A fact sheet summarizes important provisions in HIPAA Administrative Simplification regulations designed to streamline and simplify health care transactions using standards, operating rules, unique identifiers, and code sets that save time and money. The fact sheet includes links to the regulations for easy reference.

Enforcement of HIPAA Telehealth Requirements

After exercising and temporarily extending enforcement discretion allowing the use of non-HIPAA-compliant communications technology for telehealth throughout the pandemic, HHS enforcement resumes as of August 9, 2023.  The April 11, 2023 HHS announcement included a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth.

Are You a Covered Entity?

Providers who electronically submit HIPAA transactions, like claims, are covered.  See the CMS site for details, including a decision tool.

CMS Administrative Simplification Fact Sheets

The Administrative Simplification Basics fact sheets are designed to help the health care industry understand the purpose of HIPAA adopted transactions and to explain which standards and operating rules govern each transaction.

HHS Updates Guidance on Disclosing PHI

The Department of Health and Human Services Office of Civil Rights (OCR) released guidance documents on how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits disclosures of protected health information (PHI).  HIPAA FAQs for Professionals are organized into several searchable categories.

In addition, OCR and the Office of the National Coordinator for Health Information Technology (ONC) released a fact sheet explaining how HIPAA permits disclosures of PHI to support public health activities conducted by public health agencies, as authorized by state or federal law. It provides examples of how to exchange PHI for scenarios such as:

  • Reporting of disease
  • Conducting public health surveillance
  • Public health investigations and interventions
  • Exchanges subject to Food and Drug Administration jurisdiction
  • Identifying patients exposed to a communicable disease
  • Supporting medical surveillance of the workplace
  • Using certified electronic health record technology

In August 2016, the Maryland Attorney General issued an opinion on a health care provider giving information to the parents or custodian of a person over the age of 18 who is having a mental health crisis.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA addresses several areas: health insurance continuity when a person changes employment, transmission and safeguarding of electronic health information, and protecting confidentiality of health care information.

HIPAA’s Privacy Rule establishes standards for use, disclosure, and protection of all (electronic, paper, oral) health information created by “covered entities.” The rule includes, for example, rights for patients to access and amend their own medical records.  Every physician who transmits health information electronically must comply. This includes psychiatrists on whose behalf someone else transmits data electronically, such as a billing service. A written agreement must be in place with all business associates, who are others with whom patient information is shared for such purposes as billing, fee collections, and the like.  Every patient must be given a written notice of privacy polices and practices at the time of the first professional service and attest to receipt of the notice. Copies of all authorizations must be kept for at least six years.  A record of releases of information must be kept and provided it to the patient upon request.

For more details, sample forms and notices and other resources, please visit the APA site.

A complete list of HIPAA medical privacy resources is available on the HHS website.