This is archived HHS content.
Health Information Privacy
U.S. Department of Health & Human Services
Smaller Providers and Businesses
What does the HIPAA Privacy Rule do?
Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?
Who must comply with HIPAA privacy standards?
When did covered entities have to meet these HIPAA privacy standards?
Will the Department of Health and Human Services (HHS) make future changes to the HIPAA Privacy Rule and, if so, how will these changes be made?
Can health care providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard?
Does the HIPAA Privacy Rule require hospitals and doctors' offices to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard?
May physicians' offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients' homes?
May physicians' offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?
Are physicians and doctors' offices prohibited from maintaining patient medical charts at bedside or outside of exam rooms, or from engaging in other customary practices where the potential exists for patient information to be incidentally disclosed to others?
A clinic customarily places patient charts in the plastic box outside an exam room. It does not want the record left unattended with the patient, and physicians want the record close by for fast review right before they walk into the exam room. Will the HIPAA Privacy Rule allow the clinic to continue this practice?
May mental health practitioners or other specialists provide therapy to patients in a group setting where other patients and family members are present?
Are covered entities required to document incidental disclosures permitted by the HIPAA Privacy Rule, in an accounting of disclosures provided to an individual?
Do the HIPAA Privacy Rule's provisions permitting certain incidental uses and disclosures apply only to treatment situations or discussions among health care providers?
Is a covered entity required to prevent any incidental use or disclosure of protected health information?
How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?
Won't the HIPAA Privacy Rule's minimum necessary restrictions impede the delivery of quality health care by preventing or hindering necessary exchanges of patient medical information among health care providers involved in treatment?
Do the HIPAA Privacy Rule's minimum necessary requirements prohibit medical residents, medical students, nursing students, and other medical trainees from accessing patient medical information in the course of their training?
Must the HIPAA Privacy Rule's minimum necessary standard be applied to uses or disclosures that are authorized by an individual?
Are providers required to make a minimum necessary determination to disclose to Federal or state agencies, such as the Social Security Administration (SSA) or its affiliated agencies, for individuals' applications for federal or state benefits?
Doesn't the HIPAA Privacy Rule minimum necessary standard conflict with the HIPAA transaction standards?
Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time the entire medical record is disclosed?
A provider might have a patient's medical record that contains older portions of a medical record that were created by another previous provider. Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?
In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigning office space and upgrading computer systems, in order to comply with the HIPAA Privacy Rule's minimum necessary requirements?
Is a covered entity required to apply the HIPAA Privacy Rule's minimum necessary standard to a disclosure of protected health information it makes to another covered entity?
Does the HIPAA Privacy Rule change the way in which a person can grant another person health care power of attorney?
If someone has a health care power of attorney for an individual, can they obtain access to that individual's medical record?
Can the personal representative of an adult or emancipated minor obtain access to the individual's medical record?
How can family members of a deceased individual obtain the deceased individual's protected health information that is relevant to their own health care?
Does the HIPAA Privacy Rule address when a person may not be the appropriate person to control an individual's protected health information?
May personal representatives access health information based on a non-health care power of attorney?
How does a covered entity identify an individual’s personal representative?
Does the HIPAA Privacy Rule allow parents the right to see their children’s medical records?
If a child receives emergency medical care without a parent's consent, can the parent get all information about the child's treatment and condition?
Does the HIPAA Privacy Rule provide rights for children to be treated without parental consent?
May a psychologist continue his practice to notify a parent before treating his or her minor child, even though the minor child is able to consent to such health care under state law?
Is a covered entity liable for, or required to monitor, the actions of its business associates?
Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?
Is a business associate contract required for a covered entity to disclose protected health information to a researcher?
When is a health care provider a business associate of another health care provider?
May a covered entity share protected health information directly with another covered entity's business associate?
Are covered entities that engage in joint activities under an organized health care arrangement (OHCA) required to have business associate contracts with each other?
Is a business associate contract required with organizations or persons where inadvertent contact with protected health information may result - such as in the case of janitorial services?
Are the following entities considered "business associates" under the HIPAA Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?
Does the HIPAA Privacy Rule require a business associate to provide individuals with access to their protected health information or an accounting of disclosures, or an opportunity to amend protected health information?
Do physicians with hospital privileges have to enter into business associate contracts with the hospital?
I want to hire the intended recipient of a limited data set to also create the limited data set as my business associate. Can I combine the data and use agreement and business associate contract?
If the only protected health information a business associate receives is a limited data set, does the HIPAA Privacy Rule require the covered entity to enter into both a business associate agreement and data use agreement with the business associate?
Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity's business associate as the minimum necessary?
Is a physician or other provider considered to be a business associate of a health plan or other payer?
Is a reinsurer a business associate of a health plan?
Is a software vendor a business associate of a covered entity?
How does the HIPAA Privacy Rule change the laws concerning consent for treatment?
Can a pharmacist use protected health information to fill a prescription that was telephoned in by a patient's physician without the patient's written consent if the patient is a new patient to the pharmacy?
Can a health care provider, such as a specialist or hospital, to whom a patient is referred for the first time, use protected health information to set up appointments or schedule surgery or other procedures without the patient's written consent?
Are health care providers restricted from consulting with other providers about a patient’s condition without the patient’s written authorization?
Does the HIPAA Privacy Rule restrict pharmacists from giving advice about over-the-counter medicines to customers?
Can a patient have a friend or family member pick up a prescription for her?
What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?
May a health care provider disclose protected health information to a health plan for the plan's Health Plan Employer Data and Information Set (HEDIS)?
Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?
Does the HIPAA Privacy Rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act (FCRA)?
Does the HIPAA Privacy Rule prevent health plans and providers from using debt collection agencies? Does the Privacy Rule conflict with the Fair Debt Collection Practices Act?
Does the HIPAA Privacy Rule permit an eye doctor to confirm a contact prescription received by a mail-order contact company?
Does a physician need a patient's written authorization to send a copy of the patient's medical record to a specialist or other health care provider who will treat the patient?
Is a hospital permitted to contact another hospital or health care facility, such as a nursing home, to which a patient will be transferred for continued care, without the patient's authorization?
When an ambulance service delivers a patient to a hospital, is it permitted to report its treatment of the patient and patient's medical history to the hospital, without the patient's authorization?
When is an authorization required from the patient before a provider or health plan engages in marketing to that individual?
How can I distinguish between activities for treatment or health care operations versus marketing activities?
Do disease management, health promotion, preventive care, and wellness programs fall under the HIPAA Privacy Rule's definition of "marketing"?
Is it marketing for a covered entity to describe products or services that are provided by the covered entity to its patients, or to describe products or services that are included in the health plan's plan of benefits?
Is it marketing for a covered entity to describe the entities participating in a health care provider network or a health plan network?
Is it marketing for an insurance plan or health plan to send enrollees notices about changes, replacements, or improvements to existing plans?
Can health plans communicate about health-related products or services to enrollees that add value to, but are not part of, a plan of benefits?
Can a doctor or pharmacy be paid to make a prescription refill reminder without a prior authorization under the HIPAA Privacy Rule?
Are appointment reminders allowed under the HIPAA Privacy Rule without authorizations?
What are examples of "alternative treatments" that are excepted from the HIPAA Privacy Rule's definition of "marketing"?
Are prior authorizations required when a doctor or health plan distributes promotional gifts of nominal value?
Are health care providers required to seek a prior authorization before discussing a product or service with a patient, or giving a product or service to a patient, in a face-to-face encounter?
Must insurance agents that are business associates of a health plan seek a prior authorization before talking to a customer in a face-to-face encounter about the insurance company's other lines of business?
What effect do the “marketing” provisions of the HIPAA Privacy Rule have on Federal or State fraud and abuse statutes?
May covered entities use information regarding specific clinical conditions of individuals in order to communicate about products or services for such conditions without a prior authorization?
Are communications concerning information to beneficiaries about government programs or government-sponsored programs "marketing" under the HIPAA Privacy Rule?
Must a health care provider or other covered entity obtain permission from a patient prior to notifying public health authorities of the occurrence of a reportable disease?
Does the public health provision of the HIPAA Privacy Rule require covered entities to make public health disclosures?
May covered entities disclose facially identifiable protected health information, such as name, address, and social security number, for public health purposes?
Does the HIPAA Privacy Rule's public health provision permit covered entities to disclose protected health information to authorities such as the National Institutes of Health (NIH)?
To whom may covered entities make public health disclosures regarding a product regulated by the Food and Drug Administration (FDA) when more than one person is identified on the product label?
Is a covered entity permitted to disclose protected health information under the HIPAA Privacy Rule's public health provision when the link between an adverse event and a product regulated by the Food and Drug Administration (FDA) is only suspected?
Does the HIPAA Privacy Rule's public health provision permit covered entities to disclose protected health information without authorization to a manufacturer of a product regulated by the Food and Drug Administration (FDA) for use by the manufacturer to assess the effectiveness of its marketing campaign?
Does the HIPAA Privacy Rule's public health provision permit covered health care providers to disclose protected health information concerning the findings of pre-employment physicals, drug tests, or fitness-for-duty examinations to an individual's employer?
Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)?
Does an individual have a right under the HIPAA Privacy Rule to restrict the protected health information his or her health care provider discloses for workers' compensation purposes?
Does the HIPAA Privacy Rule permit a health care provider to disclose an injured or ill worker's protected health information without his or her authorization when requested for purposes of adjudicating the individual's workers' compensation claim?
I am a health care provider and my state law says I have to provide a workers' compensation insurer, upon request, with an injured worker's records that relate to treatment or hospitalization for which compensation is being sought. Am I permitted to disclose the information required by my state law?
My state law says I may disclose records, relating to the treatment I provided to an injured worker, to a workers' compensation insurer for purposes of determining the amount of or entitlement to payment under the workers' compensation system. Am I allowed to share this information under the HIPAA Privacy Rule?
My state law says I may provide information regarding an injured worker's previous condition, which is not directly related to the claim for compensation, to an employer or insurer if I obtain the worker's written release. Am I permitted to make this disclosure under the HIPAA Privacy Rule?
Are hospitals or other health care providers required to provide their notices to patients they treat in an emergency?
If a health care provider chooses to obtain an individual's consent to use or disclose protected health information about them, does the provider also have to make a good faith effort to obtain the individual's acknowledgement of the notice?
Can covered entities distribute their notices as part of other mailings or distributions?
Does the HIPAA Privacy Rule require a health care provider to obtain a new acknowledgement of receipt of the notice from patients if the facility changes its privacy policy?
Does the HIPAA Privacy Rule permit health care providers to obtain an electronic acknowledgement of the notice from individuals?
Are covered entities permitted to give individuals a “layered” notice?
Are health plans required to make a good faith effort to obtain from their enrollees a written acknowledgement of receipt of the notice?
How are health care providers supposed to provide the notice to individuals and obtain their written acknowledgement of the notice when the first treatment encounter is over the phone or in some other manner that is not face-to-face?
We participate in an organized health care arrangement (OHCA). How are we to comply with the HIPAA Privacy Rule's requirements for providing notices and obtaining individuals' acknowledgements of the notice?
Does a health plan have to provide a copy of its notice to each dependent receiving coverage under a policy?
For group health plan products, can the health plan send its notice to the administrator of the group product or the plan sponsor for them to distribute to each employee enrolled in the plan?
As a pediatrician, am I required to give my notice of privacy practices to the children I treat?
Are health care providers required by the HIPAA Privacy Rule to post their entire notice at their facility or may they post just a brief description of the notice?
Can a covered entity bypass obtaining an individual's authorization for a use or disclosure not permitted by the HIPAA Privacy Rule simply by informing individuals of the use or disclosure through its notice of privacy practices?
Is our medical practice required to notify patients through the mail of any changes to our notice?
Is a physician required to give her notice to every patient or can she just post the notice in her waiting room and give a copy to those patients who ask for it?
It is common for hospitals and other health care providers to collect preoperative information over the phone from a new patient prior to the day of surgery in order to determine whether the patient has any special medical concerns or issues that need to be addressed. Does the HIPAA Privacy Rule prohibit this practice if the patient has not yet received or acknowledged the provider's notice?
Is a pharmacist permitted to have a customer acknowledge receipt of the notice by signing or initialing the log book that they already sign when they pick up prescriptions?
If I believe that my privacy rights have been violated, when can I submit a complaint?
If patients request copies of their medical records as permitted by the Privacy Rule, are they required to pay for the copies?
Does the HIPAA Privacy Rule protect genetic information?
Can a physician’s office fax patient medical information to another physician’s office?
My state requires consent to use or disclose health information. Does the HIPAA Privacy Rule take away this protection?
Are the following types of insurance covered under HIPAA: long/short term disability; workers' compensation; automobile liability that includes coverage for medical payments?
Is an entity that is acting as a third party administrator to a group health plan a covered entity?
Was the Privacy Rule compliance date delayed by the Administrative Simplification Compliance Act (ASCA) that was enacted in December 2001?
Does the HIPAA Privacy Rule require that covered entities provide patients with access to oral information?
Does the HIPAA Privacy Rule require that covered entities document all oral communications?
Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?
Is a flexible spending account or a cafeteria plan a covered entity for purposes of the Privacy Rule and the other HIPAA, Title II, Administrative Simplification standards?
Does the Privacy Rule permit health plans to disclose protected health information to pharmaceutical manufacturers for the adjudication of drug rebate contracts?
Must a covered entity with a Notice of Privacy Practices that reflects more stringent state laws of multiple states, revise the whole Notice every time one state law materially changes?
Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization?
Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone?
Were there Privacy Rule compliance deadlines in 2004?
Must all small health plans comply with the Privacy Rule?
I’m an employer that offers a fully insured group health plan for my employees. Is the fully insured group health plan subject to all of the Privacy Rule provisions?
As an employer, I sponsor a group health plan for my employees. Am I a covered entity under HIPAA?
Does the HIPAA Privacy Rule limit what a doctor can do with a family medical history?
May a covered entity disclose protected health information in response to a court order?
May a covered entity use or disclose protected health information for litigation?
May a covered entity that is a plaintiff or defendant in a legal proceeding use or disclose protected health information for the litigation?
What “satisfactory assurances” must a covered entity that is not a party to the litigation receive before it may respond to a subpoena without a court order?
For disclosures for judicial and administrative proceedings, can notice be provided to the individual's lawyer instead of the individual?
For disclosures for judicial and administrative proceedings, when is a copy of the subpoena itself sufficient satisfactory assurance of notice to the individual?
In providing legal services to a covered entity, must a lawyer who is a business associate require that those persons to whom it discloses protected health information agree to abide by the privacy restrictions and conditions that apply to the lawyer?
When must a covered entity account for disclosures of protected health information made during the course of litigation?
May a covered entity that is not a party to a legal proceeding disclose protected health information in response to a subpoena, discovery request, or other lawful process that is not accompanied by a court order?