Understanding HIPAA for Dummies


Medical Transcription Work and HIPAA

Related Book

Medical Transcription For Dummies

By Anne Martinez

As a medical transcriptionist, you’ll be entrusted with sensitive patient data. Legally speaking, you won’t get very far down the medical transcription trail before you run into HIPAA (pronounced hip-uh). You have a legal, moral, and ethical duty to protect patient data. Besides, it’s the right thing to do.

HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. The key component that medical transcriptionists must be up on is the Privacy Rule. That’s the part that defines a set of national standards for protection and disclosure of certain types of individual health information, called protected health information (PHI). In a nutshell, if PHI gets out in violation of the Privacy Rule, heads will roll.

This is a boiled-down summary of key information extracted from hundreds of pages of legislation. It’s intended to give you the big picture, not a definitive legal determination about how HIPAA applies to you.

HIPAA is a federal statute that made sweeping changes to healthcare laws. Although it was enacted in 1996, it wasn’t fully implemented until 2003. Since then, additional laws have been passed that modified regulations and added enforcement provisions.

HIPAA’s primary purpose was to help workers continue health insurance coverage when they change jobs or become unemployed. It also included another section, called Administrative Simplification (AS), which is the part that has substantially impacted the medical transcription profession. The AS section of HIPAA gives patients greater control of (and access to) their own medical records and how their personal health information is used.

That form you now sign every time you visit a new health provider confirming that they’ve given you a copy of their patient privacy policy comes from this section.

It also includes the Privacy Rule and the Security Rule, which together regulate how particular members of the healthcare industry must manage individual health information. You can think of it as the who, what, how, and “or else” of protecting personal health information.

The Privacy Rule applies to all PHI, including paper and electronic. The Security Rule deals specifically with standards for the security of electronic protected health information (e-PHI). It defines administrative, physical, and technical safeguards that must be employed.

Failure to comply with HIPAA can lead to stiff penalties. Civil penalties go from $100 per violation to $25,000 per calendar year, and criminal penalties top out at ten years’ imprisonment and a $250,000 fine. Now that’s an “or else” with some teeth to it!

HIPAA laws apply to

  • Health plans

  • Healthcare clearinghouses (entities that facilitate handling electronic healthcare transactions)

  • Healthcare providers who transmit health information in electronic form for certain types of transactions, such as submitting insurance claims

  • Business associates of the preceding (potentially including you)

The first three are collectively referred to as covered entities. Business associate is the term used to describe third parties that covered entities disclose PHI to, such as medical transcription services.

Before a covered entity can disclose PHI to a business associate, there must be a written contract in place that ensures the associate will appropriately safeguard the information. The contract is called a business associate agreement, and medical transcriptionists who contract with medical transcription service organizations (MTSOs) can expect to sign one.

Originally, business associates were accountable to the covered entity through these contracts, and the covered entity was accountable to the federal government for HIPAA compliance. The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009, included provisions that made business associates directly liable to the government for HIPAA violations.

The Privacy Rule and Security Rule are enforced by the Office for Civil Rights (OCR). In 2010, the OCR issued a Notice of Proposed Rulemaking (NPRM) that expands the definition of business associate to include subcontractors, a category that includes medical transcriptionist independent contractors (ICs) who work for MTSOs. The NPRM potentially makes medical transcriptionist ICs directly liable to the federal government for failure to comply with HIPAA regulations.

In summary, HIPAA + HITECH + NPRM = MT ICs must preserve, protect, and defend the privacy and confidentiality of the records (voice files, transcribed reports, logs, and so on) handled during the transcription process, and prevent theft or loss of protected health information.

If you’re aching for further, intricate details, visit the following websites:

  • The health information privacy website of the U.S. Department of Health and Human Services provides extensive information about the HIPAA Privacy Rule and Security Rule. It also includes business associate contract examples.

  • For an overview of HIPAA from the big-picture perspective, not just the patient privacy components, Wikipedia is a good place to start.

HIPAA is a federal law, but it doesn’t override state laws regarding patient privacy. Some states have different laws regulating patient privacy. It’s best to be aware of both and comply with the most stringent requirements.


HIPAA Rules Explained

New Medical Privacy Rules Meant to Protect Your Health Records

By Daniel J. DeNoon

April 22, 2003 — HIPAA forms. You got them from your doctor. You got them from your pharmacist. You got them from your insurance company and maybe even from your employer. What’s up?

Blame a deadline for the flurry of forms. On April 14, 2003, healthcare providers had to comply with HIPAA rules. On that date, everybody with access to your medical records had to be able to prove they had a plan for keeping those records private.

You had to sign a form agreeing that they told you they had a plan, and that they’ll show it to you if you want to see it. And if you work for a company involved in keeping medical records, you had to show that you understood the new HIPAA rules.

Other than the forms, what’s truly new? Don’t look to the name for an explanation. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. The original idea was to force the healthcare industry to save money by computerizing paper records. That led to concerns over privacy — and new privacy regulations from the Department of Health and Human Services (HHS).

Here’s the bottom line: HIPAA rules give you new rights to know about — and to control — how your health information gets used.

  • Your healthcare provider and your insurance company have to explain how they’ll use and disclose health information.
  • You can ask for copies of all this information, and make appropriate changes to it. You can also ask for a history of any unusual disclosures.
  • If someone wants to share your health information, you have to give your formal consent.
  • You have the right to complain to HHS about violations of HIPAA rules.
  • Health information is to be used only for health purposes. Without your consent, it can’t be used to help banks decide whether to give you a loan, or by potential employers to decide whether to give you a job.
  • When your health information gets shared, only the minimum necessary amount of information should be disclosed.
  • Psychotherapy records get an extra level of protection.


WebMD asked Kimberly Rask, MD, PhD, director of the center on health outcomes and quality at Emory University’s Rollins School of Public Health, to put HIPAA rules into perspective.

Q: What does HIPAA mean to the average person? What has changed?

Rask: The intent is to protect the privacy of your health information. What’s different is that HIPAA puts some very specific rules in place about when, how, and what kind of information can be shared. Also, it makes sure that the person whose information is being shared is aware of that possibility.

Q: What will happen when we see our doctors?

Rask: There are two things patients will see. First, doctors’ offices will ask patients to sign papers saying they are aware the office has privacy policies in place. They can review those policies if they like. Second, patients may be asked to sign forms that authorize sharing of medical information with other healthcare providers involved in their care. They may be required to sign separate forms for each provider.

Q: Is this really going to make our medical records more private?

Rask: I think actually, from a privacy perspective, having these regulations in place guarantees a higher level of privacy. I don’t think there’s a downside here.

Q: What’s not to like?

Rask: Where there is a downside is in bigger issues that don’t relate to individual patients. Example one: In order to comply, many doctors, hospitals, etc. are spending enormous amounts [of money] to become compliant. Dollars that go to this are not dollars that go elsewhere. It is important to think about the costs of making this paperwork trail. At a time when we are having so much trouble providing minimal healthcare to so much of our population, I would like to see more of an emphasis on care than on paperwork. But that is a trade-off we are making to ensure better privacy.

The second problem I have is that we aren’t just concerned with the care given to an individual patient. We also are concerned about the quality of care we provide and about patient safety. For these larger issues, researchers need to be able to look at patient information. We need to be able to tell when things went wrong and when they went right. The more we restrict this research, the more we restrict our ability to describe and improve what is going on in the healthcare system. That is a trade-off, too. Some people would feel that the privacy of an individual outweighs any other benefit. On the other hand, it is very difficult to change or improve healthcare if we can’t look at what is being done.


Q: Are computerized records really more secure than paper records?

Rask: There are very good ways to protect data electronically. Although it sounds scary, it makes data more protected than current paper records. For example, think about someone looking at your medical chart in the hospital. It has a record of all that is happening — lab results, doctor consultations, nursing notes, orders, prescriptions, etc. Anybody who opens it for whatever reason can see all of this information. But if the chart is an electronic record, it’s easy to limit access to any of that. So a physical therapist writing physical therapy notes can only see information related to physical therapy. There is an opportunity with electronic records to limit information to those who really need to see it. It could in many ways allow more privacy than current paper records.

Q: What else needs to be done?

Rask: We need discussion of why it might be useful — for all of us — to do some sharing of health information for the broader purpose of monitoring and improving the quality of healthcare. There is a value to this. The crux of the issue is how do you balance this? How do you make sure that the specific information researchers want to know is available while preventing inappropriate access to personal information? HIPAA is trying to protect us from inappropriate use of our medical records. In doing that, it also restricts some appropriate uses.


Answering your HIPAA questions

Understanding HIPAA for Dummies

Posted By: hipaanswers
September 26, 2017


HIPAA Simplified History

Legislators originally proposed HIPAA in 1996 as a means of addressing concerns about the privacy and security of patient healthcare information and the risks brought by novel technologies. Since then, the Act has expanded considerably in scope. Broadly, HIPAA governs health insurance fraud and tax provisions for medical savings accounts, and ensures acceptance of workers with pre-existing conditions into occupational healthcare insurance schemes.

In the two decades since its creation, HIPAA (via the HITECH Act) has also been responsible for encouraging the healthcare industry to computerize paper records. This led to concerns over unauthorized disclosures of “Protected Health Information” (PHI). In response to these potential threats, HIPAA has been updated with new privacy and security regulations, most recently in 2013. The regulations addressed technological advances in the healthcare industry since the original legislation was passed, and expanded responsibility for the integrity of PHI to Business Associates.

The HIPAA regulations are enforced by the U.S. Department of Health & Human Services’ Office for Civil Rights. State Attorneys General can also act against parties discovered to be violating HIPAA. The Office for Civil Rights has the authority to impose fines on Covered Entities and Business Associates for breaches of PHI unless the offending party can demonstrate a low probability that patient health information was compromised.

Simplified HIPAA Overview

There has been some debate as to what constitutes PHI. Below is a list of eighteen so-called “personal identifiers”. Any one of these items could be used to identify which patient is connected to the PHI. If an unauthorised individual gets access to any of these identifiers, then the integrity of the patient’s medical history or payment history is compromised.

  • Names or part of names
  • Any other unique identifying characteristic
  • Geographical identifiers
  • Dates directly related to an individual
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health insurance beneficiary numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Fingerprints, retinal and voice prints
  • Full face or any comparable photographic images
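As an added example (not code from the hipaanswers article), here is a small Python scanner that checks free text for the machine-detectable subset of the identifiers listed above and redacts them before a record leaves a controlled system. Names, addresses, biometrics and photos cannot be caught by regular expressions and are left for manual review; the MRN format and the sample record are constructed assumptions.

```python
"""
Scanner for the regex-detectable subset of the 18 HIPAA Safe Harbor identifiers.
Patterns run in a fixed order on progressively redacted text, so an IP address
that only appears inside a URL is reported once, as part of the URL.
"""
import re
from typing import Dict, List

# Category -> pattern. The "MRN" prefix and the 6+ digit length are assumptions
# about this constructed record format, not part of the regulation.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "web_url": re.compile(r"\bhttps?://[^\s<>;,]+"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Covers both phone and fax numbers: 3-3-4 digits with a separator.
    "phone_or_fax_number": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.]\d{4}\b"),
    "social_security_number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Dates tied to an individual: MM/DD/YYYY or "Month D, YYYY".
    "date": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{4}"
        r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}, \d{4})\b"
    ),
    "medical_record_number": re.compile(r"\bMRN[:#\s]*\d{6,}\b"),
}


def _placeholder(category: str) -> str:
    return f"[{category.upper()}]"


def scan(text: str) -> Dict[str, List[str]]:
    """Return the identifier values found in `text`, keyed by category."""
    found: Dict[str, List[str]] = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[category] = matches
            # Redact what we just found so later patterns do not re-match it.
            text = pattern.sub(_placeholder(category), text)
    return found


def redact(text: str) -> str:
    """Replace every detected identifier with a category placeholder."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(_placeholder(category), text)
    return text


def is_safe_harbor_clean(text: str) -> bool:
    """True when none of the regex-detectable identifiers remain in `text`."""
    return not scan(text)


# Constructed sample record; none of these values belong to a real person.
SAMPLE_RECORD = (
    "Patient MRN 00123456 seen on 03/14/2023; callback (555) 010-2345, "
    "fax 555.010.9876, email j.doe@example.com. "
    "Portal export fetched from https://portal.example.org/10.0.0.5/chart; "
    "lab workstation 192.168.1.20 viewed it. SSN 123-45-6789 on file. "
    "Follow-up scheduled March 3, 2024."
)

if __name__ == "__main__":
    for category, values in scan(SAMPLE_RECORD).items():
        print(f"{category}: {values}")
    print(redact(SAMPLE_RECORD))
```

A clean result from `is_safe_harbor_clean` only means the regex-detectable categories are absent; names, geographic details and free-text dates still need a human or NLP pass.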

Who must comply with HIPAA?

Unless unique circumstances apply, all health plans, health care clearinghouses, health care providers and endorsed sponsors of the Medicare prescription drug discount card are “HIPAA Covered Entities” under the Act. These entities regularly handle Protected Health Information, and must take care to comply with HIPAA.

“Business Associates” are also covered by HIPAA. These are entities that do not create, receive, maintain or transmit Protected Health Information in their primary occupation, but that provide third-party services and activities for Covered Entities during which they will encounter PHI. Prior to undertaking a service or activity on behalf of a Covered Entity, a Business Associate must sign a Business Associate Agreement guaranteeing to ensure the integrity of any PHI to which it has access.

Clarity is needed when considering self-insured single-employer group health plans and employers who act as intermediaries between employees and health care providers. HIPAA states employers are not Covered Entities unless the nature of their business falls within the criteria to be a Covered Entity. For example, an organisation that employs staff at a medical center would be a Covered Entity. However, as self-insuring and intermediary employers handle PHI that is protected by the HIPAA Privacy Rule, they are considered “Virtual Entities” and subject to HIPAA compliance.

Changes to HIPAA Since 2013

The Final Omnibus Rule was enacted within HIPAA in 2013. This introduced new guidelines on how PHI must be accessed and communicated in a medical-related environment. The revised Act gives patients further rights to know and control how their health information is used. It also extends the controls on HIPAA-covered entities and Business Associates to how patient information is accessed and communicated.

HIPAA requires that covered entities and Business Associates implement mechanisms in their data handling to restrict the flow of information to within a private network, monitor activity on the network and take measures to prevent the unauthorized disclosure of PHI beyond the network’s boundaries. CEs are expected to conduct thorough risk assessments, and new reporting procedures have been developed to cover data breaches.

Revisions to the HIPAA Security Rule explicitly state that safeguards must be implemented for HIPAA-compliant storage and the communication of ePHI. These safeguards are described in the HIPAA Security Rule as either “required” or “addressable”. Despite this wording, all the safeguards are generally required for a CE to remain HIPAA compliant.

The Office for Civil Rights (OCR) conducts audits on HIPAA-covered entities to ensure they comply with the regulations. When avoidable breaches of ePHI are discovered, the OCR has the authority to impose financial penalties and bring criminal charges against the negligent entity. The fines are calculated per year, per violation and with consideration of how cooperative the CE is with the OCR.

HIPAA Safeguards Explained

One area of HIPAA that has led to some confusion is the difference between “required” and “addressable” safeguards. Each safeguard is “required” unless there is a justifiable reason not to implement it. If the CE finds a reason not to implement a certain “required” safeguard, then an appropriate alternative to the safeguard must be implemented that achieves the same objective.

A scenario in which the implementation of an addressable safeguard could be unnecessary is the encryption of email. Emails containing PHI – either in the body or as an attachment – are only required to be encrypted if they are sent beyond a firewalled, internal server. However, if a healthcare organization only uses email as an internal form of communication – or has an authorization from a patient to send their information unencrypted – there is no need to implement this addressable safeguard.

The decision not to implement email encryption will have to be supported by a risk assessment and documented in writing, so that if there is a breach of PHI there is a trail of accountability. Other factors that must be considered are the organization’s risk mitigation strategy and the other safeguards put in place to protect the integrity of PHI. In general, the encryption of PHI at rest and in transit is recommended.

HIPAA and Patients

The goal of HIPAA is for patients’ healthcare information to be treated more sensitively and to be readily accessible to their healthcare providers. Electronically stored health information is far more secure than paper records, and healthcare organizations that have implemented mechanisms to comply with HIPAA regulations are witnessing improved efficiency. Overall, as well as greatly increasing the security of PHI, there is a generally higher standard of healthcare.

Along with these benefits, there are some disadvantages to ePHI. Alongside improving the standard of patient care, healthcare organizations are motivated to increase the services they can provide and improve patient safety through research. However, research is restricted by HIPAA and restricted access to PHI has the potential to slow down the rate at which improvements can be made in health care.

Healthcare organisations must invest resources into creating an improved data security system. Although the enactment of the Meaningful Use program provided financial incentives for healthcare providers to computerize paper records, implementing the necessary controls to secure ePHI can carry a substantial cost. Increasing funding for compliance has the potential to reduce the level of patient care, while the administrative burden that HIPAA compliance places on healthcare organizations further strains the limited resources available.

Explaining HIPAA to Patients

Healthcare providers are now required by law to give patients a notice of their Privacy Policy. Therefore, it is necessary to explain HIPAA to patients in a clear and concise manner. Patients must sign a copy of the policy to say they have received this information about their rights. The best way to explain HIPAA to patients is to put the relevant information in the Privacy Policy, and then give the patients a synopsis of what the policy contains.

Key points to explain to the patient include:

  • They have the right to request their medical records whenever they like.
  • They have the right to request you amend their medical records when appropriate.
  • They have the right to limit who has access to their personal health information.
  • They have the right to choose how healthcare providers communicate with them.
  • They also have the right to complain about the unauthorized disclosure of their PHI.

Unless the patient has suffered physical or financial harm due to the unauthorized disclosure of their PHI, they will not be able to bring a civil action against the negligent party. However, Covered Entities and Business Associates who violate HIPAA for personal gain or under false pretences will have criminal penalties imposed upon them by the Office for Civil Rights that could result in up to ten years’ imprisonment.

The Implications of HIPAA to Healthcare Organizations

The Office for Civil Rights can issue fines for non-compliance against organisations that violate HIPAA. Preventable data breaches are likely to see considerable financial penalties issued. Under the penalty structure introduced by HITECH, violations can result in fines of up to $1.5 million being issued by the OCR. Furthermore, lawsuits can be filed by both attorneys general and the victims of data breaches.

Healthcare organizations have increasingly been the targets for cybercriminals. Each data breach comes with huge costs attached. To comply with HIPAA, CEs must issue breach notification letters, offer credit monitoring services and cover the OCR fines. Therefore, while the initial cost of investment in the necessary technical, physical and administrative safeguards to secure patient data may be high, the improvements can result in cost savings over time because of improved efficiency.

Organizations that have already implemented mechanisms to comply with HIPAA have seen their employees’ workflows streamlined: less time is wasted playing “phone tag”, and the workforce has become more productive, allowing healthcare organizations to reinvest their savings and deliver a higher standard of healthcare to patients.

Explaining HIPAA to Employees

The employees of Covered Entities and Business Associates are required to know HIPAA legislation far more thoroughly than patients. Ignorance of HIPAA is not deemed an excuse if a breach were to occur. To comply with HIPAA, Covered Entities and Business Associates must compile privacy and security policies for their workforces, and a sanctions policy for employees who fail to comply with the requirements.

CEs are recommended to hold special compliance training sessions with their employees about HIPAA compliance. Although the HIPAA regulations state training should be provided annually, it is generally suggested, due to the complexity of HIPAA, that compliance training sessions should be short and frequent. Trying to explain HIPAA to employees in a four-hour training session will likely be unsuccessful.

Much of the training will revolve around maintaining the integrity of PHI, and how this is implemented. For example, employees will be unable to discuss patient healthcare via their mobile device unless the communications are encrypted. Due to the number of healthcare facilities implementing BYOD policies, this will mean employees must download secure communication apps to their personal mobile devices.

New Technology and HIPAA Privacy and Security Rules

There has been a push in recent years for technology to be developed to protect the integrity of PHI. Compliance with the HIPAA Privacy and Security Rules is becoming simpler to implement due to innovations such as web filtering, secure email archiving and secure messaging solutions.

Web filtering is an excellent mechanism to mitigate the risks from malware – particularly surveillance malware that can record keystrokes to obtain usernames and passwords. Several recent data breaches that have targeted large healthcare firms have been the result of malware downloads. Had a web filtering mechanism been implemented, such breaches would not have occurred.

Secure email archiving is a simple security measure with which healthcare organizations can improve their online security posture. Maintaining many years of emails can create a storage problem. However, by using a third-party secure email archiving service, healthcare organizations free up resources within their own IT infrastructure while complying with the HIPAA Privacy and Security Rules.

Secure messaging solutions also provide a smart, simple-to-use and cost-effective way of maintaining the integrity of PHI. See our other technology-based articles for more information.