• Federal law passed by Congress in 1996
• Regulations promulgated by the Department of Health
  and Human Services (HHS)
• Privacy Rule compliance required from April 2003
HIPAA regulations were designed to:
1) protect individuals’ rights to privacy and
   confidentiality
2) assure the security of electronic transfer of
   personal information
Health information is used by many people in the
course of a single episode of care. Below are some of the
agencies and individuals who may handle health
information. This list is not all-inclusive:
• Admitting clerks
• Transport techs
• Caregivers from the ED to the morgue
• Respiratory therapists
• Physical therapists
• Billing clerks
• Nutritionists
• Insurance agents/clerks
• Lab personnel
• School teachers/nurses
• Receptionists in MD offices
• Home health personnel
• Medical records clerks
• Website managers
Objectives
After completing this program you will be able to:
• Discuss the general concepts of HIPAA guidelines
• Adapt HIPAA guidelines to the various settings in
  which you might practice
• Discuss the seven patient/client rights regarding
  his/her health information
• Differentiate individuals who have a 'need to know'
  from those who don't. This determines those with
  whom you can discuss protected health information
• Discuss the application of HIPAA to the student role
• List the legal and professional consequences of violating
  HIPAA rules
Why HIPAA?
• Genetic advancements: as more is known about our genetic
  predisposition to diseases, HIPAA is intended to ensure that, for
  example, an individual is not denied coverage because an insurer
  knows that she may eventually develop MS.
• Marketing: as information is more easily captured
  concerning, for example, the prescriptions we purchase,
  HIPAA is designed to prevent marketing of unsolicited
  products or services based on harvested health data.
• Technology: as information is quickly and sometimes
  loosely moved around networks, HIPAA standards hold
  violators accountable for accidental or intentional
  'interception' of protected health information (PHI).
What Objectives do the Privacy Regulations
Accomplish for Patients?
• Give patients more control over their health information.
• Set boundaries on the use and disclosure of health records.
• Establish appropriate safeguards for all people who
  participate in or are associated with the provision of
  healthcare, to ensure that they honor patients' rights to
  privacy of their PHI.
• Hold violators accountable through civil and criminal
  penalties.
• Strike a balance when public responsibility requires
  disclosure of some forms of data, for example to protect
  public health.
What are the Seven Patient Rights Regarding
Privacy of PHI (Protected Health Information)?
Individuals have the right to:
1. Receive notice of an agency's privacy practices.
2. Know that an agency will use their PHI ONLY for
   treatment, payment, and healthcare operations (TPO),
   certain other permitted uses, and uses required by law.
3. Authorize, or refuse to authorize, uses and disclosures of
   their PHI beyond those permitted uses.
4. Access their protected health information (PHI),
   except for psychotherapy notes (they may be
   charged a reasonable fee for copies).
5. Request an amendment or addendum to their PHI
   (not always granted).
6. Receive an accounting of disclosures.
7. File privacy complaints with the agency's privacy officer
   or with HHS.
HIPAA Restricts Sharing PHI
Personal information cannot be released to individuals
or companies interested in marketing ventures without
the patient's written authorization. For example:
• Names of patients with diabetes cannot be released to
  a company marketing nutritional products to lower
  blood glucose.
• Names and addresses of infants or their parents
  cannot be released to formula manufacturers.
• Contact information of previous patients cannot be
  used to raise money for a hospital campaign without
  honoring the patient's right to opt out of such contact.
Who has Access to PHI?
The 'Need-to-Know' Principle
PHI should be shared with as few individuals as needed
to ensure patient care, and then only to the extent
required by the individual's role.
For example, the nursing assistant 'needs to know' only
the facts concerning the patient's current admission.
As a nurse or other professional, you will discuss PHI
only as it applies to your practice or your patient's care.
Protecting your patient's PHI
• Take all reasonable steps to make sure that individuals
  without a 'need to know' do not overhear
  conversations about PHI.
• DO NOT discuss PHI in public areas, including but not
  limited to elevators and cafeterias.
• Do not let others see your computer screen while you
  are working. Be sure to log out when you are done with
  any computer session, not just when you leave for the day.
Protecting your patient's PHI
When preparing care plans or other ancillary materials:
• identify the patient/client by initials only
• use other demographic data only to the extent necessary
  to identify the patient and his/her needs
• protect the computer screen, PDA, clipboard, or notes
  from other individuals who don't have a 'need to know'
• protect your printer output from others who don't have a
  'need to know'
• protect your floppy/zip/CD-ROM/PDA and other removable
  media from loss
• consider using Webspace to save your documents rather
  than carrying them on removable media
Consequences of HIPAA Violations
In addition to federal law, failure to comply with HIPAA
also violates:
• Nursing's Code of Ethics
• State licensing board requirements
• Medical board requirements
Potential Consequences of
HIPAA Violations
Legal consequences:
• Criminal penalties, up to and including imprisonment
• Civil penalties, including fines (up to $50,000 per
  violation, with an annual cap of $1.5 million for all
  violations of the same provision)
Professional consequences:
• Disciplinary action by the Board of Nursing
• Disciplinary action by employer
• Termination of employment
• Public embarrassment
HIPAA Supplemental Training for Health Care Settings

Today's Date: ____________________

Your Name (Printed): ____________________

I have completed this HIPAA training program. I understand the basic provisions
of the law and agree to do my part to ensure patients' rights to privacy and
confidentiality. Furthermore, I understand the consequences of failing to do so.

Your Signature: ____________________
Reference: The Health Insurance Portability and
Accountability Act of 1996 (HIPAA), Privacy and
Security Rules. Retrieved April 28, 2011, from
http://www.hhs.gov/ocr/privacy/