Frequently Asked Questions

  • If my business is subject to HIPAA, do I also need to worry about state consumer privacy laws?
    It is possible. Businesses that comply with HIPAA may still need to comply with the requirements of other consumer privacy laws depending on their data collection practices, revenue and records thresholds, and the location of their consumers/patients. All current comprehensive US consumer privacy laws have carve-outs for organizations that are subject to HIPAA compliance. These HIPAA exemptions are meant to allow Covered Entities and Business Associates to continue following HIPAA regulations. However, this doesn't mean that health care companies are completely exempt from consumer privacy laws. With the exception of Virginia, which appears to exempt the business entity entirely, all other current US state consumer laws exempt only the PHI. All other data collected by the company that is not considered PHI could still fall under the scope of consumer privacy laws. Examples would be other personal information collected through websites or mobile applications that does not meet the definition of PHI. This is provided for information purposes only. Please speak with a licensed attorney for specific legal advice.
  • Do I need a Business Associate Agreement (BAA) with everyone that my Business Entity does business with?
    HIPAA is clear that you do not need to have a BAA in place with everyone that your Business Entity does business with. It depends solely on whether or not you are sharing Protected Health Information (PHI) with them as part of the relationship. No PHI, no BAA. Take note that sharing doesn't just mean transmitting the PHI to them; allowing them into your systems where PHI is accessible is also sharing. It is also possible that a BAA would not be needed if the handling of PHI by a service is performed under the direct control of the Business Entity. The Privacy Rule allows for treating the service as part of the Business Entity's staff in this case. This is provided for information purposes only. Please speak with a licensed attorney for specific legal advice.
  • Under HIPAA, what rights do my patients have regarding their Protected Health Information (PHI)?
    Three rights are granted to patients under the HIPAA Privacy Rule:
      - Patients have a right to access their Protected Health Information (PHI)
      - Patients can request amendments to their PHI
      - Patients can request an accounting of all disclosures of their PHI
    Business Entities must put a process in place to be able to handle these data requests and generally must respond to the request within 30 days. This is provided for information purposes only. Please speak with a licensed attorney for specific legal advice.
  • What is the proper way to dispose of Protected Health Information (PHI)?
    The proper way to dispose of Protected Health Information (PHI) depends on the type of records you are dealing with. Here are some general guidelines:
    Paper Records
      - Shredding - This is the easiest and most common way to dispose of paper records and is preferable to the other forms listed here. Make sure you use micro-shredders or cross-cut shredders because they make the pieces smaller and harder to reassemble.
      - Burning - This is another good way to dispose of paper records. Just be sure that the fire completely destroys the records and doesn't leave any data visible.
      - Pulping - This is a method that turns paper into a liquid. It is still considered an acceptable means of disposal but requires you to take your records to a specialty facility.
      - Pulverizing - This is a method where paper is put into a machine that reduces the documents to fiber. This also requires you to take your records to a specialty facility.
    Electronic Records
      - Clearing - This is simply overwriting the PHI with non-sensitive data. Please note that simply deleting a record is not considered enough in most cases.
      - Purging - This involves the use of a strong magnet that erases all of the data from electronic storage media such as computer hard drives, floppy disks, and tape drives.
      - Destruction - This consists of several methods that make the media inoperable such as disintegration, pulverization, melting, incinerating, or shredding.
    According to the Department of Health and Human Services, you may also consider allowing patients the opportunity to pick up their records prior to any disposal. This is provided for information purposes only. Please speak with a licensed attorney for specific legal advice.
  • What does my practice need to do to satisfy the HIPAA Privacy Rule?
    Generally speaking, as a healthcare provider, you would need to do the following to be in compliance with the HIPAA Data Privacy Rule:
      - Implement privacy policies, procedures, and processes in accordance with HIPAA requirements.
      - Notify patients of their privacy rights in accordance with HIPAA requirements.
      - Assign a responsible person to oversee your privacy program and be the HIPAA point of contact.
      - Train your employees on privacy procedures and the proper handling of Protected Health Information (PHI).
    This is provided for information purposes only. Please speak with a licensed attorney for specific legal advice.
  • What security controls does HIPAA require for electronic Protected Health Information (ePHI)?
    The HIPAA Security Rule mandates "appropriate administrative, physical, and technical safeguards" to protect ePHI. Beyond that, the rule does not specify the exact controls or tools needed to be compliant. Each business is different, and what is "appropriate" for one business may not be appropriate for another. We recommend checking out NIST cybersecurity standards and implementing what works for your specific business. Some topics to explore are:
      - Password Guidelines
      - Data Encryption
      - Auditing/Monitoring
      - Software Updates
      - Social Engineering Awareness
      - Access Control
      - Backup and Recovery Policies
      - Data Minimization
    This is provided for information purposes only. Please speak with a licensed attorney for specific legal advice.
  • Under HIPAA, how long must I retain a patient's Protected Health Information (PHI)?
    HIPAA has a six-year record retention requirement for some records. However, all U.S. states have retention requirements for medical data. For a full list of state requirements, please click here. This is provided for information purposes only. Please speak with a licensed attorney for specific legal advice.
  • How does HIPAA play with state medical privacy laws?
    State and federal laws can work alongside each other. HIPAA sets a minimum standard for protecting Protected Health Information (PHI). State medical privacy laws build upon this minimum standard and can actually take precedence over HIPAA if they are more restrictive in nature. However, whenever there is a direct conflict between state law and HIPAA, HIPAA preempts state law. This is provided for information purposes only. Please speak with a licensed attorney for specific legal advice.
  • What is data privacy and why does my business need to be concerned with it?
    I would argue that there are two answers to this question depending on your perspective. From a business perspective, data privacy is protecting the privacy of your customers through the proper handling, storage, sharing, and usage of their Personally Identifiable Information (PII). From an individual perspective, data privacy is the ability to determine for yourself when, how, and to what extent your personal information is provided to others. As a business you need to be concerned with data privacy for a couple of reasons:
      1. It is the right thing to do.
      2. There are many data privacy regulations on the books that can impose penalties for non-compliance.
      3. It can differentiate you from your competitors.
      4. Customers are increasingly concerned about how their data is being used and will take their business elsewhere.
  • What is the difference between data privacy and data security?
    Data privacy and data security are both necessary for organizations to comply with regulations, maintain trust, and mitigate risk. They are both concerned with accountability, integrity, and availability of systems and data. Data privacy primarily focuses on the policies, processes, and procedures behind the handling of PII:
      - Limiting PII collection
      - Limiting PII use
      - Data retention
      - Identifying uses and users of PII
      - Consent
      - Allowing data access, deletion, correction
    Data security, on the other hand, can be considered the technical foundation for data privacy. It focuses on things like:
      - Ensuring system and data availability
      - Protecting systems and data from threats
      - Providing system and data access
  • Where should I start when building a data privacy program for my company?
    It is our belief that the most important thing when building a data privacy program is to make sure you understand your data. Knowing what PII you have, all the places where it is located, the physical locations of your servers, and how it moves through your processes will provide the foundation needed to make all other decisions. This should be the first step, followed closely by identifying what regulations apply to your business.
  • Do I need a privacy policy on my website?
    More than likely, if you collect personally identifiable information on your website, the answer is yes. The General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Online Privacy Protection Act (CalOPPA) all require external privacy notices. But beyond the requirements, having an easily accessible and easy-to-understand privacy notice on your website just makes good business sense because it demonstrates a commitment to protecting user privacy and fosters trust. This is provided for information purposes only. Please speak with a licensed attorney for specific legal advice.
  • Do I need a cookie consent banner on my website?
    Not necessarily. If your website collects personal data from residents of the EU/EEA, you will need to ask for consent before placing non-essential cookies or other trackers on their devices, based on General Data Protection Regulation (GDPR) and ePrivacy Directive requirements. The easiest way to do that is through a cookie consent banner. The California Consumer Privacy Act (CCPA) mandates providing notice of cookie use but doesn't require consent before placing cookies, so it is acceptable to just place a cookie notice in your privacy notice. Even if not required, it is not a bad idea to have one because it provides transparency and fosters trust. This is provided for information purposes only. Please speak with a licensed attorney for specific legal advice.
  • Is my small business affected by data privacy regulations?
    Again, this depends on your business. For instance, if you offer goods or services to, collect personal information from, or monitor the behavior of EU/EEA residents, then the answer is yes. The General Data Protection Regulation (GDPR) has no revenue or company size requirements, so it does affect small businesses. The same goes for the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada. If your company only offers goods or services to, or collects personal information from, US residents through your website, your small business may not be affected due to requirements on annual revenue or the amount of personal data processed. Requirements vary, so please look it up or reach out via our Contact Us page. We will be happy to answer your questions. This is provided for information purposes only. Please speak with a licensed attorney for specific legal advice.
  • Which data privacy regulations apply to my business?
    The important thing to note is that privacy regulations don't apply based on where your business is physically located, but rather on where your consumers are located. If you are targeting residents of the EU/EEA, then the General Data Protection Regulation (GDPR) applies. If you are targeting residents of California, the California Consumer Privacy Act (CCPA) applies (if your business meets certain criteria). For example, if you are an internet retailer based in Texas that sells products to the US, Canada, and the EU/EEA, you can expect that the General Data Protection Regulation (GDPR), the Personal Information Protection and Electronic Documents Act (PIPEDA), and multiple US state regulations will apply (if your business meets certain criteria). This is provided for information purposes only. Please speak with a licensed attorney for specific legal advice.
  • What data privacy rights are granted to my customers by consumer privacy regulations?
    This varies from regulation to regulation, but in general there is a common set that applies across the board:
      - Right to know if their data is being processed
      - Right to access their data
      - Right to correct their data
      - Right to delete their data
    Some others include:
      - Right to opt out of automated decision-making, profiling, and targeted advertising
      - Right to withdraw consent
      - Right to opt out of sale and sharing
    This is provided for information purposes only. Please speak with a licensed attorney for specific legal advice.
  • What is the proper way to dispose of Personally Identifiable Information (PII)?
    The proper way to dispose of Personally Identifiable Information (PII) depends on the type of records you are dealing with. Here are some general guidelines:
    Paper Records
      - Shredding - This is the easiest and most common way to dispose of paper records and is preferable to the other forms listed here. Make sure you use micro-shredders or cross-cut shredders because they make the pieces smaller and harder to reassemble.
      - Burning - This is another good way to dispose of paper records. Just be sure that the fire completely destroys the records and doesn't leave any data visible.
      - Pulping - This is a method that turns paper into a liquid. It is still considered an acceptable means of disposal but requires you to take your records to a specialty facility.
      - Pulverizing - This is a method where paper is put into a machine that reduces the documents to fiber. This also requires you to take your records to a specialty facility.
    Electronic Records
      - Clearing - This is simply overwriting the PII with non-sensitive data. Please note that simply deleting a record is not considered enough in most cases.
      - Purging - This involves the use of a strong magnet that erases all of the data from electronic storage media such as computer hard drives, floppy disks, and tape drives.
      - Destruction - This consists of several methods that make the media inoperable such as disintegration, pulverization, melting, incinerating, or shredding.
    This is provided for information purposes only. Please speak with a licensed attorney for specific legal advice.
  • Are there any data retention rules that my company needs to follow for Personally Identifiable Information (PII)?
    There are no laws governing how long Personally Identifiable Information (PII) can or should be kept. Companies get to determine how long to keep this information. However, it is important that you make sure that you are sticking to whatever retention times are specified in your internal and external privacy policies. If you tell your customers that you keep certain types of data for a certain period, you need to abide by that. The information you put in your policies is enforceable, and deviating from that can be considered a "deceptive" trade practice by the Federal Trade Commission (FTC). This is provided for information purposes only. Please speak with a licensed attorney for specific legal advice.