Ely, Counselor at Law
Category: Legal
Experience:  Private practice with focus on family, criminal, PI, consumer protection, and business consultation.
We are a small Chiropractic Office with no employees. We do not have internet at the office, never check eligibility online, and do not file any insurance claims electronically. In addition, we only have "old-fashioned" paper files on our patients. Do we have to be HIPAA compliant?
Hello friend. My name is XXXXX XXXXX; welcome to JustAnswer. Please note: (1) this is general information only, not legal advice, and (2) there may be a slight delay between your follow-ups and my replies.

On this website, I do not always get to give good news, and this is one of these times. The answer is yes. Any covered entity must be compliant. A covered entity is defined per 45 CFR 160.103 and a good explanation in layman's terms for it may be found here.

So it does not matter whether the office is big or small, staffed or not, etc. HIPAA applies. However, just because it does, does not mean that one has to use electronic storage, etc. Provided that the paper files are stored reasonably securely, that is all that matters.

HIPAA's Security Rule deals specifically with Electronic Protected Health Information (EPHI). It does not require that files be electronic, but simply dictates reasonable safety standards if they are.

Please note: I aim to give you genuine information and not necessarily to tell you only what you wish to hear. Please, rate me on the quality of my information and do not punish me for my honesty. I understand that hearing things less than optimal is not easy, and I empathize.

Gentle Reminder: Please use the REPLY button to keep chatting, or RATE my answer when we are finished. Kindly rate my answer as one of the top three faces and then submit, as this is how I get credit for my time with you. Rating my answer the bottom two faces does not give me credit and reflects poorly on me, even if my answer is correct. I work very hard to formulate an informative and honest answer for you; please reciprocate my good faith. (You may always ask follow ups at no charge after rating.)
Customer: replied 3 years ago.

But on that website it says:

This includes providers such as:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

Right, I think the example is confusing.

You see, HIPAA is made up of several parts. The two main parts that concern medical offices are PRIVACY RULE and SECURITY RULE.

PRIVACY RULE concerns patient information. This is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. 45 C.F.R. 164.501. If you have it, then that part of HIPAA covers you and the office must abide by the Privacy Rule.

SECURITY RULE concerns storage of that patient information. The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information (PHI), including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. If your office does not have electronic storage, then the SECURITY RULE does not apply, but the PRIVACY RULE still does, and maintains that patient information shall be stored reasonably safely.

I hope this clarifies.

Gentle Reminder: Please use the REPLY button to keep chatting, or RATE and submit your rating when we are finished.