HIPAA FAQs - Index of Questions


Privacy Notice
  • What is a Privacy Notice?
  • What has to be in a Notice of Privacy Practices (NPP)?
  • Once I get this Privacy Notice written, what do I do with it?
  • What if I forget to give the Privacy Notice to a patient when he/she comes in?


  • What is the requirement for an authorization?
  • Are there specific elements that must be in an authorization to make it valid?
  • Is there a requirement about language?
  • Can an authorization be verbal?
  • Can we accept a copy of an authorization instead of the original?
  • Is there a requirement to verify the identity of the individual signing the authorization?
  • Are there any special requirements to revoke an authorization?
  • Are there special requirements for authorization for research purposes?
  • Is there any easier way to obtain authorization for research purposes?
  • Are there any exceptions to the requirement for an authorization for disclosure for marketing purposes?


  • Under HIPAA, can patients change their medical records?
  • Can the practice deny the request to amend the record?
  • Is there any time limitation for response to a request to amend a record?
  • Are there requirements if a request to amend a record is approved?
  • What happens next if the request to amend the record is denied by the practice?

Uses and Disclosures of PHI

  • Under what circumstances can I use and disclose protected health information (PHI)?
  • When can protected health information (PHI) be disclosed without patient authorization (other than for treatment, payment, and health care operations (TPO))?
  • Do I have to tell a patient that I have disclosed his/her protected health information (PHI) without authorization?
  • What if a patient asks for frequent accounts of disclosure?

Restriction of Use

  • Can a patient restrict the use or disclosure of his/her protected health information (PHI)?

Patient Access

  • Do physicians have to allow patients to read their own charts?
  • Are there any exceptions to the provisions allowing patients to read their own charts?
  • Can physicians deny patients access to their charts?
  • Does the patient have the right to appeal a denial?
  • Are there exceptions to the right to appeal a denial?
  • If access is denied, are there any other requirements to be met by the practice?
  • Can a summary of the information instead of the complete record be provided and meet the access requirement?
  • Can I charge patients for copies of their medical record?
  • Can I provide access to information from another health care provider that is part of my medical record?


  • Are we required to have a formal privacy complaint process related to privacy issues?
  • Are there specific requirements about notification?
  • Do I have to keep a record of complaints?
  • Can the individual elect to complain to the Secretary of Health and Human Services (HHS) without first complaining to me, as the practice?
  • Are there specific requirements for filing a complaint with the Secretary of Health and Human Services (HHS)?
  • What could happen if the Secretary of Health and Human Services (HHS) found the complaint to substantiate a violation?

Privacy Officer

  • What is the intent or purpose of the privacy officer?
  • What steps or activities should the privacy officer take to assure compliance?
  • What if information is misused or improperly released?
  • What qualifications and responsibilities should a privacy officer’s job description contain?

Minimum Necessary

  • What is the intent of the minimum necessary requirement?
  • Are there exceptions to the minimum necessary requirement?
  • What is the significance of an individual authorizing release of protected health information (PHI)?
  • Can information be released for continuity of care concerns to another provider without an individual authorizing release of protected health information (PHI)?
  • What about an individual authorizing release of protected health information (PHI) that includes psychotherapy notes?
  • What should a practice do to implement HIPAA provisions?
  • What about releasing protected health information (PHI) not made in a routine and recurring manner?

Business Associates

  • What is the intent of business associate agreements?
  • Who qualifies as a business associate?
  • What types of functions do business associates typically perform?
  • Who doesn’t qualify as a business associate?
  • What about when information is shared for treatment purposes?
  • Do I need a business associate agreement for my cleaning service?
  • Since I already have an attorney-client relationship with counsel, do I need a business associate agreement?
  • What about organizations that act merely as a conduit of protected health information (PHI)?
  • What is the requirement for the return or destruction of protected health information (PHI)?


  • What are the requirements for training my staff and who needs to be trained?
  • What does my staff need to know about HIPAA?
  • How do I prove training took place?


  1. Who can handle a complaint on a possible violation of privacy?
  2. After the initial training, how often do I have to train office personnel on privacy issues?
  3. Do I have to monitor daily?
  4. What if the information requester is the medical board or a police officer?
  5. Who determines the “minimum necessary” when I receive a request for protected health information (PHI)?
  6. Do I, as the privacy officer, have to review all requests for protected health information (PHI)?
  7. We occasionally need to courier protected health information (PHI) such as original x-rays to another location. Do we need a business associate agreement with each courier service?
  8. As we develop additional contacts that require a business associate agreement, what exposure do we have if the business associate inappropriately releases protected health information (PHI)?
  9. Am I required to have business associate contracts with bio-medical equipment technicians or contractors such as plumbers, electricians, or office machines repair individuals who provide repair services?
  10. Mr. Green calls for a prescription renewal for his wife, Betty. He wants us to leave a message on his answering machine when the renewal has been called in to the pharmacy and what drug has been prescribed. He will be at work and not accessible by phone. His wife is too ill to take calls and he wants her to rest without trying to answer the phone. Is it okay to leave a message on his answering machine and can we tell him the name of the drug prescribed?
  11. Jill, one of the pharmaceutical reps who service our office, is bringing in lunch for the doctors and staff. She will be providing a brief lecture on a new antibiotic. We usually have the lunches in our break room where the nurses are working on charts and next to the area where our doctors dictate their visit notes. Is it okay to still have the rep lunches (Jill always seemed very trustworthy)?
  12. Connie is my front desk receptionist. She has been with us for 10 years and has completed the HIPAA training. She continues to discuss with patients how they are doing and references the reason for their visit within earshot of the waiting room. Patients love her and I have not had a complaint. Is this a concern?
  13. Do I need to have a signed authorization to send records to another physician when I refer a patient to him/her?
  14. Do I need to remodel my office so no one can see charts or overhear conversations?
  15. Can I still fax things to other offices?
  16. Can I leave information on a patient’s answering machine?
  17. An insurance company wants to evaluate our practice, including looking at a sample of our medical records. Do I need to get an authorization from the patient if his/her chart will be among those reviewed?
  18. Mr. Wheeler is a regular patient who comes in at least every month or so. He is very hard of hearing and we have to shout in order for him to understand. Are we breaching his privacy if other patients overhear something about his condition due to the loud conversational level?
  19. The office manager’s daughter volunteers in our office during winter break. She helps us with filing. Do we need a business associate agreement with her since she has access to protected health information (PHI)?