Author: AHIMA Professional Practice Team

Source: AHIMA Q and A

Publication Date: February 02, 2004

Q: Can you explain the difference between the terms “addressable” and “required” as they are used in the final security rule?
A: The final security rule and the privacy rule use the terms “standards” and “implementation specifications.” Standards....

Author: AHIMA Professional Practice Team

Source: AHIMA Q and A

Publication Date: June 02, 2003

Q: Under the privacy rule, how should a physician’s office handle a request from parents for a written statement recommending limitation of their child’s activities at school?

A: Most covered entities have policies requiring written requests or authorizations for disclosure of....

Author: AHIMA Professional Practice Team

Source: AHIMA Q and A

Publication Date: October 2002

Because HIPAA gives patients the right to copy their medical records, does my facility have to supply a copy machine for this purpose or allow patients to take their records to a copy center?
According to section 164.520 of the HIPAA final privacy rule, an individual has "the right to inspect....

Author: AHIMA Professional Practice Team

Source: AHIMA Q and A

Publication Date: September 02, 2003

Q: Under HIPAA, how should covered entities respond to requests from public health officials who state that they need protected health information (PHI) to carry out their duties?

A: The privacy rule recognizes that PHI may be needed to respond to threats to public health, including the....

Author: AHIMA Professional Practice Team

Source: AHIMA Q and A

Publication Date: April 02, 2003

Q: Is it legal for our facility to provide an individual with an abbreviated version of the notice of privacy practices with the full version available only upon request?

A: If an abbreviated version of the notice is given to an individual, it must contain all the required elements from....

Author: AHIMA Professional Practice Team

Source: AHIMA Q and A

Publication Date: January 02, 2003

Q: Is faxing patient information legal under HIPAA?
A: If the covered entity is permitted to release the information (for treatment purposes or by authorization, for example), then using a fax machine is allowed. The privacy rule requires the entity to provide appropriate administrative, techn....

Author: AHIMA Professional Practice Team

Source: AHIMA Q and A

Publication Date: November 02, 2004

Q: As a covered entity, do I need to have satisfactory assurance (as required by HIPAA) that an individual has been notified when I am served with a search warrant for a patient's protected health information (PHI)?
A: No. A search warrant is issued by a judge and is considered the same a....

Author: AHIMA Professional Practice Team

Source: AHIMA Q and A

Publication Date: January 02, 2003

Q: Does HIPAA allow clinicians in our home health facility to pull their own records?
A: Your facility must make a reasonable effort to limit the access of your clinicians to the PHI they need to perform their duties. You will have to determine what policies are reasonable. As employees, the c....

Author: AHIMA Professional Practice Team

Source: AHIMA Q and A

Publication Date: July 02, 2002

Q: I work in a clinic setting. An attorney has requested copies of a patient’s entire record. The record includes reports dictated by one of the clinic physicians at a local hospital during the patient’s hospitalization. The attorney has the patient’s permission. Are we allowed....

Author: AHIMA Professional Practice Team

Source: AHIMA Q and A

Publication Date: May 02, 2003

Q: What is an organized health care arrangement (OHCA) and what are its advantages?


A: The privacy rule defines an OHCA as:

a clinically integrated care setting in which individuals typically receive healthcare from more than one healthcare provider

an org....

Author: AHIMA Professional Practice Team

Source: AHIMA Q and A

Publication Date: April 02, 2003

Q: Does reporting cancer surveillance to the state have to be tracked under the accounting of disclosure requirement in the HIPAA privacy rule?

A: Reporting cancer surveillance to a state agency does require tracking under HIPAA. State laws should be checked to determine if the other typ....

Author: AHIMA Professional Practice Team

Source: AHIMA Q and A

Publication Date: June 02, 2003

Q: What are a covered entity’s legal responsibilities when a former employee breaches confidentiality of information gained during his or her employment period?

A: Individual state laws would affect the outcome of litigation if charges were pressed through civil action. If the organ....

Author: AHIMA Staff

Source: AHIMA Q and A

Publication Date: May 02, 2001

Q: Does the new HIPAA privacy rule require hospitals to obtain patient consent prior to sending copies of dictated reports and test results to the patient's physician?

A: Unless the HIPAA privacy rule published on December 28, 2000 (45 CFR Parts 160 through 164) is modified by the Bush ad....

Author: AHIMA Staff

Source: AHIMA Q and A

Publication Date: March 02, 2002

Q: We have a transcriptionist who picks up tapes, transcribes them off-site, and returns them each day. Is this practice legal under HIPAA?


A: The HIPAA privacy rule does not prohibit the use of tapes for dictation, nor the use of an outside transcription vendor. The privacy rule do....

Author: AHIMA Staff

Source: AHIMA Q and A

Publication Date: September 02, 2001

Q: Because HIPAA gives patients the right to copy their medical records, does my facility have to supply a copy machine for this purpose or allow patients to take their records to a copy center?

A: According to section 164.520 of the HIPAA final privacy rule, an individual has "the ri....

Author: AHIMA Staff

Source: AHIMA Q and A

Publication Date: September 02, 2001

Q: My facility's records contain a variety of psychiatric documentation including therapists' notes from their treatment sessions with patients. How can I determine what requires special protection under HIPAA? Do I need to separate some of the documentation from the medical record? Currently all p....

Author: AHIMA Staff

Source: AHIMA Q and A

Publication Date: November 02, 2001

Q: Where can I find the updated data elements and data definitions for the Uniform Hospital Discharge Data Set (UHDDS)?

A: At this time, the 1986 UHDDS data elements and definitions are not available electronically though the information is considered to be in the public domain. The fi....

Author: AHIMA Staff

Source: AHIMA sample form

Publication Date: October 23, 2002

Author: AHIMA Staff

Source: AHIMA sample form

Publication Date: October 23, 2002

Author: AHIMA Staff

Source: AHIMA Q and A

Publication Date: April 02, 2002

Q: I have been asked to identify all of my organization’s business associates so we can update their contracts prior to the April 2003 HIPAA privacy rule compliance date. Unfortunately, existing contracts are not maintained in one place. How should I tackle this project?


A: At....

Author: AHIMA Staff

Source: AHIMA Q and A

Publication Date: March 02, 2002

Q: Does the individual to whom a patient has granted durable power of attorney for financial matters have the right to access and authorize use or disclosure of the patient’s protected health information (PHI) under HIPAA?


A: An individual granted durable power of attorney for....

Author: AHIMA Staff

Source: AHIMA Q and A

Publication Date: June 02, 2002

Q: Our facility is developing our notice of privacy practices under HIPAA. We need to decide how we will communicate with individuals when we make changes to our notice. What are the acceptable methods for communicating with our patient population? Do we have to send a paper copy to everyone whose....

Author: AHIMA Staff

Source: AHIMA Q and A

Publication Date: May 02, 2002

Q: In light of HIPAA restrictions on protected health information, I’m concerned about our HIM department’s practice of accepting HIM students for professional practice experience. What should be considered in deciding whether to continue this practice?


A: HIPAA’s pr....

Author: AHIMA Staff

Source: AHIMA Q and A

Publication Date: November 02, 2001

Q: Where can I find an easy-to-use glossary for terms in the HIPAA regulations?


A: The Workgroup for Electronic Data Interchange (WEDI) has compiled an alphabetic glossary of HIPAA terms and definitions. It is approximately 24 pages long and can be downloaded from the WEDI Web sit....

Author: AHIMA Work Group

Source: AHIMA practice brief

Publication Date: October 2016

This update supersedes the November 2013 practice brief, Guidelines for a Compliant Business Associate Agreement.



The Privacy Rule portion of the Health Insurance Portability and Accountability Act (HIPAA) defines a "business associate (BA) as a person or entity that performs....

Author: AHIMA Work Group

Source: AHIMA practice brief | Journal of AHIMA

Publication Date: April 2014

Covered entities should already have in place the mechanisms for limiting PHI under minimum necessary policies and procedures. This Practice Brief provides guidance to assist organizations in complying with the 2013 HITECH-HIPAA Omnibus Rule’s new disclosure restriction requirements.

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: June 2001

If your physicians’ attitude toward patients requesting to amend their medical record is "I’d tell them to take a hike and then call my attorney," your environment is not unique. These words, in fact, are the verbatim response of a physician upon hearing the HIPAA privacy r....

Author: Amatayakul, Margret

Source: AHIMA practice brief | Journal of AHIMA

Publication Date: October 2003

This practice brief has been updated. See the latest version here. This version is made available for historical purposes only.

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: November 2001

With tighter rules and greater penalties, many hospitals are reassessing their disclosure practices, release of information functions, and copy service contracts. What are the issues to be concerned about?

What Rules Apply?


The entire set of privacy standards relate....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: July 2003

October 16, 2003, is just a few months away. Has your organization addressed all the code set issues that are part of the HIPAA financial and administrative transactions and code sets requirements?


Because providers are accustomed to using many of the medical code sets required....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: September 2002

The HIPAA transactions, security, and privacy regulations identify five agreements and relationships that can be established between healthcare entities to achieve economies of scale and lessen HIPAA's administrative burden. They are: affiliated covered entity (ACE)

business associa....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: April 2001

The qualifying "perhaps" recognizes that today, more than ever before, information flows through our organizations at lightning speed. More people within an organization can easily print healthcare documents, automatically send a fax, and e-mail attachments. The risk of even well-int....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: July 2004

Many covered entities are just now starting to approach the compliance aspects of the HIPAA security rule. Why discuss “compliance aspects” and not standards or controls, as we did when preparing for the privacy rule? Privacy and security are long-standing concepts to healthcare,....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: February 2003

Whether your privacy rule compliance efforts began two years ago or yesterday, you’re probably concerned about the April 14, 2003, implementation date. In this article, we’ll explore some of the ways you can make the most of the time remaining.

Don’t Skip the Assessm....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: November 2004

The HIPAA security rule includes a requirement for audit controls and to monitor and manage ongoing security for a variety of processes. But the requirement for internal audit was changed to “information security activity review,” and there is no other specific reference to auditin....

Author: Amatayakul, Margret

Source: External web site

Publication Date: 2003

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: October 2004

The 2004 Phoenix Health System/HIMSS HIPAA compliance survey indicates that providers find audit controls the most difficult of the HIPAA security standards to implement.
While it is recognized that every organization must conduct a risk analysis to determine the systems or activities th....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: October 2003

Shadow charts, independent databases, or “orphan systems,” as they are sometimes called, are among the most controversial and difficult to manage forms of protected health information (PHI) that exist. Yet some providers are having success using HIPAA’s privacy and security stan....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: January 2005

As healthcare organizations put the finishing touches on their HIPAA security compliance plans, many are finding that updating access controls is not easy. Clinicians often scoff at the word “control” in general and at “access control” in particular. Not all products ar....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: September 2001

HIPAA's administrative simplification regulations appear to be anything but simple. Part of the Health Insurance Portability and Accountability Act of 1996, these provisions are intended to achieve efficiency and effectiveness and promote use of information systems. There are definite....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: March 2005

HIPAA requires covered entities “implement policies and procedures to address security incidents.” There is one implementation specification: to “identify and respond to suspected or known security incidents; mitigate, to the extent practical, harmful effects of security inci....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: September 2003

Direct caregivers have long been concerned about balancing patient protections with “customer” relations: Who do you talk to and how much do you tell? This was an issue long before HIPAA, and has only become more complex with HIPAA. And while HIPAA provides guidance, there are still....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: May 2003

What do members of your work force say when:

a patient asks what the notice of privacy practices is

an individual states that her mother already signed the notice of privacy practices

a physician office claims that authorization from the patient isn’t need....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: April 2000

What do the proposed privacy regulations mean to HIM professionals—and what can you do now to begin to prepare? The author takes an in-depth look at the proposed rules.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is bringing significant changes to the ma....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: May 2004

Many information security officials are barraged with requests for the latest security tools. Such shopping lists often do not reflect a structured plan or a true risk analysis to justify their cost or human resource requirements. This column describes some of the latest tools, how you can ev....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: November 2003

Many healthcare organizations met the compliance date of April 14, 2003, for HIPAA privacy by addressing the most visible features—implementing a notice of privacy practices, assigning an information privacy official (IPO), and conducting training sessions.


But a review of....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: June 2004

Encryption is an addressable implementation specification under HIPAA’s access control and transmission security standards. Many providers are grappling with just how to address these specifications:
Is there a difference between the two specifications, and if so, what is the diff....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: January 2004

Many of us struggled to understand the HIPAA privacy rule and initially had few resources to turn to for help. As your organization begins planning for security rule compliance, however, many of you may be finding that you’re overwhelmed with the volume of potential resources available.....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: January 2003

HIPAA presents special challenges to providers who perform research. According to the Institute of Medicine, approximately 80,000 biomedical research studies using about 23 million volunteers are conducted per year. Most have some federal funding either through National Institutes of Health or....

Author: Amatayakul, Margret

Source: Journal of AHIMA

Publication Date: April 2003

Most HIPAA project managers are putting finishing touches on policies and procedures, getting them approved, and preparing training materials to meet the April 14, 2003, compliance deadline for privacy rule implementation. But it’s not enough to just write policies and procedures: policie....