
HIPAA Compliance Kit


As you probably know, most hearing care practitioners must be compliant with the new privacy regulations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) by April 14, 2003.

To assist you with your compliance efforts, we are providing three of the forms and a link to a fourth form that you may be required to provide to your patients or your business associates in order to comply with HIPAA. Included are:

IHS, through its Washington Counsel McDermott, Will & Emery, developed the first two forms. The Business Associate Agreement was drafted by the Hearing Industries Association and reviewed and endorsed by IHS.

Set forth below is a brief summary of some of the key provisions of the privacy regulations applicable to hearing care practitioners.

Am I a Covered Entity?

You are a "Covered Entity" if you are a health care provider that transmits health information in electronic form in connection with the following specific types of transactions:

  1. Requesting a payment and necessary accompanying information from a health plan;
  2. Inquiring about a health plan enrollee’s eligibility to receive health care under the health plan, coverage of health care under the health plan, or benefits associated with the benefit plan;
  3. Requesting an authorization to provide health care, or an authorization to refer an individual to another health care provider;
  4. Inquiring about the status of a health care claim;
  5. Arranging for the provision of health care or health care coverage payments for an individual by asking a health plan about: (1) a payment, (2) the transfer of funds, (3) detailed remittance information for an individual for whom premiums are being paid, or (4) payment processing information such as payroll deductions; or
  6. Coordinating benefits with a health plan for the purpose of determining its payment responsibilities.

As you can see, the above list of transactions generally deals with your relationships with health plans. So, if you transmit health information for other reasons, you may not be a Covered Entity. For example, if you send credit card information about one of your patients to your financial institution to process a payment, that does not make you a Covered Entity.

However, obtaining credit card information from one of your patient’s health plans would likely make you a Covered Entity to the extent you are requesting such information for a purpose described above (e.g., arranging for the provision of health care by asking a health plan about a payment or the transfer of funds).

The IHS Website has links to flow charts developed by the U.S. Department of Health and Human Services which will assist you in making a determination with respect to whether or not you are a Covered Entity under HIPAA. Covered Entities must comply with the HIPAA privacy regulations.

Importantly, you CANNOT avoid being considered a Covered Entity by using another company (e.g., a clearinghouse or practice management company) to do the above transactions for you.

HIPAA Generally

Protected Health Information

Once you have determined that you are a Covered Entity, it is important to understand that HIPAA was meant to protect “protected health information” or “PHI.” PHI is the personal, individually-identifiable medical data of an individual. PHI includes a broad range of medical information relating to an individual and covers information regarding hearing loss.

Now that you understand the information that HIPAA protects, the next step is to understand what HIPAA generally requires of a Covered Entity, the documents involved, as well as the types of uses and disclosures that are permitted without a patient’s authorization and the types of uses and disclosures that are prohibited unless an authorization is received.

Notice of Privacy Practices

Enclosed you will find a form entitled Notice of Privacy Practices. The Notice is the primary document that you will be required to provide to your patients. The Notice contains very specific language that informs a patient of how you will be using or disclosing his or her PHI and a statement of the patient’s rights and how to exercise those rights.

You must provide the Notice to your patients no later than the date on which you first provide a service to the patient after April 14, 2003. The Notice must also be posted in a clear and prominent location (e.g., the waiting room) at each practice location, as well as on your web site, if applicable.

A Covered Entity must make a good faith effort to obtain each patient’s written acknowledgement that he or she has received the Notice. If you do not obtain a patient’s written acknowledgement, you must document your organization’s good faith efforts and the reason why the acknowledgement was not obtained. Because HIPAA does not define what “good faith” efforts means, you should take every reasonable step possible to obtain a patient’s written acknowledgement. From a practical standpoint, you should obtain a patient’s written acknowledgement in all situations short of a patient’s refusal or a medical emergency.

If you do not obtain a patient’s written acknowledgement, you may still treat the patient, but must document the reason why you did not obtain the acknowledgement (e.g., patient’s refusal) in the medical record. In an emergency situation, the Notice must be provided and the acknowledgement obtained as soon as reasonably practicable after the emergency situation has been stabilized.

Permitted Uses and Disclosures Without Authorization

HIPAA requires Covered Entities to safeguard PHI and use and disclose it only to the minimum extent necessary. However, HIPAA contains important exceptions designed to facilitate patient treatment, payment/billing matters and general operations.

This means that once you provide a patient with the Notice and either obtain his or her written acknowledgement (or document the reasons why the patient’s acknowledgement was not obtained), HIPAA permits you to disclose PHI to other Covered Entities, hearing care practitioners or health care providers for purposes of treating the patient, obtaining payment and conducting certain health care operations without first obtaining a patient’s consent or authorization. Some examples of permitted uses and disclosures that you may engage in without first obtaining a patient’s consent or authorization are as follows:

  1. Treatment. HIPAA permits Covered Entities to use or disclose a patient’s health information to diagnose, assess or treat a patient’s health condition. Thus, you can share a patient’s PHI with other Covered Entities, hearing health care professionals and any other health care provider involved in the patient’s care for the purposes of your treatment of the patient’s condition or another Covered Entity's or health care provider's treatment of the patient's condition.
  2. Payment. HIPAA permits Covered Entities to disclose a patient’s PHI to an insurance carrier, HMO, PPO, employer, or other party that arranges or pays for the cost of some or all of the patient’s health care to verify that such parties will pay for such health care or to bill and collect payment for the services provided to a patient. Covered Entities may also disclose a patient’s health information to other health care providers for purposes of obtaining payment or assisting another entity to obtain a patient’s payment.
  3. Health Care Operations. HIPAA permits Covered Entities to use or disclose a patient’s health information for quality control purposes, staff evaluation, satisfaction surveys or for other administrative purposes needed to run the practice efficiently and effectively.

Uses and Disclosures Requiring An Authorization

Other than for treatment, payment and health care operations and certain other uses and disclosures, you are required to obtain a patient’s authorization before using and disclosing his or her PHI. Some examples of where a HIPAA authorization might be necessary include using or disclosing PHI for:

  1. Certain marketing activities (See marketing section below for a more detailed discussion);
  2. Requests by attorneys for information relating to a civil suit involving the patient; and
  3. Requests by a patient’s life insurance carrier.

Office Management

In the office management context, HIPAA requires Covered Entities to use reasonable safeguards to protect PHI. “Incidental disclosures” will be allowed, which means that patient sign-in sheets in waiting rooms will remain permissible. However, Covered Entities must take reasonable measures to ensure that PHI is not released to the general public.

Marketing
HIPAA was designed in large part to eliminate certain health care providers’ questionable marketing practices. Consequently, HIPAA generally prohibits Covered Entities from selling PHI (for example, patient names) to third parties without first obtaining the patients' written authorization. However, HIPAA allows Covered Entities to use PHI in treating patients, face-to-face encounters with the patient, conducting follow-up care, and to describe a health related product or service that is provided by the Covered Entity making the communication for case management or care coordination for the patient, or to direct or recommend alternative treatments, providers or settings of care. It is likely that these marketing exceptions will allow you to continue most of your existing marketing activities.

Business Associates

HIPAA will require Covered Entities to examine their relationships with third parties and enter into Business Associate Agreements with third parties to which they provide PHI. A “Business Associate” is a third party that performs a function or activity on behalf of a Covered Entity utilizing PHI in the usual course of its business. Typical examples include practice management companies, transcription service companies, consultants and debt collection agencies. Covered Entities must take certain steps to ensure that their Business Associates protect their patients' PHI. The primary means to ensure such protection is through a Business Associate Agreement. IHS has reviewed and endorsed the Business Associate Agreement prepared by the Hearing Industries Association. To access that form, go to the IHS Website or go directly to the HIA-created Website at

Not all vendors or third parties that you do business with qualify as a Business Associate. For example, you are not required to enter into a Business Associate Agreement with the janitorial staff, repair man, electrician or plumber, because their services do not require the use or disclosure of PHI in the usual course of business. Any disclosure of PHI to these individuals is likely to be considered an incidental use or disclosure.

For More Information

For further information, you can e-mail the Department of Health & Human Services directly with specific HIPAA questions at: In addition, you may visit the government’s HIPAA website at

HIPAA will affect each hearing care practitioner differently. It is our hope that the enclosed documents will be a helpful reference as you determine HIPAA’s effects on your practice. Please note that the enclosed documents are intended to be a general starting point to get you up to par with what's necessary to become HIPAA compliant. Covered Entities are required to have additional documentation as well, such as HIPAA-compliant policies and procedures that implement the practice’s privacy practices.

These documents do not address the particular circumstances that your practice may encounter nor the particular laws of the State that you operate in, all of which are important factors to consider to become HIPAA compliant. For example, the state in which you operate may be stricter than HIPAA and require you to first obtain a patient’s consent before releasing medical records to any third party regardless of the reason. We strongly encourage you to consult your local attorney or your local HIPAA expert.