HIPAA Compliance for Physicians


HIPAA governs the privacy of your patients’ healthcare information. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.


The HIPAA Breach Notification Rule requires physicians and other healthcare providers to notify individuals whose protected health information (i.e., PHI) has been compromised of the breach. Generally, a breach is an impermissible use or disclosure that compromises the privacy or security of PHI. Most breach notifications must be provided without unreasonable delay and no later than 60 days following the breach discovery. The Breach Notification Rule also requires notification of the Department of Health and Human Services (i.e., HHS), and in some cases the media. Physicians should have a good understanding of their obligations in the event of a breach of a patient’s PHI.


58% of healthcare breaches involve practice employees, and these breaches are largely the result of employees improperly disclosing patient information, mishandling medical records, losing devices containing electronic protected health information (“ePHI”), or a general lack of training. This makes training a key aspect of preventing improper access to or misuse of PHI.


HIPAA compliance training is critical because it can help your practice prevent breaches, or know how to handle them if a breach ever does occur. When you broaden HIPAA compliance knowledge across the practice, your team gains the ability to identify risks, resolve problems, and streamline processes so that your entire operation runs on best practices.


There are several things that HIPAA compliance training should cover. It should include an overview of what HIPAA compliance is and how it applies to the practice. It should also cover the responsibilities of “Covered Entities” (i.e., including providers in possession of PHI such as physicians, clinics, psychologists, dentists, pharmacies, chiropractors, and nursing homes) and “Business Associates” (i.e., those entities and persons engaged by Covered Entities to carry out the activities and functions of the Covered Entity). HIPAA compliance training should also cover: patients’ right of access to PHI; how to protect against cyberthreats and the basics of protecting ePHI, such as changing passwords regularly and logging off of devices when not in use; and how to identify and report a potential breach of patient data. Offering a quiz after completion of training is important for showing that employees retained the materials. No matter the training solution your practice chooses, make sure it meets all HIPAA requirements and, most importantly, delivers content in a way that will be retained and understood by your employees.


HIPAA training should occur on an annual basis for current staff, and within 90 days of employment for new hires. HIPAA training should be a key part of employee onboarding.


When it comes to documentation of HIPAA compliance training, you should be able to show which employees have undergone compliance training, what resources they used to complete the training and when it was completed. This way, in the event of an audit, you can show that you have taken this step to prevent breaches. A certificate of completion showing who completed the training and when it was completed should be provided to each employee upon completion of training.


Physicians and small group practices must establish HIPAA compliance programs that include the adoption of privacy and security measures in order to ensure HIPAA compliance. There are several documents which have to be prepared for physician practices, such as a Notice of HIPAA Privacy Practices, Business Associate Agreements, and HIPAA privacy and security policies and procedures. All of these documents should be drafted by or in consultation with an experienced HIPAA compliance attorney.


Concierge Healthcare Attorneys, LLC regularly works in this highly specialized area of the law, and stands ready to help you with all your HIPAA needs in a cost-conscious manner.


For additional guidance see: