. Examples include the patient's name, phone number, address, email, birth date, and social security number.
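The rule above (health information plus any individual identifier equals PHI) is simple to state but easy to get wrong in practice, for example by treating a year alone as an identifier or by missing ages over 89. The following is an added example, not code from the original page or from T2 Consulting, of a minimal scanner in that spirit. It covers only a handful of the 18 identifiers with illustrative regular expressions, uses a keyword list as a stand-in for "relates to health condition, treatment or payment", and deliberately does not detect names (that requires named-entity recognition), so a negative result is a lower bound rather than a clearance. The sample records are constructed for the demonstration and are not real patient data.

```python
import re

# Added example (not from the original page). Illustrative patterns for a
# subset of HIPAA's 18 identifiers; these regexes are assumptions for the
# demonstration, not a standard or a complete list.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Safe Harbor permits the year alone; month/day/year together is an identifier.
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{5,}\b", re.IGNORECASE),
    # Ages over 89 are identifying and must be aggregated into "90 or older".
    "age_over_89": re.compile(r"\bage[d:]?\s*(9\d|1\d\d)\b", re.IGNORECASE),
}

# Assumed keyword list standing in for "relates to treatment, condition or payment".
HEALTH_TERMS = ("diagnos", "treat", "prescri", "procedure", "claim",
                "x-ray", "caries", "filling", "crown", "patient")


def find_identifiers(text):
    """Return {identifier_type: [matched strings]} for every pattern that fires."""
    found = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            found[name] = hits
    return found


def has_health_information(text):
    """True if the text mentions treatment, condition or payment (keyword heuristic)."""
    lowered = text.lower()
    return any(term in lowered for term in HEALTH_TERMS)


def is_phi(text):
    """PHI = health information AND at least one individual identifier.
    Health data with no identifier, or an identifier with no health data,
    is not PHI under this check."""
    return has_health_information(text) and bool(find_identifiers(text))


# Constructed sample records for the demonstration (not real patient data).
SAMPLES = {
    "chart_note": "Patient seen 04/12/2017, diagnosed with caries on #14; callback 952-261-9205.",
    "aggregate":  "Quarterly report: 120 patients treated for caries in 2017.",
    "invoice":    "Please email jane.roe@example.com about the outstanding invoice.",
    "age_edge":   "Patient aged 92 treated for a fractured crown, seen in 2017.",
}


def classify_samples():
    """Classify every sample; used by the demo below."""
    return {name: is_phi(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:10} phi={str(is_phi(text)):5} identifiers={find_identifiers(text)}")
```

The "aggregate" record mentions treatment but carries only a year, so it stays outside PHI; the "invoice" record carries an email address but no health information, so it is identifiable but not PHI; the "age_edge" record shows why a plain year-only rule is not enough. In a real DLP or logging filter you would extend the identifier set and replace the keyword heuristic with something tied to your actual record schema.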

WHEN does your practice need to comply with HIPAA?

HIPAA was enacted in 1996, and covered entities have been required to comply with the Privacy Rule since 2003 and the Security Rule since 2005. The HHS Office for Civil Rights (OCR) has publicly expressed its intent to expand its audit program. The proposed 2016 budget increases the OCR budget by $3.9 million, which is intended to help it set up a permanent HIPAA audit program.

Under the HITECH Act, any impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. Every breach requires written notice to the affected patients. A breach affecting 500 or more individuals also requires notice to HHS within 60 days and to prominent media outlets; smaller breaches are logged and reported to HHS annually. The Office for Civil Rights will then launch an investigation and will also publish the breach on a public website popularly known as the “Wall of Shame.”

Big-picture thinking affirms that protecting your patients' and your practice's protected health information is the same thing as HIPAA compliance. Whether you face an audit or a breach, both will test that compliance.

WHERE should health information be protected?

The easy answer is everywhere. But that misses the point of the compliance process. Dental practices need to perform a well-documented and thorough risk analysis to identify where ePHI is stored, transmitted and potentially leaked, and to create safeguards to protect it. This gives your practice a defensible position that reasonable steps have been taken to cover all relevant data stores. An investigation into historical practices must be conducted as well, and you will be expected to confirm that individual employees have actually been following policy.

WHY comply with HIPAA?

Does being compliant during an audit mean that your company can't be compromised? Let's get real: perfect security is unattainable. But a rational and dependable approach to data security will significantly reduce the risk of a data breach while improving your chances of a successful audit or investigation.

  • Required by HIPAA and the HITECH Act
  • Required for Meaningful Use incentives
  • Hundreds of HIPAA audits and thousands of breach investigations occur each year
  • Civil fines can reach up to $1.5 million per year for violations of a single provision, plus penalties for failure to cooperate
  • The “Wall of Shame” and media coverage have destroyed reputations

HOW do malicious breaches occur?

Formalizing a HIPAA compliance program and creating a culture of compliance will significantly reduce the risk of violations. Well-documented policies written with a focus on data security can achieve compliance with HIPAA/HITECH and deliver the protection that your patients and regulators expect. The most common causes of malicious breaches are:

  • Hackers exploit network vulnerabilities to gain unauthorized access.
  • Ransomware, phishing, or similar attacks that infect systems with malware.
  • Stolen or easily guessed credentials enable unauthorized access.
  • Malicious insiders, such as a disgruntled employee.
  • Physical break-ins.
  • Even though you are the victim of a crime, you remain responsible for the breach and its notification obligations.

Your Practice is at Risk!

It is expected that random HIPAA audits will continue in 2017, along with audits of your practice's business associates and your required agreements with them. The Office for Civil Rights has indicated that SOME of the key questions it will audit include the following:

  • Has your practice appointed HIPAA Privacy and Security Officers?
  • Has your practice updated Policies and Procedures and properly trained employees?
  • Has your practice completed its required HIPAA risk assessment for 2017?
  • Does your practice have updated Business Associate Agreements in place?

If you have not yet enrolled in the T2 Consulting approved program, 2017 is a good time to consider it. With the increasing rate of cyber-attacks specifically targeting the healthcare industry, T2 Consulting is concerned that many clients are not taking proper precautions, and are unaware that the government has strengthened its ability to enforce the law, with fines reaching up to $50,000 per violation and a maximum $1.5 million annual penalty.

Every T2 Consulting client gets a complimentary HIPAA Risk Assessment (a $599 value). You can take the Risk Assessment online and immediately receive your risk score with no further obligation. T2 Consulting encourages you to take 10 minutes as soon as possible to complete the Risk Assessment at https://ra.officesafe.com/#/123/t2. You will receive a 23-page Risk Analysis and a 30-minute consultation that you can schedule online once you complete the assessment.


"Thank you for visiting the TedTakahashi.com website. You are encouraged to use this site as an honest resource for your technology. I'm someone who can help you!"  

Ted Takahashi
Phone: 952.261.9205