The Privacy Rule applies to all forms of individuals' protected health information (PHI), whether electronic, written, or oral. The HIPAA Security Rule is narrower: its requirements apply only to PHI in electronic form (ePHI).
Briefly, HIPAA requires Covered Entities to:
- Designate a person to serve as the HIPAA privacy and security officer, and assign HIPAA responsibility to that person.
- Know the use and disclosure rules for protected health information.
- Know the rights of individual patients.
- Implement and maintain written Privacy and Security policies.
- Develop compliant forms such as authorizations to release PHI and notice of privacy practices.
- Execute appropriate business associate agreements.
- Perform and document a risk analysis of PHI maintained in electronic form.
- Implement required safeguards.
- Train workforce.
- Respond immediately to any violation or breach.
- Report breaches in a timely manner.
- Document actions.
- Be aware of state laws that are more stringent than HIPAA; HIPAA sets a floor, and more protective state requirements still apply.
To help pediatric practices meet the responsibilities above, the Academy provides sample HIPAA Privacy and Security Compliance Manuals that AAP members can download free of charge.
Disclaimer: This information is general in scope and educational in nature. It is not intended as legal advice. If you require legal advice, contact an attorney.
The recommendations in this publication do not indicate an exclusive course of treatment or serve as a standard of medical care. Variations, taking into account individual circumstances, may be appropriate. This content is for informational purposes only. It is not intended to constitute financial or legal advice. A financial advisor or attorney should be consulted if financial or legal advice is desired.