FAQs
Answers to Your Most Common HIPAA Questions
Organizations across the country rely on HIPAA EXPRESS® to achieve full compliance — faster, smarter, and stress-free.
Am I required to encrypt my emails?
It depends upon what you are emailing. If you are sending PHI, yes, you should encrypt. If you are sending records, you can easily encrypt them with WinZip. Your other option is to put the document on a secure server that is encrypted; there are any number of such services, including Google Drive, GoDaddy, and Dropbox. Windows 7 and 10 include full drive encryption. You can also encrypt PDFs, CDs, and USB drives. Faxing is not considered an electronic communication under HIPAA and is therefore considered secure, though not infallible (e.g., faxing PHI to the wrong party).
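As an added example (not HIPAA EXPRESS code), the PowerShell script below reports whether the full drive encryption that Windows ships (BitLocker) is actually on for every fixed drive, which is the evidence you would keep for a security risk assessment. It assumes Windows 10 or 11 with the BitLocker PowerShell module present and an elevated session; the function name Get-DriveEncryptionReport is this example's own.

```powershell
# Added example: report the BitLocker state of every fixed drive on this machine.
# Assumes Windows 10/11 with the BitLocker module and an elevated (administrator) session.
# Not part of HIPAA EXPRESS; the function name is this example's own.
#Requires -RunAsAdministrator

function Get-DriveEncryptionReport {
    [CmdletBinding()]
    param()

    # Only fixed (internal) volumes with a drive letter; removable media are a separate policy.
    $fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter -match '[A-Z]' }

    foreach ($vol in $fixed) {
        $mount = "$($vol.DriveLetter):"
        try {
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction Stop
            [PSCustomObject]@{
                Drive            = $mount
                VolumeStatus     = $bl.VolumeStatus       # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
                ProtectionStatus = $bl.ProtectionStatus   # 'Off' means the key is exposed even if the data is encrypted
                EncryptionMethod = $bl.EncryptionMethod
                Protectors       = ($bl.KeyProtector.KeyProtectorType -join ', ')
                # A drive only counts as protected when encryption is complete AND protection is on.
                Compliant        = ($bl.VolumeStatus -eq 'FullyEncrypted' -and $bl.ProtectionStatus -eq 'On')
            }
        } catch {
            # BitLocker not available or the volume cannot be queried: treat as not protected.
            [PSCustomObject]@{
                Drive            = $mount
                VolumeStatus     = 'Unknown'
                ProtectionStatus = 'Unknown'
                EncryptionMethod = $null
                Protectors       = $null
                Compliant        = $false
            }
        }
    }
}

$report = Get-DriveEncryptionReport
$report | Format-Table -AutoSize

# Flag anything that would fail a "drives are encrypted" control so it can go into the remediation plan.
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "$($_.Drive) is not fully protected (status: $($_.VolumeStatus), protection: $($_.ProtectionStatus))"
}
```

Save the table output with your SRA documentation; a drive whose VolumeStatus is FullyEncrypted but whose ProtectionStatus is Off (for example after a firmware update suspended BitLocker) is still a finding, because the encryption key is unlocked without a protector.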
I do not do electronic billing, but I do fax documents. Do I need to be HIPAA compliant?
No, faxing does not make you a Covered Entity (CE). However, you may be subject to other regulations around the privacy and security of PHI.
What about text messages?
Clients have the right to request alternate communication methods. If a client requests text messaging, explain the risks and obtain written permission. If a patient texts you, it’s reasonable to assume they understand the risks.
If text messages between providers contain PHI, they must be encrypted. Generic texts such as “your 4:00 canceled” do not need encryption.
How do I know I am getting reliable information about HIPAA?
Check the credentials of the consultant, company, or author. Excellent certifications include:
AHIMA: Certified in Healthcare Privacy and Security (CHPS)
HIMSS: CAHIMS, CPHIMS
ISACA: CISA, CISM, CRISC, CSX
(ISC)²: CISSP, HCISPP
IAPP: Certified Information Privacy Professional (CIPP)
Why do I need HIPAA anyway?
Everyone must take common sense steps to protect patient information privacy and security, especially electronic PHI.
How often do I need to do a security risk assessment (SRA)?
What are my obligations for training?
All workforce members must be trained on your organization’s specific HIPAA policies and procedures, not just general HIPAA knowledge. Training should occur when an employee starts, before accessing PHI, and after any breach.
My EHR vendor says they are HIPAA compliant. Doesn’t that cover me?
No. Organizations, not technology, are HIPAA compliant. You must perform due diligence on your Business Associates (BAs) to ensure they comply with HIPAA.
What should I do if I get a subpoena?
Verify the subpoena’s validity. Document all disclosures. Ensure the patient has been notified or obtain a protective order that restricts PHI use and requires destruction or return after litigation.
My state requires consent to release mental health info. Did HIPAA erode privacy rights?
No. HIPAA allows you to continue obtaining patient consent, maintaining consistency with your state law.
How do I know which businesses qualify as Business Associates (BAs)?
A BA is anyone working for you who isn’t a workforce member (e.g., third-party vendors). Employees, volunteers, and treatment team members are not BAs. You must assess risks, ensure BAs protect PHI, and terminate agreements if violations persist.
All I have is one computer — why worry about a Security Risk Assessment (SRA)?
HIPAA issues overlap with other privacy regulations. Following HIPAA provides legal protection (“affirmative defense”) if a breach occurs.
How do I know if I am HIPAA compliant?
You should be able to produce:
Your HIPAA policies and procedures manual
Training logs and materials
A security risk assessment (SRA)
A remediation plan
Due diligence documentation for Business Associates
Can we have a sign-in sheet in our waiting room?
Yes. Seeing names on a sign-in sheet is an “incidental disclosure” and not a breach. Some practices use peel-off labels or black out names after sign-in for added privacy.
Does the size of my practice affect my HIPAA compliance?
All Covered Entities must comply, but HHS allows flexibility depending on your organization’s size, resources, and capabilities.
Does everyone in my practice get only the minimum necessary information?
The “minimum necessary” rule does not apply to treatment-related disclosures, patient access to PHI, or authorized releases.
Does HIPAA require me to submit my claims electronically?
No, although some government and private payers may require electronic submission.
Is it acceptable to Skype with patients?
Skype is encrypted, but messages are stored and therefore considered stored PHI. Other secure options include TrueConf, Off-the-Record Messaging, Jitsi, Cryptocat, and Zfone.
In my practice, everyone uses personal cell phones. Is this OK?
Mobile devices must be encrypted because of the risk of loss or theft. Practices should enforce policies on lockout, texting, camera use, device inspections, and remote wipe capability.