Updated: February 2010
HIPAA was enacted as a broad Congressional attempt at healthcare reform; it was initially introduced in Congress as the Kennedy-Kassebaum Bill. The landmark Act was passed in 1996 with two objectives:
- One was to ensure that individuals would be able to maintain their health insurance between jobs. This is the Portability part of the Act. It is relatively straightforward and has been successfully implemented.
- The second part of the Act is the "Accountability" portion. This section is designed to ensure the security and confidentiality of patient information/data. In addition, it mandates standards for the electronic transmission of administrative and financial data relating to patient health information.
This document presents a summary of the second part of the Act. For specific information and guidance on policies and procedures for complying with HIPAA, please see our Faculty and Staff - Guidance page.
The HIPAA legislation required the Department of Health and Human Services (DHHS) to promulgate regulations on the specific areas of HIPAA, called the Rules. These Rules were finalized at various times, and health care organizations had 2 or 3 years (depending on size) to comply with the specific requirements.
The Rules are composed of Standards. The HIPAA Standards evolved from many years of public and private sector collaboration. Industry workgroups were formed and reports written with recommendations on how to better manage and protect health information. The goal of this initiative was to define national standards for transferring health information among healthcare providers, health plans, and clearinghouses (covered entities) while securing health information and ensuring patient privacy and confidentiality. The Standards cover:
- Transactions: nine encounter related transactions
- Code Sets: diagnostic, therapeutic, and treatment codes
- Identifiers: unique identifiers for the parties to a transaction (for example the Health Plan Identifier)
- Privacy: defined as controlling who is authorized to access information. Better said, it is the right of individuals to keep information about themselves from being disclosed.
- Security: defined as the ability to control access to information, and to prevent it from accidental or intentional disclosure to unauthorized persons and from alteration, destruction, or loss.
See the University of Chicago Medical Center Organizational Contacts for the people responsible for each of these areas.
HIPAA applies to health plans, healthcare clearinghouses, and to healthcare providers that electronically transmit health information in connection with standard transactions.

"Health plan" generally includes any individual or group plan, private or governmental, that provides or pays for medical care. Employer health benefit plans are excluded if they are self-administered and have fewer than 50 participants. Government-funded programs are excluded if their principal purpose is something other than providing or paying for health care, or if their principal activity is the direct provision of health care or the making of grants to fund health care.

"Healthcare clearinghouse" is a public or private entity that processes health information received from another entity, or converts transactions from non-standard into standard format, or vice versa. The regulations distinguish between a clearinghouse dealing with information in its own right (in which case it is subject to all the requirements of the regulations) and a clearinghouse acting in its capacity as a business associate of another covered entity (in which case some requirements do not apply, but it is bound by its business associate contract with the covered entity). For example, the individual rights provisions would be enforced through the business associate contract, not directly.

"Healthcare provider" is any person or organization who furnishes, bills, or is paid for health care in the normal course of business. Providers are covered by the rules only if they transmit health information electronically in connection with a standard transaction.

An entity that fits more than one definition must comply with the rules as they affect each of its functions, and may use or disclose health information only as appropriate to the function for which the use or disclosure is made.

All health plans, claims clearinghouses, and health care providers that choose to conduct any of the transactions in electronic form must comply within 24 months after the effective date of each final rule (small health plans have 36 months).
Requirements - Transactions
Many healthcare providers and health plans already used EDI (Electronic Data Interchange), the digital exchange of standard business data. Electronic transactions were so prevalent that the industry estimated that 400 different formats were being used to process health care claims. This lack of standardization makes it difficult for vendors to develop software solutions, decreases potential efficiencies, and increases costs for healthcare providers and health plans. Widely adopted standards are required to perform EDI with a common interchange and data structure. Under HIPAA, DHHS was directed to issue standards for electronic data transactions used in administering healthcare data and information. Using uniform standards eliminates the need to adapt software to the many proprietary formats now being used by providers and health plans. Operational efficiencies with long-term savings are the anticipated results.

The HIPAA standard EDI format requires standardization of the data content by specifying uniform definitions of the data elements that will be exchanged in each type of electronic transaction, and by identifying the specific codes or values that are valid for each data element. Standards were adopted for the following administrative and financial health care transactions:
- Health claims and equivalent encounter information.
- Enrollment and disenrollment in a health plan.
- Eligibility for a health plan.
- Health care payment and remittance advice.
- Health plan premium payments.
- Health claim status.
- Referral certification and authorization.
- Coordination of benefits.
- First report of injury.
All providers, clearinghouses, and health plans that exchange transactions electronically are required to modify existing or install new information systems to incorporate the data requirements of the new transaction standards, and to use the adopted medical and non-medical code sets.
Requirements - Privacy
Very few people are going to argue that ensuring the privacy of protected health information (PHI) is not important. Every individual has the right to know that his/her information is not going to be released to just anyone. Numerous examples exist of what can happen when personal information finds its way to a third party in an unauthorized manner. It can mean tremendous embarrassment and heartache for the individual. Moreover, if an organization fails to ensure the confidentiality of patient information, it can lead to financial and legal repercussions as well as the loss of public trust.
What is Protected Health Information?
PHI is any individually identifiable health information, including demographic information, that relates to the past, present, or future physical or mental health condition of an individual, the provision of health care to the individual, or payment for that care, and that identifies the individual or could reasonably be used to identify the individual. The Privacy Rule lists the following identifiers that, when combined with health information, make it PHI and must be protected (the same list is used to decide whether data has been de-identified):
- Names
- Address (including zip code)
- Dates (birth, admission, discharge, death)
- Telephone numbers
- Fax numbers
- E-mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/License numbers
- Vehicle identifiers and serial numbers (including license plate numbers)
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) addresses
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
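The identifier list above is also what a data loss prevention check looks for when it decides whether a document can leave the organization or whether a data set has really been de-identified. The Python example below is added here for illustration and is not part of the original page or of any UCMC tooling; the regular expressions, the assumed "MRN" plus seven digits record-number format, and the sample record are all constructed assumptions. It scans free text for the identifier categories that have a recognisable surface form, reports what it finds, and produces a redacted copy.

```python
"""Scan free text for the HIPAA Safe Harbor identifier categories.

Added example (not from the original page or from UCMC): the regular
expressions, the assumed MRN format and the sample record are constructed
for illustration. Names, street addresses, biometrics and photographs have
no regular surface form and are NOT detected here; they need other controls.
"""
import re
from typing import Dict, List, Tuple

# Identifier categories from the Privacy Rule list that a regex can recognise.
PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r'\bhttps?://[^\s<>"]+', re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Safe Harbor strips every date element except the year, so any full date is flagged.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Assumed local medical record number scheme: "MRN" followed by seven digits.
    "mrn": re.compile(r"\bMRN[-: ]?\d{7}\b", re.IGNORECASE),
}

# Constructed, fictitious record used as sample input.
SAMPLE_RECORD = (
    "Patient MRN 0012345, DOB 02/15/1961, discharged 2010-02-01. "
    "Home: 123 Main St, Springfield IL 62701. "
    "Phone 773-702-1000, e-mail jdoe@example.com, SSN 123-45-6789. "
    "Portal login from 10.0.0.5; see http://intranet.example/pt/0012345"
)


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (category, matched_text) pairs in order of appearance."""
    hits = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), category, m.group(0)))
    hits.sort()
    return [(category, match) for _, category, match in hits]


def redact(text: str) -> str:
    """Replace each identifier with a [CATEGORY] token.

    Zip codes keep their first three digits, which Safe Harbor permits for
    areas with more than 20,000 people (smaller areas must become 000).
    URLs and dates are replaced before zip codes run so that digit runs inside
    them are not mistaken for zip codes.
    """
    out = text
    for category, pattern in PATTERNS.items():
        if category == "zip":
            out = pattern.sub(lambda m: m.group(0)[:3] + "XX", out)
        else:
            out = pattern.sub(f"[{category.upper()}]", out)
    return out


def is_safe_harbor_clean(text: str) -> bool:
    """True when none of the pattern-detectable identifiers remain."""
    return not find_identifiers(text)


if __name__ == "__main__":
    for category, match in find_identifiers(SAMPLE_RECORD):
        print(f"{category:13s} {match}")
    print(redact(SAMPLE_RECORD))
```

Pattern matching is a tripwire, not proof of de-identification: a five-digit account number will be flagged as a zip code, and a patient's name or street address passes through untouched, so a record that scans clean still needs review against the full identifier list.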
PHI is part of everything you do. It exists in verbal and written communication, in interactions with technology (i.e. faxing, e-mailing) and in activities covered by the privacy rules. For example, we come into contact with a patient's health information when we speak to a colleague about a patient's treatment, review a patient's medical record or bill, and when we access information using a computer.
Use and Disclosure
Under the Privacy Rule, we may use and disclose PHI without the patient's written authorization for the purposes of treatment, payment, and health care operations. Treatment refers to the provision, coordination, and/or management of a patient's condition through diagnostic testing, referral for services in another specialty, and consultations between providers. Payment refers to the activities of obtaining reimbursement for services and interacting with insurers or others involved in the reimbursement process. This area also includes eligibility verification and billing and collection. Health care operations pertains to all other areas, including quality assurance activities, competency activities, residency and medical school programs, conducting audit programs for compliance, training programs for allied health, and business planning and development, to name only a few.
There are other situations in which information may be used or disclosed without the patient's authorization. Some of these are:
- Workers Compensation
- Law Enforcement Purposes
- Victims of Abuse
- Health Oversight Activities
- Public Health Activities
Under the HIPAA Privacy Rule, organizations must obtain the patient's signature (authorization) for any use or disclosure outside of treatment, payment, and health care operations unless it is specifically identified as an area of exception under the provisions of the Privacy Rule. Specific authorizations are required for:
- Psychotherapy notes
- Marketing (some exceptions)
- Fund Raising
The HIPAA Privacy Rule is not intended to prohibit the patient's treatment team from talking to each other and/or to their patients. Of course, others outside the treatment team may be present during these discussions. While reasonable precautions should be used to avoid sharing patient information with those not involved in the patient's care, it is possible that small amounts of patient information may be overheard by people near where care is delivered or being coordinated. This is referred to as an incidental disclosure. Privacy principles do not prohibit incidental disclosure of patient information so long as reasonable safeguards are taken to minimize the disclosure. What is reasonable depends on the situation.
Minimum Necessary and Need to Know
The PHI you need to do your job is called the "minimum necessary"; it is the information you "need to know" to do your job. Despite safeguards and controls to minimize access, we know that PHI surrounds us. If you come into contact with PHI and your job does not require it, you should not discuss or use this information.
Notice of Privacy Practices
The Privacy Rule requires healthcare facilities to provide patients with a notice advising them of their rights and telling them how their PHI may be used or disclosed. This is called the Notice of Privacy Practices. Every patient is required to receive the Notice at their initial visit to the hospital. The Notice provides patients with information regarding their rights under the Privacy Rule. Every patient has the right to:
- Access their own records and obtain copies.
- Ask to amend or correct any inaccurate or incomplete PHI.
- Request a restriction limiting access to or disclosure of their PHI.
- Request an accounting of how their PHI has been disclosed.
- Receive written notice of how their PHI may be used or disclosed.
- File a complaint if they believe their privacy has been violated.
In February 2009, the Health Information Technology for Economic and Clinical Health Act ("HITECH") was enacted as part of the American Recovery and Reinvestment Act of 2009 ("ARRA"). HITECH makes significant changes to HIPAA's administrative simplification provisions relating to privacy and security, including notifying individuals (and in some instances, media outlets) when there has been a privacy/security breach. Previously, covered entities (health care providers, health plans, and health care clearinghouses) were obligated to mitigate harm from unauthorized disclosures of protected health information ("PHI"), but were not required to give notice to the individuals whose information was inappropriately disclosed. With HITECH, covered entities and their business associates are required to notify individuals when privacy or security breaches occur with respect to "unsecured" PHI. Unsecured information means information not protected through the technology or methods (such as encryption) designated by the federal government in DHHS guidance. In addition, if the breach involves 500 or more individuals, notice to the U.S. Department of Health and Human Services and the media is required.
What is a breach?
Under the HITECH regulations, a "breach" is the unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of the PHI. "Compromises the security or privacy of PHI" means that the breach poses a significant risk of financial, reputational or other harm to the individual. Covered entities need to notify an individual of a breach of his/her PHI "without unreasonable delay" and no later than 60 days after discovery of the breach. A covered entity is considered to have become aware of the breach when the first workforce member or business associate (other than the person who committed the breach) knew, or reasonably should have known, of the breach. Because of this quick time frame, all UCMC employees and faculty need to be aware of these breach notification provisions and continue to report breaches to the HIPAA Program Office as soon as they are discovered.
Complaints and Enforcement
We must have a procedure to address patient complaints. Patients can contact the HIPAA Program Office to make a complaint, and may also contact the federal agency in charge of enforcing the Privacy Rule, the Office for Civil Rights (OCR) of DHHS.

Civil penalties for not obeying the Privacy Rule are tiered based on increasing levels of knowledge of the covered entity:

| Tier | Penalty per violation |
|------|----------------------|
| Violations where the covered entity did not know, and by exercising reasonable diligence would not have known, that it violated the HIPAA Privacy Rule | $100 to $50,000 |
| Violations due to reasonable cause and not willful neglect | $1,000 to $50,000 |
| Violations due to willful neglect but corrected within 30 days | $10,000 to $50,000 |
| Violations due to willful neglect and not corrected | $50,000 |

Criminal penalties for a person who knowingly violates HIPAA are as follows:
- Up to $50,000 and up to a one year prison term
- Up to $100,000 and up to 5 years in prison for wrongful conduct committed under false pretenses
- Up to $250,000 and up to 10 years in prison for wrongful conduct committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm.
Requirements - Security
The HIPAA Security Rule became effective (compliance date) on April 20, 2005. The Security Rule standards define how we are to ensure the integrity, confidentiality, and availability of our patients' electronic protected health information (ePHI). The Security Rule requires that we have administrative, physical, and technical safeguards for protecting ePHI. Some examples of each are:

Administrative safeguards are the policies and procedures that must be implemented to meet the Security Rule standards, for example:
- Assigning or delegating security responsibility to an individual, such as a Chief Security Officer.
- Training workforce members on security principles and practices.
- Terminating workforce members' access to information systems when they leave.
- Reporting and responding to security incidents.

Physical safeguards are the measures used to protect electronic systems, equipment, and the data they hold from threats, environmental hazards and unauthorized intrusion, for example:
- Limiting physical access to information systems containing ePHI (i.e. server rooms).
- Preventing inappropriate viewing of ePHI on computers.
- Properly removing ePHI from computers before disposing of or reusing them.
- Backing up and storing ePHI.

Technical safeguards are the automated processes used to protect data and control access to data, for example:
- Providing users with unique identifiers for accessing ePHI.
- Providing a way to access ePHI during an emergency.
- Encrypting ePHI during transmission.
- Automatically logging off users after a determined period of inactivity.
Patient Privacy/Security and Technology
As we use technology to improve patient care, we are faced with additional challenges to protect patient information from inappropriate use and disclosure. It is important to understand the form of technology being used and the precautions we must take to protect the information it carries. Our patients entrust us with their health information; therefore we must protect it against inadvertent misuse or disclosure. The consequences of not complying with HIPAA are too great. We do not want to see the University of Chicago Medical Center's name in the newspaper because of a systems attack or theft of patient information. So, it is imperative that we all follow our privacy and information security policies and do the right thing: protect the confidentiality of our patients' health information.