


Examining Compliance With the HIPAA Privacy Rule

  • Authors: Rachel Seeger, MA, MPA
  • CME Released: 6/27/2012; Reviewed and Renewed: 6/27/2013
  • Valid for credit through: 6/27/2014, 11:59 PM EST

Target Audience and Goal Statement

This activity is intended for healthcare professionals who interact with protected health information.

The goal of this activity is to provide a basic overview for clinicians and other healthcare professionals on the importance of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and breach notification requirements. It is not meant to supplement or substitute training required under the Rule.

Upon completion of this activity, participants will be able to:

  1. Identify responsibilities of covered entities and their business associates under the HIPAA Privacy Rule
  2. Develop strategies for assessing and maintaining a compliance program with the HIPAA Privacy Rule


As an organization accredited by the ACCME, Medscape, LLC, requires everyone who is in a position to control the content of an education activity to disclose all relevant financial relationships with any commercial interest. The ACCME defines "relevant financial relationships" as financial relationships in any amount, occurring within the past 12 months, including financial relationships of a spouse or life partner, that could create a conflict of interest.

Medscape, LLC, encourages Authors to identify investigational products or off-label uses of products regulated by the US Food and Drug Administration, at first mention and where appropriate in the content.


  • Rachel Seeger, MA, MPA

    Senior Health Information Privacy Outreach Specialist, Office for Civil Rights, U.S. Department of Health and Human Services, Washington, DC


    Disclosure: Ms. Seeger has disclosed no relevant financial relationships.

    Ms. Seeger does not intend to discuss off-label uses of drugs, mechanical devices, biologics, or diagnostics approved by the FDA for use in the United States.

    Ms. Seeger does not intend to discuss investigational drugs, mechanical devices, biologics, or diagnostics not approved by the FDA for use in the United States.


  • Jane Lowers

    Group Scientific Director, Medscape, LLC


    Disclosure: Jane Lowers has disclosed no relevant financial relationships.

  • Neil Chesanow

    Senior Clinical Editor, Medscape, LLC


    Disclosure: Neil Chesanow has disclosed no relevant financial relationships.

CME Reviewer(s)

  • Nafeez Zawahir, MD

    CME Clinical Director, Medscape, LLC


    Disclosure: Nafeez Zawahir, MD, has disclosed no relevant financial relationships.

Accreditation Statements

    For Physicians

  • Medscape, LLC is accredited by the Accreditation Council for Continuing Medical Education (ACCME) to provide continuing medical education for physicians.

    Medscape, LLC designates this enduring material for a maximum of 0.5 AMA PRA Category 1 Credit(s)™. Physicians should claim only the credit commensurate with the extent of their participation in the activity.

    Medscape, LLC staff have disclosed that they have no relevant financial relationships.

    Contact This Provider

For questions regarding the content of this activity, contact the accredited provider for this CME/CE activity noted above. For technical assistance, contact [email protected]

Instructions for Participation and Credit

There are no fees for participating in or receiving credit for this online educational activity. For information on applicability and acceptance of continuing education credit for this activity, please consult your professional licensing board.

This activity is designed to be completed within the time designated on the title page; physicians should claim only those credits that reflect the time actually spent in the activity. To successfully earn credit, participants must complete the activity online during the valid credit period that is noted on the title page. To receive AMA PRA Category 1 Credit™, you must receive a minimum score of 70% on the post-test.

Follow these steps to earn CME/CE credit*:

  1. Read the target audience, learning objectives, and author disclosures.
  2. Study the educational content online or printed out.
  3. Online, choose the best answer to each test question. To receive a certificate, you must receive a passing score as designated at the top of the test. We encourage you to complete the Activity Evaluation to provide feedback for future programming.

You may now view or print the certificate from your CME/CE Tracker. You may print the certificate but you cannot alter it. Credits will be tallied in your CME/CE Tracker and archived for 6 years; at any point within this time period you can print out the tally as well as the certificates from the CME/CE Tracker.

*The credit that you receive is based on your user profile.





The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is providing this technical assistance, not to supplant training required by the Privacy Rule, but as a resource tool to help individuals understand the importance of a carefully designed, delivered, and monitored HIPAA Privacy Rule compliance program.


The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) establish a set of national standards for the protection of certain health information. The US Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Rule addresses the use and disclosure of individuals’ health information -- called protected health information (PHI) -- by organizations subject to the Privacy Rule -- called covered entities -- as well as standards for the rights of individuals to understand and control how their health information is used. Within HHS, the Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties. Enforcement of the Privacy Rule began April 14, 2003, for most HIPAA-covered entities.

A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and protect the public's health and well-being. The Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing. Given that the healthcare marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.

Covered Entities and Business Associates

Covered entities must follow the HIPAA Privacy Rule. Covered entities include:

  • Healthcare providers, including doctors, clinics, hospitals, dentists, nursing homes, and pharmacies that transmit any information electronically in connection with a transaction for which HHS has adopted a standard;
  • Health plans; and
  • Healthcare clearinghouses.

In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. When a covered entity uses a contractor or other nonworkforce member to perform "business associate" services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement (in certain circumstances governmental entities may use alternative means to achieve the same protections). In the business associate contract, a covered entity must impose specified written safeguards on the protected health information used or disclosed by its business associates.

Protected Health Information

The Privacy Rule applies to all protected health information, which includes, when held or transmitted by a covered entity, information that:

  • Relates to the individual’s past, present, or future physical or mental health or condition; to the provision of health care to an individual; or to past, present, or future payment for the provision of health care to the individual; and
  • Identifies the individual or is information for which there is a reasonable basis to believe it can be used to identify the individual.

Protected health information can be in any form -- electronic, paper, or oral. It can include financial and demographic information collected from patients.

        With the changes as part of the Health Information Technology for Economic and Clinical Health Act (HITECH), it’s probably good to do a HIPAA spring cleaning. The privacy regulation went into effect in 2003, and everybody jumped on the notice. Many have never looked at it since. You probably learned a lot since 2003 and now’s the time to revamp the policies, to retrain the staff. -- Robert M. Tennant, Medical Group Management Association (MGMA) Senior Policy Advisor

The Privacy Rule does not govern the use or disclosure of health information that does not identify an individual (which can include “de-identified” information). Also, the Privacy Rule does not apply to a covered entity’s own employment records or to education-related and certain other records covered by the Family Educational Rights and Privacy Act (FERPA).

Under the Privacy Rule, covered entities must provide patients with a full notice on how their protected health information is used, disclosed, and protected. This Notice of Privacy Practices specifies patients’ rights and covered entities’ responsibilities.

The notice should include the header required by the Privacy Rule, and should explain, in plain language:

  • How the covered entity may use and disclose protected health information about the individual;
  • The individual’s rights with respect to the information and how the individual may exercise these rights, including how to file a complaint with the covered entity or with HHS;
  • The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information; and
  • How the individual can get more information about the covered entity’s privacy policies.

In addition to providing this notice at the initial visit, a covered entity must make its notice available to any patient upon request. This is only a general summary of some of HIPAA’s requirements. Providers must refer to the Rule for more specific information.
