American Osteopathic Association


Five Questions on HIPAA Compliance with the AOA Department of Practice Management and Delivery Innovations

Sept. 23, 2013

Today is the deadline for physicians and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to comply with the new privacy and security requirements announced in the Jan. 25 Federal Register. The new rules enhance patients’ privacy rights and safeguard patients’ health information as the health care industry transitions to a digital world. The new rules also give the Office for Civil Rights increased authority to monitor and fine those who do not comply.

  1. What must physician practices do to remain HIPAA-compliant under the new rules?
    The primary things physician practices must do are to update their business associate agreements; update and post their notices of privacy practices; revise policies and procedures; and educate all staff and patients on the new rules.

  2. What can happen if I don’t make the changes?
    If you do not make the necessary changes, you will be subject to civil penalties of between $100 (per violation) and $25,000 for identical violations during a calendar year. Privacy breaches are subject to penalties of up to $1.5 million.

  3. What constitutes a privacy breach?
    Any breach or disclosure of a patient’s protected health information (PHI) is now reportable unless, after completing a risk analysis, you are able to establish there is minimal risk to the patient due to the breach. The risk analysis must consider four factors: who received the unauthorized PHI and if that person will protect its confidentiality; the type and extent of the PHI released (e.g., the level of sensitivity, either financial or clinical, and the likelihood that the patient can be identified by the information released); whether the PHI was actually viewed or accessed; and whether the recipient took appropriate mitigating action.

  4. Are there changes to patients’ rights that my practice needs to know about?
    Yes. Patients now can instruct physicians not to disclose services the patient pays out of pocket to their insurers. Practices will need to determine how they will then flag this out-of-pocket service to prevent an insurer from finding out. Aside from Notice of Privacy Practices (NPP), the recent changes to HIPAA also expand a patient’s right to obtain a digital copy, as opposed to a paper copy, of his or her electronic health record.

  5. Where can I find additional details from trusted public and private websites?
    Visit the HIPAA section on to access a business associate agreement template, NPP documents, and an explanatory webinar on the changes to HIPAA. You may also visit the U.S. Department of Health and Human Services website.

If you have questions about how to make sure your practice is HIPAA-compliant, contact the AOA at (312) 202-8000 or (888) 62-MY-AOA (888-626-9262).

The above information was compiled from the Federal Register, the January 2013 news release and the HIPAA section.
