Privacy is never negotiable, and when it concerns our medical records it is even more delicate. We expect our medical information to be kept under wraps. When traditional paper records were transformed into Electronic Health Records (EHR), medical charts became convenient for every healthcare professional to access. Physicians can now go through a patient's entire clinical history and arrive at appropriate treatment strategies.

On the flip side, as vital medical charts are increasingly digitized, cyber security has become a significant concern in the healthcare sector. Because medical charts are central to patient care, personal injury lawsuits, and insurance claims, the stakes of medical data security are higher still.

HIPAA and medical records are closely interlinked when it comes to data security. This blog aims to thrash out what the HIPAA law is, what electronic medical records are, and what HIPAA compliance for medical records means, and to understand how the HIPAA rules safeguard the privacy of an individual's medical records.

LezDo techmed is one of the top medical record review companies, so the prime focus here will be the role of HIPAA compliance when outsourcing medical record review services. We comply with the HIPAA regulations for medical records to ensure data safety.

What is HIPAA law?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It contains five titles, as indicated below.

  •  Title I: HIPAA Health Insurance Reform
  •  Title II: HIPAA Administrative Simplification
  •  Title III: HIPAA Tax-Related Health Provisions
  •  Title IV: Application and Enforcement of Group Health Plan Requirements
  •  Title V: Revenue Offsets

The HIPAA rules that matter for medical records all fall under Title II (Administrative Simplification). They are indicated below.

The HIPAA Privacy Rule

The HIPAA Privacy Rule sets national standards for safeguarding individually identifiable health information, referred to as Protected Health Information (PHI), in any form: electronic, paper, or oral. It protects PHI from being used or disclosed without the patient's authorization, except for a defined set of permitted purposes. A covered entity may use or disclose PHI without authorization for the patient's own treatment, for payment, and for its health care operations, and in a limited number of other situations the rule spells out (for example, when required by law). Most other disclosures, including releasing records to an attorney or an insurer for a claim, require a written authorization signed by the patient.

The rule also limits each disclosure to the minimum necessary for its purpose. An individual has the right to access their health information under HIPAA, which includes the right to inspect and obtain a copy of their medical record and to request corrections to the clinical data.

The HIPAA Security Rule

The HIPAA Security Rule deals with electronic Protected Health Information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of ePHI, including risk analysis, access controls, audit controls, and transmission security. The Security Rule does not apply to PHI communicated orally or on paper; that information is protected by the Privacy Rule alone.

The Transactions Rule

The Transactions and Code Sets Rule standardizes the format and content of electronic health care transactions such as claims, eligibility checks, and remittances, and adopts the medical code sets they must use: ICD-9 (later replaced by ICD-10), HCPCS, CPT-4, CDT, and NDC codes. The point of these standard codes is accuracy and interoperability of the health information exchanged, not security as such.

The Identifiers Rule

A covered entity that conducts HIPAA financial and administrative transactions must use standard identifiers in them. Health care providers must obtain a National Provider Identifier (NPI) that identifies them on administrative transactions, and employers are identified by their Employer Identification Number (EIN).

The Enforcement Rule

This rule supports the HIPAA Privacy and Security Rules. It sets out how HHS investigates complaints and compliance reviews, the civil money penalties for violations, and the hearing procedures. The separate Breach Notification Rule, added under HITECH, covers the obligation to report breaches of unsecured PHI to affected individuals, to HHS, and in large cases to the media.

Is HIPAA a federal law or a state law?

HIPAA is a federal law, enacted in 1996 and signed by President Bill Clinton on Aug. 21, 1996. It is also known as Public Law 104-191. State laws that are more protective of patient privacy continue to apply alongside it. The HIPAA rules have seen periodic modifications from 1999 to 2020, including the Privacy and Security Rules, the HITECH Act of 2009, and the 2013 Omnibus Rule, which together strengthened patient rights, improved coordinated care and access to medical data, extended liability directly to business associates, and added breach notification requirements.

Can any doctor access my medical records?

No. A physician may access your medical records only for a permitted purpose, principally when they are involved in your treatment. If that physician refers you to another doctor, the second doctor may study your medical charts for further treatment, since treatment is a permitted disclosure. Outside such purposes, HIPAA allows only the individual or their personal representative to inspect and obtain copies of the medical records. For minor patients or deceased individuals, a personal representative (such as a parent or executor) acts on their behalf. However, if the personal representative is reasonably suspected of endangering the individual, as in cases of domestic abuse or violence, the provider may refuse them access to the medical data.

How do I obtain my medical records?

When medical records are required for a lawsuit or an insurance claim, a legal representative or other third party can request them through an authorization procedure. This is a stringent protocol: the request must carry the patient's signed HIPAA authorization, which states what records are to be released, to whom, for what purpose, and for how long the authorization is valid, along with any supporting documents showing why the records are needed.

Who has to comply with HIPAA?

HIPAA defines three kinds of Covered Entities: health care providers that transmit health information electronically (physicians, dentists, clinics, hospitals, laboratories, and pharmacies), health plans (insurance companies, HMOs, and employer health plans), and health care clearinghouses. Covered entities must comply with the HIPAA rules and with the HITECH (Health Information Technology for Economic and Clinical Health) Act. Medical record outsourcing companies are not covered entities themselves; they fall under HIPAA as business associates, as explained next.

In many instances, covered entities engage outside organizations to carry out parts of their regular services. These organizations are called Business Associates (BA). Both parties are accountable for protecting the medical data that is shared. The Department of Health and Human Services defines a business associate as follows.

"A person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A business associate also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate."

Let's check out which businesses would be considered business associates according to the HIPAA rules.

  • Accountants
  • Attorneys
  • Billing agencies
  • Third-party administrators
  • Revenue cycle management firms
  • Patient safety or accreditation organizations
  • Paralegal staff
  • Medical transcription companies and medical information outsourcing companies
  • Accreditation companies
  • Data processing firms
  • Medical equipment services companies that handle equipment containing patient information
  • Medical record review outsourcing companies
  • Professional translators

Importance of HIPAA Compliance in Medical Records Review Outsourcing

Medical record review and analysis is an integral part of any lawsuit involving personal injury, medical malpractice, or workers' compensation. The tricky aspect is that medical records are the primary evidence of the physical harm sustained by a claimant. Reviewing the claimant's medical records is the key process for identifying and substantiating the damages, which in turn determines the compensation the claimant deserves.

Medical record review is done either in-house by the legal team or by outsourcing to a medical chart review company. In both cases, the medical records must be disclosed to the team that conducts the review. The privacy of the medical files shared with these business associates is a major concern, especially since they are tied to litigation. Compliance with the HIPAA rules is therefore a crucial factor when outsourcing, and particularly when offshoring, the medical record review process.

The HIPAA rules require a covered entity and its business associate to sign a Business Associate Agreement (BAA) before Protected Health Information is shared. A BAA is a legal contract that establishes the permitted uses and disclosures of the PHI, requires the business associate to apply appropriate safeguards, to report breaches and security incidents, and to flow the same obligations down to any subcontractor, and to return or destroy the PHI when the service ends. It also describes the consequences of a HIPAA violation.

Is Your Medical Record review Outsourcing Partner HIPAA Compliant?

When an attorney outsources a claimant's medical records to a medical record review outsourcing company, the company is acting as a subcontractor, and the HIPAA rules require a BAA between the two parties just as they do between a covered entity and its business associate. In such cases, neither party may use or disclose the PHI other than as specified in the contract or as required by law.

When picking a medical chart outsourcing partner, it is vital for the legal team to check the organization's HIPAA compliance. High-quality medical record review reports produced in a HIPAA-compliant environment should be the criterion. Referring to the HIPAA Compliance Checklist for 2021 will give you more insights on this.

For a medical record review company to be HIPAA compliant, both the employer and the employees should be aware of the HIPAA rules and adhere to the outlined HIPAA standards. Let's check out the requirements for a medical record reviewing company to become HIPAA compliant.

  • The medical record review outsourcing company should have adequate administrative, technical, and physical safeguards in accordance with the HIPAA Security Rule, starting with a documented risk analysis.
  • Each person handling electronic PHI should have a centrally managed, unique user ID and a strong authentication credential (a password or multi-factor login, not a shared PIN), so that every access can be attributed to one individual.
  • Devices must encrypt ePHI whenever it is sent or received outside the internal network, for example over TLS or an encrypted file transfer channel.
  • Data encryption at rest on workstations, servers, and backups is also essential, so that a stolen disk or a breached server does not expose the patient information in the medical records.
  • Automatic log-off of PCs and devices after a short idle period should be enforced, to prevent unauthorized access to ePHI when a device is left unattended.
  • Security surveillance, network controls, and data transfer technologies should meet the requirements of the HIPAA rules.
  • Facility access controls must be implemented to prevent unauthorized physical access to, and tampering with, the medical charts.
  • Legal nurse consultants involved in reviewing medical charts are also bound by HIPAA as part of the business associate's workforce (or as subcontractors), and they should have completed HIPAA training.
  • The entire medical chart reviewing crew should be aware of the HIPAA guidelines for handling medical records and of the consequences of failing to comply.
  • Personal electronic devices such as laptops or cell phones should never be used by medical chart reviewers on the premises.
  • The medical record review analyst should never disclose the patient information contained in the medical records.
  • The organization should never share or use the PHI in the medical charts for any research or survey purpose.
  • The organization should periodically evaluate its HIPAA compliance.
  • Any security gaps identified should be remediated promptly, with expert assistance where needed, and the remediation documented.
  • Audit logs that record who accessed which records and when, together with compliance review reports, should be maintained and protected from tampering.
  • After the service is completed, the medical record review reports should be transferred through a secure, encrypted channel, and the PHI should be securely deleted from the company's servers in line with the BAA and any retention obligations.
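Two of the items above, automatic log-off and tamper-evident audit logs, are concrete enough to show in code. The following is an added example written for this page, not code from LezDo techmed or any product it uses. It models an idle-session timeout and a hash-chained, HMAC-authenticated access log so that an entry that is edited or deleted after the fact is detected on verification. The timeout value, the log key, the class and function names, and the sample access events are all assumptions made for illustration; in production the key would live in a secrets manager or HSM, and the log would be written to append-only storage.

```python
"""Added example: idle-session log-off plus a hash-chained ePHI access audit log.

Hypothetical names throughout; not the page's or any vendor's code.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed policy value: log the user off after 15 minutes without activity.
IDLE_TIMEOUT_SECONDS = 15 * 60

# Illustration-only key. A real deployment would load this from a secrets
# manager or HSM, never hard-code it.
AUDIT_LOG_KEY = b"example-audit-key-do-not-use"


@dataclass
class Session:
    user_id: str
    last_activity: float  # seconds since epoch
    active: bool = True


def touch_or_logoff(session: Session, now: float) -> bool:
    """Refresh the session on activity, or log it off if it idled too long.

    Returns True if the session is still usable after this call.
    """
    if not session.active:
        return False
    if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        session.active = False  # automatic log-off
        return False
    session.last_activity = now
    return True


class AuditLog:
    """Append-only access log in which every entry's HMAC covers the previous
    entry's HMAC, so editing, deleting, or reordering entries breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    def _mac(self, body: dict) -> str:
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def record(self, ts: float, user_id: str, record_id: str, action: str) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        body = {"ts": ts, "user": user_id, "record": record_id,
                "action": action, "prev": prev}
        entry = dict(body, mac=self._mac(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int]:
        """Return (True, count) if the chain is intact, else (False, bad_index)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev:
                return False, i
            if not hmac.compare_digest(self._mac(body), entry["mac"]):
                return False, i
            prev = entry["mac"]
        return True, len(self.entries)


def simulate() -> tuple[bool, bool, bool, bool, int]:
    """Run both controls on constructed sample activity and return the outcomes."""
    session = Session(user_id="reviewer01", last_activity=0.0)
    still_active_after_10_min = touch_or_logoff(session, now=600.0)
    still_active_after_long_idle = touch_or_logoff(session, now=2000.0)

    log = AuditLog(AUDIT_LOG_KEY)
    # Constructed sample access events for a claimant's chart.
    log.record(100.0, "reviewer01", "chart-0001", "view")
    log.record(160.0, "reviewer01", "chart-0001", "annotate")
    log.record(220.0, "reviewer02", "chart-0002", "view")
    intact_before, _ = log.verify()

    # Simulate an insider rewriting who performed the second action.
    log.entries[1]["user"] = "someone-else"
    intact_after, bad_index = log.verify()
    return (still_active_after_10_min, still_active_after_long_idle,
            intact_before, intact_after, bad_index)


if __name__ == "__main__":
    print(simulate())
```

Note that the chain only detects tampering that happens after an entry is written; an attacker who also holds the HMAC key can re-sign the log, which is why the key must be kept outside the reviewers' reach and the log shipped off-host as it is produced.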


What counts as a HIPAA violation?

Business associates are directly liable for compliance with specific provisions of the HIPAA rules. They must report any breach of unsecured PHI, and any security incident covered by the BAA, to the covered entity without unreasonable delay and no later than 60 days after discovery. The covered entity then notifies the affected individuals and the U.S. Department of Health & Human Services (HHS). Typical violations include impermissible uses or disclosures of PHI, failure to perform a risk analysis, lack of safeguards such as encryption or access controls, lack of a BAA, and failure to give patients access to their records.

The HHS Office for Civil Rights and state attorneys general can penalize business associates directly for HIPAA violations. Some offenses, such as knowingly obtaining or disclosing PHI for personal gain, may also result in criminal charges. As a result, HIPAA compliance is a serious undertaking for any business associate.


Privacy and confidentiality of medical data are an individual's right. Unlawful access to or misuse of medical records should be reported immediately to the doctor's office, and a complaint can also be filed with the HHS Office for Civil Rights. Complying with the HIPAA rules is a crucial factor that cannot be compromised in medical chart review and analysis. Outsourcing health information management should not create data privacy risks.

Before engaging a company to outsource medical records to, its HIPAA compliance should be audited. Violation of HIPAA is a serious offence that can have significant consequences for medical chart reviewing companies. We will discuss breaches of HIPAA in more detail in our upcoming blog.

Follow us on Twitter for more updates.