The Privacy Rule was finalized on April 14, 2001, and as of April 14, 2003, all covered entities must be compliant with privacy regulations.

Regulations

The federal regulations have been revised. You can find the revised regulations here, as well as the original documents.

Requirements

All health plans, clearinghouses and healthcare providers who submit transactions electronically must comply with HIPAA Privacy requirements.

• Policies and procedures must be updated to reflect privacy requirements
• Business Associate agreements must be signed
• A Privacy Officer must be identified
• Staff must be trained
• Compliance must be documented

State specific requirements

Most states have existing privacy protections in place for individuals. Covered entities must know when to use the state laws instead of federal laws mandated by HIPAA; this is a non-trivial exercise accomplished with the help of a state preemption analysis.

Covered entities must also contend with federal and state reporting requirements, which do not require the individual’s consent or authorization but must be logged by the covered entity.

HIPAAssociates services and products cover the state requirements for Connecticut, New York, New Jersey, Massachusetts, Illinois, and Arizona.