HIPAA requirements for covered entities who maintain protected health information
Essentially, a HIPAA covered entity cannot use or disclose protected health information for any purpose other than treatment, payment, or health care operations without either the authorization of the individual or under an exception in the HIPAA regulations.
HIPAA requires covered entities to do the following:
1. Institute a required level of security for health information, including limiting disclosures of information to the minimum required for the activity;
2. Designate a privacy officer and contact person;
3. Establish privacy and disclosure policies to comply with HIPAA;
4. Train employees on privacy policies;
5. Establish sanctions for employees who violate privacy policies;
6. Establish administrative systems for the health information that can respond to complaints, respond to requests by a patient to correct health information, accept requests not to disclose for certain purposes, and track disclosures of health information;
7. Issue a privacy notice to patients concerning the use and disclosure of their protected health information;
8. Establish a process through an IRB (or privacy board) for a HIPAA review of research protocols; and
9. As a health care provider, include consent for disclosures for treatment, payment, and health care operations in the treatment consent form (optional).