A HIPAA Primer
Use the text to complete the Test, then forward completed work to the HIPAA compliance officer.

The many parts of HIPAA

The federal government enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with the intent to ensure health insurance portability, reduce healthcare fraud and abuse, guarantee security and privacy of health information and enforce standards for health information. Title II, Subtitle F of this act mandates regulations in five areas:

1. Electronic transaction standards
2. Unique health identifiers
3. Standard code sets
4. Security code sets
5. Privacy of individually identifiable health information

Current status of HIPAA regulations

Regulations for electronic transactions and standard code sets went into effect October 16, 2003.

Regulations for data security went into effect Feb 20, 2003. This regulation covers electronic information only.

Privacy regulations went into effect April 14, 2003.

The Privacy Rule impacts all health care providers and is the focus of this packet.

Protected Health Information (PHI)

Information, whether oral or recorded in any form, that relates to the past, present, or future physical or mental health or condition of an individual; or to the past, present, or future payment for the provision of health care to an individual.

Individually Identifiable Patient Information (a subset of PHI)

The following individually identifiable data elements are deemed protected health information under The Privacy Rule:

· Name
· Geographic subdivisions smaller than a state
· Birth date (except year)
· Telephone number
· E-mail address
· Social Security number
· Medical record number
· Health plan beneficiary number
· Account number
· Certificate/license numbers
· Vehicle identifiers & serial numbers
· Device identifiers & serial numbers
· Uniform resource locators (URLs)
· IP address numbers
· Biometric numbers
· Full face photographs
· Any other unique identifying number, characteristic or code

Notice of Privacy Practices

The Privacy Rule requires health care entities to provide patients notice about the uses and disclosures of protected health information that may be made by the provider, the patient’s rights, and the provider’s legal duties with respect to the protected health information.

The notice must be written in plain language and contain all the elements specified in the Privacy Rule. The header of the notice must contain the following: “This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”

Signed consent versus written acknowledgement of receipt of notice.

Uses and Disclosures of PHI

· Treatment, Payment and Healthcare Operations
· Minimum Necessary for Uses and Disclosures
· Reasonable Safeguards to protect privacy
· Incidental Disclosures
· Business Associate Agreements

Disclosures without authorizations

Disclosures without authorization will continue to be possible when one of the following applies:

· Required by law
· Public health activities (communicable diseases)
· Abuse, neglect, domestic violence
· Health oversight activities (State Inspections, Joint commission surveyors)
· Workers compensation
· Judicial & administrative proceedings (court orders)
· Law enforcement purposes (minimum information in special circumstances)
· Decedents
· Organ Donation purposes
· Specialized government functions (rare instances of National Security)

Specific criteria apply to each of the above exceptions, and only authorized departments or individuals in the hospital will have authority to make required releases.

Except when specifically exempted (TPO, or see above), health care providers may not use or disclose protected health information without a valid patient authorization. A valid authorization consists of the following elements:

· Description of the information to be disclosed
· Name of the person authorized to make disclosure
· Name of the person to whom the provider may make disclosure
· Expiration date
· Statement of the individual’s right to revoke
· Statement that information may be subject to re-disclosure
· Signature of the individual and date
· Description of a representative’s authority to sign

Patients’ Rights

The Privacy Rule for the first time extends to all patients certain rights relating to their protected health information, including:

· The right to request restrictions of uses and disclosures of their information
· The right to receive communications of protected information by alternative means or alternative locations
· The right to access, inspect, and obtain a copy of their protected health information
· The right to amend protected health information or a record about the patient
· The right to receive an accounting of disclosures of protected information made by the provider

Employee Training

The Privacy Rule requires health care facilities to train all members of their workforce on their policies and procedures relating to protected health information, as necessary and appropriate for the members of the workforce to carry out their functions within the facility. The facility must also document that the training has been provided.

Civil and Criminal Penalties

The Office of Civil Rights is the enforcement and monitoring body for Privacy Complaints and Violations.

· General noncompliance with privacy regulations (i.e. failure to adopt or adhere to a specific requirement): $100 per violation and up to $25,000 per person for all identical violations in a calendar year

Specific noncompliance with HIPAA

· $50,000 fine and imprisonment if we knowingly obtain or disclose individually identifiable health information
· $100,000 fine and imprisonment for 5 years if we knowingly obtain or disclose health information under false pretenses
· $250,000 fine and/or up to 10 years imprisonment if we obtain or disclose health information with the intent to sell, transfer, or use the information for financial or malicious gain

Other risks of noncompliance: increased exposure to lawsuits for breach of confidentiality; loss of accreditation; government audits; and harm to business associations.

What does the regulation do?

The Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.

· It gives patients more control over their health information
· It sets boundaries on the use and release of health records
· It establishes safeguards that health care providers and others must achieve to protect the privacy of health information
· It holds violators accountable, with civil and criminal penalties that can be imposed if patients’ privacy rights are violated
· It strikes a balance when public responsibility requires disclosure, for example, to protect public health

What does this regulation require the average provider or health plan to do?

For the average health care provider or health plan, the Privacy Rule requires activities such as:

· Providing information to patients about their rights and how their information can be used
· Adopting clear privacy procedures for its practice, hospital or plan
· Training employees so that they understand the privacy procedures
· Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed
· Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them