[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"blog-slug_blog_3_1":3,"blog-slug_blog_ultimate-hipaa-compliance-checklist-essential-steps-for-healthcare-providers_1000_1":40},{"article":4,"articles":15,"meta":33,"languages":39},{"id":5,"title":6,"excerpt":7,"locale":8,"slug":9,"authorSlug":10,"automaticTranslated":11,"publishedAt":12,"updatedAt":13,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3060,"The EU wants to kill cookie banners","The EU wants to end annoying cookie pop-ups by letting users set their consent once in their browser. If passed, websites will have to respect those choices.","en","the-eu-wants-to-kill-cookie-banners-by-moving-consent-to-your-browser","iron-brands",false,"2025-11-20T05:40:14.356Z","2025-11-20T06:13:15.812Z","blog",[4,16,26],{"id":17,"title":18,"excerpt":19,"locale":8,"slug":20,"authorSlug":10,"automaticTranslated":11,"publishedAt":21,"updatedAt":22,"ctaTitle":23,"ctaDescription":24,"doFollowLinks":11,"showIndex":25,"showCallToActions":11,"articleType":14},3019,"Google is tracking you (even when you use DuckDuckGo)","Google tracks users even on DuckDuckGo via Analytics and embeds. A new study shows how deep Google’s web tracking really goes.","google-is-tracking-you-even-when-you-use-duck-duck-go","2025-07-14T08:56:41.709Z","2025-07-14T11:26:01.386Z","If you care about privacy, you don't use Google Analytics","Ditch the tracking, keep the insights. Try Simple Analytics.",true,{"id":27,"title":28,"excerpt":29,"locale":8,"slug":30,"authorSlug":10,"automaticTranslated":11,"publishedAt":31,"updatedAt":32,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3018," German court rules Meta’s tracking tech violates GDPR","German court rules Meta’s tracking tech violates GDPR, allowing lawsuits without proof of harm. 
Big risks ahead for sites using Meta pixels.","german-court-rules-meta-s-tracking-tech-violates-gdpr","2025-07-10T08:20:51.111Z","2025-07-10T12:16:26.327Z",{"pagination":34},{"page":35,"pageSize":36,"pageCount":37,"total":38},1,3,362,1084,{},{"article":41},{"contentHtml":42,"content":43,"inlineMedia":44,"id":46,"title":47,"excerpt":48,"locale":8,"slug":49,"authorSlug":10,"automaticTranslated":11,"publishedAt":50,"updatedAt":51,"doFollowLinks":11,"showIndex":25,"showCallToActions":25,"articleType":14,"languages":52},"\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">The HIPAA is a long and complex piece of legislation. All we can do is provide very high-level information. This checklist is meant to be a mere starting point to help you navigate HIPAA compliance. If you need to go any deeper, you must get a legal professional involved.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Also, keep in mind that HIPAA is \u003Cstrong>not just about privacy\u003C/strong>. The law includes rules on security rules, portability rules, technical standards for electronic health records, and more. On its own, compliance with the Privacy Rule does not ensure compliance with the HIPAA as a whole. 
Don’t forget about all the rest!\u003C/ContentEditable>\n\u003Col class=\"counters\">\u003Cli>\u003CNuxtLink to=\"#does-hipaa-apply-to-me\">Does HIPAA apply to me?\u003C/NuxtLink>\u003Col>\u003Cli>\u003CNuxtLink to=\"#is-my-organization-or-my-customer-a-hipaa-covered-entity\">Is my organization or my customer a HIPAA-covered entity?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#is-my-organization-a-business-associate-or-subcontractor\">Is my organization a business associate or subcontractor?\u003C/NuxtLink>\u003C/li>\u003C/ol>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#what-information-is-covered-by-hipaa\">What information is covered by HIPAA?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#i-am-a-covered-entity-now-what\">I am a covered entity; now what?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#i-am-a-business-associatesubcontractor-now-what\">I am a business associate/subcontractor; now what?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#final-thoughts\">Final Thoughts\u003C/NuxtLink>\u003C/li>\u003C/ol>\u003CCtaOne />\u003CContentEditable  id=\"does-hipaa-apply-to-me\" parent=\"\" tag=\"h2\" :articleId=\"616\">Does HIPAA apply to me?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">First of all, you need to figure out whether HIPAA covers your organization. This means that you need to figure out whether you are a \u003Cstrong>covered entity\u003C/strong>, a \u003Cstrong>business associate\u003C/strong>, or a \u003Cstrong>subcontractor\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">If you are none of those things, you don’t need to worry about HIPAA at all. 
But other rules on health data may still apply (for instance, the CCPA’s rules on sensitive data).\u003C/ContentEditable>\n\u003CContentEditable  id=\"is-my-organization-or-my-customer-a-hipaa-covered-entity\" parent=\"\" tag=\"h3\" :articleId=\"616\">Is my organization or my customer a HIPAA-covered entity?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Covered entities (CEs) belong to three categories:\u003C/ContentEditable>\n\u003Cul>\n\u003Cli>healthcare providers. These are individuals, groups, or organizations providing medical services, care, equipment, or supplies as part of their usual business.\u003C/li>\n\u003Cli>health plans are individual, or group plans that provide or pay for medical care.\u003C/li>\n\u003Cli>healthcare clearinghouses are defined in a very complicated way, but in practical terms, they are usually intermediaries such as payment providers and added-value networks.\u003C/li>\n\u003C/ul>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Please note that these legal definitions come with many exceptions. It’s impossible to sum them all up, so make sure to check § 160.103 in the \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">consolidated text\u003C/a> of the law.\u003C/ContentEditable>\n\u003CContentEditable  id=\"is-my-organization-a-business-associate-or-subcontractor\" parent=\"\" tag=\"h3\" :articleId=\"616\">Is my organization a business associate or subcontractor?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">\u003Cstrong>Business associates\u003C/strong> (BAs) also have obligations under the HIPAA and Privacy rules. 
A BA is someone who provides a covered entity with certain services \u003Cstrong>and receives protected health information (PHI)\u003C/strong> from the covered entity.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Services provided by BAs include data analysis, processing, and administration. So the legal definition covers many intermediaries offering information society services such as web hosting and web analytics. The trickiest part in determining if you are a BA is assessing whether your customer is a HIPAA-covered entity (see the section above).\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Please note that working for a covered entity and accessing PHI are cumulative requirements. If you do not receive PHI, then you are not a BA, regardless of who you work with. Likewise, if you process health information but are not a CE and do not work with one, then you don’t need to worry about HIPAA (but other legislation, such as the CCPA, may apply to you).\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">The HIPAA also covers \u003Cstrong>subcontractors\u003C/strong> who help BAs provide their service. You can think of a subcontractor as the business associate of a business associate.\u003C/ContentEditable>\n\u003CContentEditable  id=\"what-information-is-covered-by-hipaa\" parent=\"\" tag=\"h2\" :articleId=\"616\">What information is covered by HIPAA?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">If you qualify as a covered entity/business associate/subcontractor, then you have certain obligations under HIPAA. 
But \u003Cstrong>this does not mean that these obligations cover all the data you process!\u003C/strong> So the next step is figuring out what is PHI and what is not among the information you process.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Three cumulative criteria define protected health information:\u003C/ContentEditable>\n\u003Cul>\n\u003Cli>a. it is collected by a covered entity\u003C/li>\n\u003Cli>b. it relates to health\u003C/li>\n\u003Cli>c. it is personally identifiable\u003C/li>\n\u003C/ul>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">If any of these requirements are missing, then you are not processing PHI.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Let’s say a hospital offers medical professionals a seminar on a new and innovative treatment and advertises the seminar through its website. The website uses Google Analytics on the page for the seminar. Does this involve the disclosure of PHI?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Let’s break it down:\u003C/ContentEditable>\n\u003Cul>\n\u003Cli>a hospital is a healthcare provider. \u003Cem>Requirement a is satisfied\u003C/em>\u003C/li>\n\u003Cli>\u003CNuxtLink to=\"/blog/hipaa-compliant-website-analytics\"  >Google Analytics collects data\u003C/NuxtLink> that qualifies as personally identifiable information under the HIPAA (cookie IDs and possibly IP, depending on settings and software version). \u003Cem>Requirement c is satisfied\u003C/em>\u003C/li>\n\u003Cli>the fact that someone wants to attend a seminar on the topic does not mean that they have the disease. In fact, the seminar is aimed at medical professionals who are likely to be professionally interested in the topic. \u003Cem>Requirement b is NOT satisfied\u003C/em>\u003C/li>\n\u003C/ul>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">In this case, no PHI is disclosed. 
But the answer could be different if the page provided information to the general public instead of promoting a seminar.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Bottom line is that figuring out what information is and is not PHI is not easy! All three requirements under HIPAA must be kept in mind.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">But it is also very important! Attempting to be HIPAA compliant with regard to all the data you process will be incredibly burdensome for your organization. This is why it is crucial to determine what data falls under HIPAA and what does not.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Remember that if you are a BA, then all information you do not receive from a CE cannot, by definition, be PHI. On the other hand, just because you receive information from a CE does not, in and of itself, mean that it is PHI. Again, you need to examine each data category based on the HIPAA’s definition of PHI.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Regarding web analytics, \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">the HHS’s website\u003C/a> provides useful information about PHI disclosures. 
If you are still not 100% sure as to what PHI is and what is not, please seek legal advice: the answer is really important for compliance!\u003C/ContentEditable>\n\u003CContentEditable  id=\"i-am-a-covered-entity-now-what\" parent=\"\" tag=\"h2\" :articleId=\"616\">I am a covered entity; now what?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">If you are a covered entity, then you need to comply with specific rules regarding the \u003Cstrong>disclosure of PHI\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Some disclosures are always allowed because they are necessary to treat the patient or to ensure the functioning of the healthcare system as a whole. For instance, you can disclose a patient&#39;s electronic health record to their new hospital or forward the medical bills to their health insurance.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Any other disclosure \u003Cstrong>requires written authorization\u003C/strong> from the patient. This is very important, as unauthorized disclosures are punishable under HIPAA!\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">The HIPAA includes detailed rules as to what constitutes written authorization. As a rule of thumb, the patient must be really free to decline the authorization. You are not allowed to deny healthcare services to a patient in order to extort authorization!\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">By the way, the HHS clarified that \u003CNuxtLink to=\"https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html\">clicking “ok” on cookie banners and similar pop-ups \u003Cstrong>does not count as giving written authorization\u003C/strong>\u003C/NuxtLink>. 
If you use an online service such as a web analytics service, you won’t be able to rely on pop-ups to collect consent.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Additionally, if you work with a BA, you need a \u003Cstrong>business associate agreement\u003C/strong> (BAA). A BAA is a contract that tells a BA what it can and cannot do with PHI. A BAA contains standard clauses detailed by the US Department of Health and Human Services (you can learn more about these clauses \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">here\u003C/a>).\u003C/ContentEditable>\n\u003CContentEditable  id=\"i-am-a-business-associatesubcontractor-now-what\" parent=\"\" tag=\"h2\" :articleId=\"616\">I am a business associate/subcontractor; now what?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">If you are a BA or subcontractor, you must have a business associate agreement with your business associate/covered entity.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">BAAs hold BAs and subcontractors to \u003Cstrong>similar privacy and security standards as covered entities\u003C/strong>. So having a BAA in place is not just about signing some paperwork- you need to examine its content in detail and ensure you can comply with all its requirements. This includes responding to requests for information from patients and making certain documentation available.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">If you sign a BAA, \u003Cstrong>you are liable for any agreement violation\u003C/strong>. 
You should not offer to sign a BAA unless you are really sure that your organization can process information in compliance with HIPAA. This is why many services, including very large ones like Google Analytics, are unavailable to sign a BAA! If you are in doubt, you should consult a legal professional in order to avoid any liability under HIPAA.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Different HIPAA compliance certifications are available for service providers, and they can be an asset when negotiating contracts with covered entities. But be aware that \u003Cstrong>no certification is legally recognized\u003C/strong>. A certification’s usefulness depends entirely on its recognition in the industry. You should do some research and consult a legal professional before spending money on certification.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Finally, it is worth noting that BAs and subcontractors usually have no direct relationship with patients. This means that you will not be able to rely on patient authorizations for disclosures.\u003C/ContentEditable>\n\u003CContentEditable  id=\"final-thoughts\" parent=\"\" tag=\"h2\" :articleId=\"616\">Final Thoughts\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Compliance always starts by asking the right questions, and compliance with HIPAA’s Privacy Rule is no different. 
Here are some useful steps you can go through:\u003C/ContentEditable>\n\u003Col>\n\u003Cli>assess whether you are a covered entity, a business associate, a subcontractor, or none of the above\u003C/li>\n\u003Cli>figure out what data fall under HIPAA and what does not\u003C/li>\n\u003Cli>make sure that you comply with the Privacy Rule and the rules on disclosure limitation\u003C/li>\n\u003Cli>assess whether all the business associate agreements you need are in place (and make sure you can comply with them)\u003C/li>\n\u003Cli>(optional) Consider HIPAA certification from a reputable body\u003C/li>\n\u003Cli>\u003Cstrong>don’t forget about all the other rules of HIPAA!\u003C/strong>\u003C/li>\n\u003Cli>\u003Cstrong>don’t forget about other laws on health data! (CCPA, My Health My Data, etc.)\u003C/strong>\u003C/li>\n\u003C/ol>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Again, HIPAA is a long and complex piece of legislation. This blog only contains very high-level information and is no substitute for the opinion of a qualified professional.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">At the end of the day, compliance is not simple. So it’s worth asking yourself: do I really need to disclose this data? Maybe there are fully anonymized and privacy-friendly alternatives that can spare you a lot of compliance headaches.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">\u003CNuxtLink to=\"/\"  >Simple Analytics\u003C/NuxtLink> can be such a solution for your web analytics. We do not track visitors or collect any sensitive data. We only use IP addresses for communication; even this minimal disclosure can be avoided by proxying the address.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"616\">Simple Analytics can be easily implemented HIPAA-compliantly and requires no BAA. 
If this sounds good to you, feel free to \u003CNuxtLink to=\"/signup\"  >give us a try!\u003C/NuxtLink>\u003C/ContentEditable>\n","The HIPAA is a long and complex piece of legislation. All we can do is provide very high-level information. This checklist is meant to be a mere starting point to help you navigate HIPAA compliance. If you need to go any deeper, you must get a legal professional involved.\n\nAlso, keep in mind that HIPAA is **not just about privacy**. The law includes rules on security rules, portability rules, technical standards for electronic health records, and more. On its own, compliance with the Privacy Rule does not ensure compliance with the HIPAA as a whole. Don’t forget about all the rest!\n\n## Does HIPAA apply to me?\n\nFirst of all, you need to figure out whether HIPAA covers your organization. This means that you need to figure out whether you are a **covered entity**, a **business associate**, or a **subcontractor**.\n\nIf you are none of those things, you don’t need to worry about HIPAA at all. But other rules on health data may still apply (for instance, the CCPA’s rules on sensitive data).\n\n### Is my organization or my customer a HIPAA-covered entity?\n\nCovered entities (CEs) belong to three categories:\n\n-   healthcare providers. These are individuals, groups, or organizations providing medical services, care, equipment, or supplies as part of their usual business.\n-   health plans are individual, or group plans that provide or pay for medical care.\n-   healthcare clearinghouses are defined in a very complicated way, but in practical terms, they are usually intermediaries such as payment providers and added-value networks.\n\nPlease note that these legal definitions come with many exceptions. 
It’s impossible to sum them all up, so make sure to check § 160.103 in the [consolidated text](https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf) of the law.\n\n### Is my organization a business associate or subcontractor?\n\n**Business associates** (BAs) also have obligations under the HIPAA and Privacy rules. A BA is someone who provides a covered entity with certain services **and receives protected health information (PHI)** from the covered entity.\n\nServices provided by BAs include data analysis, processing, and administration. So the legal definition covers many intermediaries offering information society services such as web hosting and web analytics. The trickiest part in determining if you are a BA is assessing whether your customer is a HIPAA-covered entity (see the section above).\n\nPlease note that working for a covered entity and accessing PHI are cumulative requirements. If you do not receive PHI, then you are not a BA, regardless of who you work with. Likewise, if you process health information but are not a CE and do not work with one, then you don’t need to worry about HIPAA (but other legislation, such as the CCPA, may apply to you).\n\nThe HIPAA also covers **subcontractors** who help BAs provide their service. You can think of a subcontractor as the business associate of a business associate.\n\n## What information is covered by HIPAA?\n\nIf you qualify as a covered entity/business associate/subcontractor, then you have certain obligations under HIPAA. But **this does not mean that these obligations cover all the data you process!** So the next step is figuring out what is PHI and what is not among the information you process.\n\nThree cumulative criteria define protected health information:\n\n-   a. it is collected by a covered entity\n-   b. it relates to health\n-   c. 
it is personally identifiable\n\nIf any of these requirements are missing, then you are not processing PHI.\n\nLet’s say a hospital offers medical professionals a seminar on a new and innovative treatment and advertises the seminar through its website. The website uses Google Analytics on the page for the seminar. Does this involve the disclosure of PHI?\n\nLet’s break it down:\n\n-   a hospital is a healthcare provider. _Requirement a is satisfied_\n-   [Google Analytics collects data](https://www.simpleanalytics.com/blog/hipaa-compliant-website-analytics) that qualifies as personally identifiable information under the HIPAA (cookie IDs and possibly IP, depending on settings and software version). _Requirement c is satisfied_\n-   the fact that someone wants to attend a seminar on the topic does not mean that they have the disease. In fact, the seminar is aimed at medical professionals who are likely to be professionally interested in the topic. _Requirement b is NOT satisfied_\n\nIn this case, no PHI is disclosed. But the answer could be different if the page provided information to the general public instead of promoting a seminar.\n\nThe bottom line is that figuring out what information is and is not PHI is not easy! All three requirements under HIPAA must be kept in mind.\n\nBut it is also very important! Attempting to be HIPAA compliant with regard to all the data you process will be incredibly burdensome for your organization. This is why it is crucial to determine what data falls under HIPAA and what does not.\n\nRemember that if you are a BA, then all information you do not receive from a CE cannot, by definition, be PHI. On the other hand, just because you receive information from a CE does not, in and of itself, mean that it is PHI. 
Again, you need to examine each data category based on the HIPAA’s definition of PHI.\n\nRegarding web analytics, [the HHS’s website](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html) provides useful information about PHI disclosures. If you are still not 100% sure as to what PHI is and what is not, please seek legal advice: the answer is really important for compliance!\n\n## I am a covered entity; now what?\n\nIf you are a covered entity, then you need to comply with specific rules regarding the **disclosure of PHI**.\n\nSome disclosures are always allowed because they are necessary to treat the patient or to ensure the functioning of the healthcare system as a whole. For instance, you can disclose a patient's electronic health record to their new hospital or forward the medical bills to their health insurance.\n\nAny other disclosure **requires written authorization** from the patient. This is very important, as unauthorized disclosures are punishable under HIPAA!\n\nThe HIPAA includes detailed rules as to what constitutes written authorization. As a rule of thumb, the patient must be really free to decline the authorization. You are not allowed to deny healthcare services to a patient in order to extort authorization!\n\nBy the way, the HHS clarified that [clicking “ok” on cookie banners and similar pop-ups **does not count as giving written authorization**](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html). If you use an online service such as a web analytics service, you won’t be able to rely on pop-ups to collect consent.\n\nAdditionally, if you work with a BA, you need a **business associate agreement** (BAA). A BAA is a contract that tells a BA what it can and cannot do with PHI. 
A BAA contains standard clauses detailed by the US Department of Health and Human Services (you can learn more about these clauses [here](https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html)).\n\n## I am a business associate/subcontractor; now what?\n\nIf you are a BA or subcontractor, you must have a business associate agreement with your business associate/covered entity.\n\nBAAs hold BAs and subcontractors to **similar privacy and security standards as covered entities**. So having a BAA in place is not just about signing some paperwork- you need to examine its content in detail and ensure you can comply with all its requirements. This includes responding to requests for information from patients and making certain documentation available.\n\nIf you sign a BAA, **you are liable for any agreement violation**. You should not offer to sign a BAA unless you are really sure that your organization can process information in compliance with HIPAA. This is why many services, including very large ones like Google Analytics, are unavailable to sign a BAA! If you are in doubt, you should consult a legal professional in order to avoid any liability under HIPAA.\n\nDifferent HIPAA compliance certifications are available for service providers, and they can be an asset when negotiating contracts with covered entities. But be aware that **no certification is legally recognized**. A certification’s usefulness depends entirely on its recognition in the industry. You should do some research and consult a legal professional before spending money on certification.\n\nFinally, it is worth noting that BAs and subcontractors usually have no direct relationship with patients. This means that you will not be able to rely on patient authorizations for disclosures.\n\n## Final Thoughts\n\nCompliance always starts by asking the right questions, and compliance with HIPAA’s Privacy Rule is no different. 
Here are some useful steps you can go through:\n\n1. assess whether you are a covered entity, a business associate, a subcontractor, or none of the above\n2. figure out what data fall under HIPAA and what does not\n3. make sure that you comply with the Privacy Rule and the rules on disclosure limitation\n4. assess whether all the business associate agreements you need are in place (and make sure you can comply with them)\n5. (optional) Consider HIPAA certification from a reputable body\n6. **don’t forget about all the other rules of HIPAA!**\n7. **don’t forget about other laws on health data! (CCPA, My Health My Data, etc.)**\n\nAgain, HIPAA is a long and complex piece of legislation. This blog only contains very high-level information and is no substitute for the opinion of a qualified professional.\n\nAt the end of the day, compliance is not simple. So it’s worth asking yourself: do I really need to disclose this data? Maybe there are fully anonymized and privacy-friendly alternatives that can spare you a lot of compliance headaches.\n\n[Simple Analytics](https://www.simpleanalytics.com/) can be such a solution for your web analytics. We do not track visitors or collect any sensitive data. We only use IP addresses for communication; even this minimal disclosure can be avoided by proxying the address.\n\nSimple Analytics can be easily implemented HIPAA-compliantly and requires no BAA. If this sounds good to you, feel free to [give us a try!](https://www.simpleanalytics.com/signup)\n",{"data":45},null,616,"Ultimate HIPAA Compliance Checklist: Essential Steps for Healthcare Providers","HIPAA isn't just about privacy. It includes security, portability rules, and more. 
Ensure you're a covered entity, business associate, or subcontractor","ultimate-hipaa-compliance-checklist-essential-steps-for-healthcare-providers","2023-06-22T13:31:53.897Z","2023-08-15T11:53:52.191Z",{"en":53,"de":54,"fr":56,"it":58,"es":60,"nl":62},{"slug":49},{"slug":55},"ultimative-checkliste-zur-einhaltung-des-hipaa-wichtige-schritte-fuer-gesundheitsdienstleister",{"slug":57},"liste-de-controle-ultime-pour-la-conformite-hipaa-etapes-essentielles-pour-les-prestataires-de-soins-de-sante",{"slug":59},"lista-di-controllo-definitiva-sulla-conformita-hipaa-passi-essenziali-per-i-fornitori-di-servizi-sanitari",{"slug":61},"lista-de-comprobacion-definitiva-del-cumplimiento-de-la-hipaa-pasos-esenciales-para-los-proveedores-sanitarios",{"slug":63},"ultieme-checklist-voor-naleving-van-hipaa-essentiele-stappen-voor-zorgverleners"]