Paul R. Hales
Attorney at Law
3534 Washington Ave.
St. Louis, MO 63103
Tel: 314-534-3534
Fax: 314-534-0444

Take the Mystery out of HIPAA

Note: "HIPAA" as used on this website refers only to the parts of a Federal law and its regulations that concern the privacy of a person's health information. That is what most people mean - and worry about - when they think of "HIPAA".

HIPAA Audits Underway

Providers & Business Associates
Will You Be Ready?

The U.S. Department of Health and Human Services has officially launched its long-awaited, random HIPAA compliance audits of Covered Entities and Business Associates. Mr. Hales provides all content and updates for a comprehensive, user-friendly, web-based HIPAA compliance product, The HIPAA E-Tool®. It includes a section with all 2016 Audit questions and the corresponding policies, procedures and forms to follow in order to demonstrate your organization's compliance.

On January 25, 2013 the U.S. Department of Health and Human Services (HHS) published the long-awaited HIPAA Final Omnibus Rule in the Federal Register. The Rule will go into full force and effect on September 23, 2013. It is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA), which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

What is HIPAA - Why does it seem so Complicated?

HIPAA, wondrously named "Administrative Simplification" by Congress, seems complicated because the law and regulations are lengthy and written in dense "legalese". However, HIPAA may be broken down into manageable parts that can be explained, taught and followed.

How to Take the Mystery out of HIPAA
On this page and the following HIPAA-related pages you will see that HIPAA Compliance is simple if you follow the clear step-by-step process that Mr. Hales developed. You will also see that there are major consequences for non-compliance, including both civil and criminal liability, and strong new government enforcement programs.
HIPAA - ONLY Four Rules
There are only four HIPAA Rules concerning health information privacy and security.
The four Rules, each described on this website, are:
There are 50 New HIPAA Sheriffs - One in each State
The HITECH Act amended HIPAA and authorized the Attorneys General of each State to enforce HIPAA. Before HITECH it was enforced only by the Federal Government, and the Federal Government is now actively training State Attorneys General to enforce HIPAA.
EHR "Meaningful Use Standards" Require Attestation to HIPAA Compliance
Incentive payments are available for conversion from paper to Electronic Health Records ("EHR"). To receive an EHR incentive payment your Organization must attest that it has done specific things, including complying with the HIPAA Security Rule. A false attestation may make you liable under the Federal False Claims Act or a similar State law. For more information see the EHR-EMR and HIPAA page on this website.
HIPAA - A Simple Concept
HIPAA is a Federal law that covers the Privacy and Security of personal protected health information created, received, maintained and/or transmitted by HIPAA Covered Entities and Business Associates.
Key HIPAA Definitions
PHI means "Protected Health Information". It is health information, held by HIPAA "Covered Entities", that can be identified as being about a specific person. PHI may be in any medium - paper records, computerized records and even discussions and voicemails. All PHI is covered by the HIPAA Privacy Rule.
EPHI means "Electronic Protected Health Information" and is simply PHI that is maintained or transmitted electronically. The HIPAA Security Rule applies to EPHI. However, all EPHI is also PHI and is governed by the HIPAA Privacy Rule.
Covered Entity
There are three types of HIPAA Covered Entities:
  1. Health Care Providers (such as doctors and hospitals)
  2. Health Plans (such as health insurance companies)
  3. Health Care Clearinghouses (transmitters of information such as for claims and billing)
Business Associates
Business Associates are persons or entities that create, receive, maintain or transmit PHI on behalf of a Covered Entity and are not members of the Covered Entity's workforce. Effective September 23, 2013, Business Associates, and Subcontractors that create, receive, maintain or transmit PHI on behalf of a Business Associate, will have much greater responsibilities and liabilities under HIPAA. The United States Department of Health and Human Services estimates that 500,000 Business Associates will be affected by the HIPAA Omnibus Rule changes to HIPAA.
HITECH and The HIPAA Omnibus Rule
HITECH is a Federal law that amended HIPAA. The HITECH amendments were codified in The HIPAA Omnibus Rule that becomes effective September 23, 2013. Changes include:
  1. increased Privacy and Security requirements for Covered Entities, Business Associates and Business Associate Subcontractors;
  2. increased civil monetary penalties for HIPAA violations;
  3. increased government enforcement including new authority for each State Attorney General to enforce HIPAA;
  4. mandatory random, detailed HIPAA audits of Covered Entities and Business Associates by The United States Department of Health and Human Services; and
  5. incentives and specifications for the transition from paper to electronic records (“EHR and EMR”) accompanied by audits by another Federal agency, the Center for Medicare & Medicaid Services, and additional exposure for Covered Entities including the potential for prosecution under the Federal False Claims Act and similar state laws.

EHR is an Electronic Health Record and EMR is an Electronic Medical Record. They permit healthcare providers to create, receive, maintain and transmit PHI electronically instead of on paper. See the EHR-EMR and HIPAA page on this website for more information.
The Bottom Line -
Your Organization CAN Understand and Comply with HIPAA
1. Learn the simple structure of HIPAA and how its parts work together;
2. Honestly, Thoroughly and Accurately Assess your Organization's HIPAA Compliance and Analyze your HIPAA Security Risks now;
3. Modify your HIPAA Policies, Procedures and Workforce Training to reduce your HIPAA Risks and fill HIPAA compliance gaps; and
4. Document everything you do.