Tuesday, August 23, 2022 12:00 PM

HIPAA Refresher and Frequently Asked Questions

Written by Shon Barrier, Vice President of Research & Development


Both new and well-known regulations alike were updated during the COVID-19 pandemic to better support healthcare providers. The Health Insurance Portability and Accountability Act (HIPAA) has seen some modest relaxing of some of its components but remains largely unchanged.

Here is a quick refresher of the fundamentals of HIPAA and answers to some of the most frequently asked questions.

Q. What does the HIPAA Privacy Rule do?

A. There are two main components to HIPAA: the Privacy Rule and the Security Rule.

The Privacy Rule:

  • Protects patients’ health information
  • Provides patients’ access to their medical records
  • Maintains patient confidentiality
  • Holds violators accountable with civil and criminal penalties
  • Limits disclosures to the minimum necessary PHI for the purpose of treatment, payment, and healthcare operations
  • Requires a designated privacy officer responsible for the implementation and oversight of HIPAA within the healthcare organization

The Security Rule:

  • Encompasses all data created in an electronic format (ePHI)
  • Ensures the confidentiality, integrity, and availability (CIA) of ePHI that the covered entity creates, receives, maintains, or transmits
  • Protects against any reasonably anticipated uses or disclosures of ePHI which are not permitted by the Privacy Rule
  • Ensures that the practice and its workforce, including business associates, understand and comply with the Security Rule’s requirements

Q. Who is responsible for maintaining a secure environment and patient privacy?

A. Everyone in your healthcare organization.


Q. What patient information is confidential?

A. Any data that could be used to identify a patient is considered confidential. Some common identifiers are patient names, Social Security numbers, driver’s license numbers, insurance details, and birth dates. Confidential information also includes health records, health histories, lab test results, and medical bills.


Q. Who may access PHI?

A. Only the people who need access for reasons such as treatment, payment, or operations may access a patient’s PHI.


Q. If I have access to view my own medical record electronically, is that considered a HIPAA violation?

A. No. It is not a HIPAA violation to view your own medical record. A best practice is to notify the hospital’s privacy officer of any self-access to avoid unnecessary investigations.


Q. May I access a family member’s information?

A. No. Accessing any person’s information without their consent is a HIPAA violation.


Q. May I discuss patients with anyone?

A. No. Sharing any patient information outside the necessary minimum for the purpose of treatment, payment, and healthcare operations is a violation.


Q. Who are privacy and security officers?

A. Privacy and security officers are responsible for the overall protection of patient privacy and the security of all our information, whether electronic, on paper, or in conversation. It’s a best practice to learn who your hospital has identified as your privacy and security officer(s), and to reach out to them with questions.


Q. Why are privacy and security officers important?

A. Privacy and security officers help providers stay up to date on the latest HIPAA regulations and educate the organization on new policies and procedures. For patients, privacy and security officers monitor all PHI access to ensure their information remains safe, and act quickly in the event of a potential breach.

Q. What can organizations do today to ensure they are compliant?

A. Here are some tips:

  • Stay up to date on HIPAA Privacy and Security Rules
  • Develop policies and procedures
  • Educate providers on how the Privacy Rule affects each role
  • Implement safeguards
  • Investigate violations

Q. How can iatricSystems help?

A. iatricSystems developed the patient privacy monitoring solution Haystack™ iS to help healthcare organizations remain HIPAA compliant. The goal of Haystack™ iS is not only to spot suspicious activity but also to streamline privacy teams’ workflows so they can instead focus on more strategic privacy and security initiatives.

Being compliant with HIPAA regulations is not just about avoiding breaches and the financial penalties that come with them; it is also about maintaining your reputation and your patients’ trust. For more information about how our patient privacy solution Haystack™ iS keeps your organization compliant, or for any questions, please contact us at