Health Information Privacy: Frequently Asked Questions

This information is provided as guidance only. Providers should always consult with their privacy and security officer(s) or an attorney when considering their privacy and security policies.

Who needs to comply with the Privacy Rule?

All HIPAA-covered entities and business associates of covered entities must comply with the Privacy Rule requirements. Find out if you are a covered entity.

What does the Privacy Rule encompass?

The Privacy Rule applies to all forms of protected health information, including oral, paper, and electronic.

What is protected health information?

Protected health information, or PHI, is any information that may reasonably allow someone to identify the individual. It is anything that is created or received by a health care provider, health plan, employer, or health care clearinghouse. PHI includes such things as:

  • Name
  • Address
  • Birthdates and dates of service (admission, discharge, etc.)
  • Phone numbers
  • E-mail addresses
  • Social security numbers
  • Health insurance plan information
  • Photos

In addition, any information about the person's health status, treatments, prognosis, and payment should be protected. Whenever information is shared, only the minimum information needed to meet the request should be included. The minimum necessary standard specifies that covered entities must "make reasonable efforts to limit the use or disclosure of, and requests for, protected information to the minimum necessary to accomplish the intended purpose" (45 CFR Parts 160 and 164 [PDF], Final Rule, page 53195).

What does the Privacy Rule allow?

There are specific instances in which a covered entity can release PHI without patient authorization or consent. These instances include:

  • Treatment
  • Payment
  • Health care operations

In addition, PHI may be used or disclosed without patient authorization for reasons such as suspected abuse or neglect, marketing, as requested by law enforcement or the courts, for workman's compensation, and more.

Covered entities must appoint a privacy officer, develop privacy policies and procedures, train staff, and draft appropriate paperwork.

What paperwork is required?

In addition to the policies and procedures mentioned above, covered entities must have a privacy notice that is shared with all new patients at the first visit or as soon as possible in cases of emergencies. This notice must also be posted in a prominent place in the office or facility. The notice can also be posted on the web and any updates must be provided to patients upon request.

Patients must sign a form acknowledging that they have received the privacy notice. Providers must make a good faith effort to get this signature and, if unsuccessful, must document the effort and reason why acknowledgement was not obtained.

Patients must also sign an authorization form if information is to be used in any way outside of the allowable reasons under the HIPAA regulations. Providers must keep a list of when a patient's information was used or disclosed, called an accounting of disclosures.

If the audiologist or SLP works with a business associate (billing agency, contractors, etc.), a business associate agreement is necessary.

To summarize, the following paperwork is required:

  • Privacy policies and procedures
  • Documentation of staff training
  • Privacy notice
  • Acknowledgement of receipt of privacy notice
  • Authorization form
  • Accounting of disclosures form
  • Business associate agreement, if applicable

Additional forms and documents may be required, depending upon your circumstance. You should review the privacy regulations closely to determine your needs.

What steps do I need to take to comply with the Privacy Rule?

The logical progression of HIPAA preparation activities includes:

  • reviewing the regulations
  • conducting a risk assessment and gap analysis
  • developing a compliance plan
  • providing education to all employees
  • continuous auditing and monitoring

Risk assessment and gap analysis

A gap analysis is an assessment of how your office's/facility's current practices measure up to the new federal requirements. A gap analysis could include an evaluation of current compliance with medical privacy laws, a review of existing procedures for the use and disclosure of protected health information, and a review of the facility and ways information is accessed.

Every covered entity must have documentation to show how it intends to comply with the privacy rule. These documents must be retained to show compliance. The documentation may include the designation of the privacy officer; the development of a training program for employees; methods of implementing safeguards to protect health information from intentional or accidental misuse; a means for individuals to lodge complaints about an entity's information practices; and a system of sanctions for employees and business associates who violate the entity's policies and procedures for compliance. In addition, the covered entity must have an authorization form and notice of privacy statement available for the patient's signature.

It is important to note that the privacy rule allows for flexibility in the complexity of the compliance documents. For example, a small private practice may have different compliance practices than a hospital or skilled nursing facility.

Sample HIPAA forms

This list is not exhaustive and inclusion does not imply endorsement from ASHA or a guarantee of the quality of the contents.

Additional samples can be found through an Internet search. Software programs are available that include HIPAA forms.

What rights do my patients have?

Your patients have a number of specific rights under the Privacy Rule. They can:

  • Ask that you not share their information
  • Ask that you contact them privately
  • Look at and copy their health information
  • Ask for changes to be made to their health information
  • Get a report of how and when their information was used or shared
  • Get a paper copy of the privacy notice, even if they've received one before
  • File a complaint if they believe their rights have been violated

You do not necessarily have to agree to all of these requests. This information must be clearly explained in your privacy notice.

What information is available for small practices?

The Workgroup for Electronic Data Interchange (WEDi) published the Small Practice Implementation White Paper [PDF], which outlines special considerations for small practices that may not be able to afford HIPAA consultants. The intent is to provide a simple, straightforward description of the basics of HIPAA, as well as resources and links to additional information.

How do I write a privacy notice?

The privacy notice is to be written in plain language so that patients and families can clearly understand their rights. To assist providers, a guide to writing HIPAA privacy notices is available on the US Department of Health and Human Services website.

What is the difference between HIPAA and FERPA?

On November 25, 2008, the U.S. Department of Health and Human Services and the U.S. Department of Education released joint guidance explaining the relationship between the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). See HHS/ED Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and HIPAA to Student Health Records [PDF].

Can I still do things like have patients sign in and call out patients' names in the waiting room?

Yes, HIPAA rules are designed to allow for the natural provision of health care. Providers should still take precautions to allow only the minimum necessary information to be exchanged. There is more information available from the Office of Civil Rights.

Can I send e-mails to my patients or is that a HIPAA violation?

HIPAA regulations do not prohibit e-mail communication between provider and patient or provider and provider. Information contained in e-mails should be kept to the minimum necessary, and a risk analysis should be done to determine the privacy risks and address them. More information about e-mails is available in the Security Rule FAQs.

Additional Resources