Learning Objectives 

After completion of the course, you will be able to:

  1. List 5 things that the HIPAA Privacy Rule requires the average provider or health plan to do.
  2. Describe how the HIPAA Privacy Rule protects individuals’ medical records and other personal health information.
  3. Explain which entities are covered by the Privacy Rule by following decision trees.
  4. Define business associate, provide several examples of business associates, and frame a business associate contract.
  5. Discuss six permitted uses and disclosures of protected health information.
  6. Define the HIPAA Privacy Rule’s minimum necessary standard and its application in the use and disclosure of protected health information.
  7. Explain the right of access to the protected health information afforded to patients under the HIPAA Privacy Rule.
  8. Explain the right to amend the protected health information afforded to patients under the HIPAA Privacy Rule.
  9. Explain the right to an accounting of disclosures of protected health information afforded to patients under the HIPAA Privacy Rule.
  10. Discuss various situations where incidental uses and disclosures of protected health information are permitted under the Privacy Rule.
  11. Provide examples of reasonable safeguards a covered entity must implement to limit incidental, and avoid prohibited, uses and disclosures of protected health information.
  12. Explain how a covered entity can disclose protected health information to a public health authority and comply with the requirement to provide individuals with an accounting for disclosures.
  13. Define marketing and distinguish between what is marketing and what is not marketing under the HIPAA Privacy Rule.
  14. Discuss situations when an authorization is required from the patient before a provider or health plan can engage in marketing to that individual.
  15. Distinguish between activities for treatment or health care operations versus marketing activities.
  16. Identify two circumstances when a patient’s prior authorization is required for the use and disclosure of protected health information for marketing.
  17. Discuss how the Privacy Rule works with respect to disclosures for workers’ compensation.
  18. Discuss the requirement of a limited data set.
  19. Discuss the use and disclosure of a limited data set to a business associate under the HIPAA Privacy Rule.
  20. Discuss the right provided by the Privacy Rule to individuals to receive a notice of privacy practices for protected health information, and specify the content of the notice.
  21. Identify three entities that are not required to develop a notice of privacy practices.
  22. Identify individuals and circumstances under which these individuals can have access to protected health information of minors or other individuals.
  23. Explain the application of HIPAA Privacy Rule in research uses and disclosures of protected health information.
  24. Discuss the implementation of administrative simplification requirements by HHS.


Course Outline

1. Protecting the Privacy of Patients’ Health Information


 Patient Protections

 Health Plans and Providers

 Outreach and Enforcement

2. Summary of the HIPAA Privacy Rule


 Statutory & Regulatory Background

 Who Is Covered by The Privacy Rule


 Business Associates 

 What Information Is Protected 

 General Principle for Uses and Disclosures 

 Permitted Uses and Disclosures 

 Authorized Uses and Disclosures 

 Limiting Uses and Disclosures to the Minimum Necessary

 Notice and Other Individual Rights 

 Administrative Requirements 

 Organizational Options  

 Other Provisions: Personal Representatives and Minors’ Personal Representatives

 State Law

 Enforcement and Penalties for Noncompliance 

 Compliance Dates  

 Copies of the Rule & Related Materials  

 Incidental Uses and Disclosures 

 Minimum Necessary 

 Personal Representatives 

 Business Associates 

 Uses and Disclosures for Treatment, Payment, and Health Care Operations 


 Disclosures For Public Health Activities


 Disclosures For Workers’ Compensation Purposes  

 Notice of Privacy Practices for Protected Health Information

 Restrictions on Government Access to Health Information 

3. Implementation of Administrative Simplification Requirements by HHS


Implementation Plan

Standards Adoption Process

Public and Private Sector Input into the Standards Development Process

Implementation Schedule

Understanding CMS’s Compliance Policy

What Is a Contingency Plan?

Steps For Contingency Planning

Health Plan Responsibilities

Review Your Good Faith Efforts to Comply

4. Security Standard

 General Approach  

 Specific Requirements  

 Guidance on Compliance with HIPAA Transactions and Code Sets After the October 16, 2003 Implementation Deadline

Enforcement Approach

Working Toward Compliance

 HIPAA Administrative Simplification Compliance Act (ASCA) 

 Electronic Transaction Standards 

Code Set Standards  

What Is a Code Set

What Code Sets Have Been Adopted as HIPAA Standards?   

5. FAQ About HIPAA

  HIPAA: In General  

  Privacy Rule: General Topics  

  Protected Health Information  

  Preemption of State Law 

  Covered Entities  

  Compliance Dates 

  Minimum Necessary

  Business Associates 

  Treatment/Payment/Health Care Operations  

  Right to Access Medical Records 


  Right to an Accounting of Disclosures 

  Incidental Uses and Disclosures 

  Public Health Uses and Disclosures

  Facility Directories 

  Disclosure to Family and Friends 

  Disclosures Required by Law  

  Disclosures for Rule Enforcement 

  Disclosures for Law Enforcement Purposes  


  Marketing Uses and Disclosures  

 Workers’ Compensation Disclosures

 Notice of Privacy Practices 

 Personal Reps/Parents and Minors 

  Limited Data Set 

  Research Uses and Disclosures 

  Transition Provision  

Appendix A: Notice of Privacy Practices

Appendix B: Sample Business Associate Contract

Appendix C: How to File a Health Information Privacy Complaint With the Office For Civil Rights

