THE BASICS OF HIPAA
HIPAA: WHAT IS IT?


•  HIPAA does the following:
•  Creates standards for protecting the privacy of
   health information
•  Creates standards for the security of health
   information
•  Creates standards for electronic exchange of
   health information
WHAT IS COVERED BY HIPAA?

•  Protected Health Information
   The HIPAA privacy rule covers and sets standards for the
   collecting, sharing and storing of a person’s Protected Health
   Information, or PHI, for short. PHI is information that:
•  Relates to past, present or future physical or mental health or
   condition, or to the provision of or payment for health care.
•  Identifies the individual in a personal way.
•  Provides a reasonable basis to be used to identify the
   individual.
•  Is created or received by a Covered Entity.
WHAT IS PRIVATE HEALTH INFORMATION?
Protected health information (PHI) is:
•  Individually identifiable health information
•  Transmitted or maintained in any form or medium by a
   Covered Entity or its Business Associate
•  Health information, including demographic information
•  Relates to an individual’s physical or mental health or
   the provision of or payment for health care
•  Identifies the individual
TYPES OF PHI


•  Billing Information
•  Medical Insurance Forms
•  Prescriptions
•  Patient Charts/Records (Paper or Electronic)
WHAT DOES HIPAA APPLY TO?


•  Forms
•  Spoken Communication
•  E-mails
•  Faxes
PROTECTING PHI WITH HIPAA MEANS:


•  Removal of certain identifiers so that the individual who
   is the subject of the PHI may no longer be identified
•  Application of a statistical method, or
•  Stripping of listed identifiers such as:
  •    Names
  •    Geographic subdivisions smaller than a state
  •    All elements of dates
  •    SSNs
•  Not discussing PHI with anyone, other than those
   directly responsible for providing health care (provider,
   clinician, technician, etc.)
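As an added illustration of the identifier stripping listed above (example code, not part of the original training deck), a small Python routine that drops the listed identifier fields from a constructed patient record, redacts SSNs and dates embedded in free text, and runs a release check; the field names, regular expressions and sample values are assumptions:

```python
# Added example (not from the training deck): strip the identifier classes the
# slide lists: names, geographic subdivisions smaller than a state, all date
# elements, and SSNs. Field names and the sample record are constructed.
import re
from copy import deepcopy

NAME_FIELDS = {"first_name", "last_name", "emergency_contact"}
SUBSTATE_GEO_FIELDS = {"street", "city", "zip"}  # the state itself may remain
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}
SSN_FIELDS = {"ssn"}
LISTED_FIELDS = NAME_FIELDS | SUBSTATE_GEO_FIELDS | DATE_FIELDS | SSN_FIELDS

# The same identifiers also turn up inside free text such as clinical notes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DATE_RE = re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")


def scrub_text(text: str) -> str:
    """Redact SSNs and dates embedded in a free-text field."""
    return DATE_RE.sub("[DATE REMOVED]", SSN_RE.sub("[SSN REMOVED]", text))


def deidentify(record: dict) -> dict:
    """Copy of the record with listed identifier fields dropped and
    free-text fields scrubbed; the input record is left unchanged."""
    out = deepcopy(record)
    for field in LISTED_FIELDS:
        out.pop(field, None)
    return {k: scrub_text(v) if isinstance(v, str) else v for k, v in out.items()}


def residual_identifiers(record: dict) -> list:
    """Release check: names of fields that still carry a listed identifier."""
    leaks = {f for f in record if f in LISTED_FIELDS}
    for field, value in record.items():
        if isinstance(value, str) and (SSN_RE.search(value) or DATE_RE.search(value)):
            leaks.add(field)
    return sorted(leaks)


# Constructed sample record with fictional values.
SAMPLE = {
    "first_name": "Jane", "last_name": "Doe", "ssn": "123-45-6789",
    "street": "12 Elm St", "city": "Springfield", "state": "IL", "zip": "62701",
    "date_of_birth": "1980-03-14", "admission_date": "2023-11-02",
    "diagnosis": "Type 2 diabetes",
    "note": "Seen 11/02/2023; SSN 123-45-6789 on file; follow-up in 2 weeks.",
}
```

Running `residual_identifiers(deidentify(SAMPLE))` should return an empty list before a record is released; a non-empty result means a listed identifier survived in a field the routine does not know about.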
PATIENT’S RIGHTS

•  Patients have the right to obtain and amend their PHI, and to:
       Request restrictions on uses and disclosures,
       Request more confidential communications,
       Receive an accounting of disclosures,
       Complain about privacy violations
•  Use and disclosure of PHI:
       Patients are entitled to know how their PHI will be
       used and who will receive their PHI.
•  Patients have a right to see privacy disclosures regarding
   their PHI
SPECIAL RULES OF HIPAA

•  Special rules for certain types of entities:
    •  Some Covered Entities have additional privacy
       regulations covering areas like directories, marketing
       and fund raising.
•  Administrative requirements of Covered Entities may
   involve detailed record-keeping and procedural compliance
   obligations.
ENFORCEMENT OF HIPAA

•  There are potential penalties and fines for
   noncompliance.
  •  Penalties start at $100 and can be as high as $25,000 per year
•  If an employee or patient makes a complaint, it will be
   investigated, and if necessary, subsequent corrective
   action will follow.
•  Covered Entities or programs will have a process to
   receive and investigate complaints.
ANTI-RETALIATION POLICY

•  Retaliation against anyone who may file a complaint is
   strictly prohibited
•  Individuals may file a complaint with either the Covered
   Entity or the U.S. Department of Health and Human
   Services.
REASONABLE PHYSICAL AND TECHNOLOGICAL SAFEGUARDS


•  Telephones – How do you know the person you are
   talking to is authorized to receive an employee’s PHI?
•  Disposing of PHI – When you dispose of PHI (both hard
   copy and electronic) how can you be certain that it is
   appropriately destroyed?
•  E-mail – How can you be sure PHI is secure when it’s
   sent via e-mail?
•  Fax machines – When faxing PHI, how can you be sure
   the right person will read it on the other end?
•  Mail – Sending PHI through the mail may have
   restrictions.
•  Storing PHI – Safeguarding PHI on computer databases,
   file cabinets, even laptop computers will have to follow
   procedure.
WHAT DOES THIS MEAN TO YOU?


•  Do not let anyone use your username and password
•  Log off of your computer when you walk away from it
•  Do not use anyone else’s username and password
•  Do not discuss private health information of any patient outside of
   the care setting
•  Do not discuss private health information of any patient with
   someone other than a direct care giver
•  Do not look up any health records, unless it is a patient under your
   care and the information is for the purpose of providing patient care
•  Do not look up your own private health information