


Examining Compliance With the HIPAA Privacy Rule

  • Authors: Rachel Seeger, MA, MPA
  • CME Released: 6/27/2012; Reviewed and Renewed: 6/27/2013
  • Valid for credit through: 6/27/2014

Target Audience and Goal Statement

This activity is intended for healthcare professionals who interact with protected health information.

The goal of this activity is to provide a basic overview for clinicians and other healthcare professionals on the importance of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and breach notification requirements. It is not meant to supplement or substitute training required under the Rule.

Upon completion of this activity, participants will be able to:

  1. Identify responsibilities of covered entities and their business associates under the HIPAA Privacy Rule
  2. Develop strategies for assessing and maintaining a compliance program with the HIPAA Privacy Rule


As an organization accredited by the ACCME, Medscape, LLC, requires everyone who is in a position to control the content of an education activity to disclose all relevant financial relationships with any commercial interest. The ACCME defines "relevant financial relationships" as financial relationships in any amount, occurring within the past 12 months, including financial relationships of a spouse or life partner, that could create a conflict of interest.

Medscape, LLC, encourages Authors to identify investigational products or off-label uses of products regulated by the US Food and Drug Administration, at first mention and where appropriate in the content.


  • Rachel Seeger, MA, MPA

    Senior Health Information Privacy Outreach Specialist, Office for Civil Rights, U.S. Department of Health and Human Services, Washington, DC


    Disclosure: Ms. Seeger has disclosed no relevant financial relationships.

    Ms. Seeger does not intend to discuss off-label uses of drugs, mechanical devices, biologics, or diagnostics approved by the FDA for use in the United States.

    Ms. Seeger does not intend to discuss investigational drugs, mechanical devices, biologics, or diagnostics not approved by the FDA for use in the United States.


  • Jane Lowers

    Group Scientific Director, Medscape, LLC


    Disclosure: Jane Lowers has disclosed no relevant financial relationships.

  • Neil Chesanow

    Senior Clinical Editor, Medscape, LLC


    Disclosure: Neil Chesanow has disclosed no relevant financial relationships.

CME Reviewer(s)

  • Nafeez Zawahir, MD

    CME Clinical Director, Medscape, LLC


    Disclosure: Nafeez Zawahir, MD, has disclosed no relevant financial relationships.

Accreditation Statements

    For Physicians

  • Medscape, LLC is accredited by the Accreditation Council for Continuing Medical Education (ACCME) to provide continuing medical education for physicians.

    Medscape, LLC designates this enduring material for a maximum of 0.5 AMA PRA Category 1 Credit(s)™. Physicians should claim only the credit commensurate with the extent of their participation in the activity.

    Medscape, LLC staff have disclosed that they have no relevant financial relationships.

    Contact This Provider

For questions regarding the content of this activity, contact the accredited provider for this CME/CE activity noted above. For technical assistance, contact [email protected]

Instructions for Participation and Credit

There are no fees for participating in or receiving credit for this online educational activity. For information on applicability and acceptance of continuing education credit for this activity, please consult your professional licensing board.

This activity is designed to be completed within the time designated on the title page; physicians should claim only those credits that reflect the time actually spent in the activity. To successfully earn credit, participants must complete the activity online during the valid credit period that is noted on the title page. To receive AMA PRA Category 1 Credit™, you must receive a minimum score of 70% on the post-test.

Follow these steps to earn CME/CE credit*:

  1. Read the target audience, learning objectives, and author disclosures.
  2. Study the educational content online or printed out.
  3. Online, choose the best answer to each test question. To receive a certificate, you must receive a passing score as designated at the top of the test. We encourage you to complete the Activity Evaluation to provide feedback for future programming.

You may now view or print the certificate from your CME/CE Tracker. You may print the certificate but you cannot alter it. Credits will be tallied in your CME/CE Tracker and archived for 6 years; at any point within this time period you can print out the tally as well as the certificates from the CME/CE Tracker.

*The credit that you receive is based on your user profile.




The Importance of Training and Education

It is essential that your employees and others who interact with your patients’ protected health information (PHI) are trained, and updated regularly, on your policies and procedures so that they can understand and implement them in their day-to-day responsibilities.

Documenting the training curriculum, who received it, and when it was completed is a necessary and important piece of a Privacy Rule compliance program.

Newsletters, distributed in hard copy, by email, or both, can fill an important role in ongoing training and nurture your Privacy Rule compliance program. The scope of training depends on the size of the practice and the role of the individual in the healthcare continuum; however, everyone needs to receive initial training at the time of employment and ongoing education on HIPAA compliance as new rules are implemented or as business needs change.

        You can provide fact sheets, posters, or other visual tools to keep staff engaged and stay up on the current information of what HIPAA compliance is. These communication tools also help to reinforce continuing education by providing a forum in which hypothetical and actual privacy cases can be discussed. -- Angela Dihn, Director of Professional Practice, AHIMA

A Word About Enforcement

OCR is serious about HIPAA enforcement. Several recent high-profile cases -- including loss of records from Massachusetts General Hospital, for which it was fined $1 million, and sharing of confidential patient information at the University of California at Los Angeles (UCLA) Health Systems, which resulted in a fine of $865,000 -- have put the importance of protecting patients’ health information in the spotlight.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, modified the HHS Secretary’s authority to impose civil money penalties for violations of HIPAA occurring after February 18, 2009. These HITECH Act revisions significantly increased the penalty amounts the Secretary may impose for violations and are intended to encourage prompt corrective action.

The HITECH Act strengthens the civil money penalty scheme for enforcement by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

In addition, HITECH gives states' attorneys general the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy Rule. The HITECH Act permits states' attorneys general to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy Rule.

Finally, HITECH requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA privacy requirements. To implement this mandate, OCR is piloting a program to perform up to 150 audits of covered entities to assess privacy compliance. Audits conducted during the pilot phase began in November 2011 and will conclude by December 2012.


Protecting your patients’ health information is your legal responsibility. A meaningful HIPAA compliance program is one in which everyone involved in healthcare delivery understands their role in zealously protecting health information. Policies and procedures cannot simply be binders on a shelf; they must be integrated into practice -- from the front office to the back. A sound compliance program includes but is not limited to:

  • Internal audits;
  • Up-to-date policies and procedures; and
  • Training for everyone in your organization, including physicians and other management staff.