HIPAA requires healthcare providers to protect individuals' protected health information (PHI). PHI includes any health information like names, dates, diagnoses, and other identifiable details. HIPAA sets rules for appropriate access, use, and disclosure of PHI. Violations can result in criminal penalties such as fines up to $250,000 or imprisonment up to 10 years. The document reviews key HIPAA concepts like what is considered PHI, how PHI can be used, and requirements for safeguarding electronic and written PHI.

1. Health Insurance
Portability and
Accountability Act (HIPAA)
Training
Karen Meyer, RN, BSN, CIC
MHA690 – Healthcare Capstone
Ashford University
Instructor: Hwang-Ji Lu
February 28, 2013

2. What is HIPAA?
O HIPAA requires health care providers and
organizations, as well as their business
associates, to develop and follow procedures
that ensure the confidentiality and security
of protected health information (PHI) when it
is transferred, received, handled, or shared
(California Department of Healthcare
Services, n.d.).
O This applies to all forms of PHI, including
written, oral, electronic, photographic
images, audio, and video.

3. What is PHI?
O Any individually identifiable health
information:
O Created or received by covered entity or
business associate.
O Relates to past, present, or future
physical or mental health or condition of
an individual.
O Transmitted in any form or medium.

4. Examples of PHI
Device
identifiers
and serial
numbers
Social
Email
security Account
addresses URLs
numbers numbers
Names
Photographs
Medical
Fax IP
record License
numbers address
Geographical numbers numbers
identifiers numbers
Any other
unique
Health identifying
Phone Insurance Vehicle Biometric number
Dates numbers numbers identifiers identifiers

5. HIPAA Enforcement and Penalties
O The Department of Health and Human Services,
Office for Civil Rights (OCR) is responsible for
enforcing privacy rule standards.
O Criminal Penalties:
Wrongfully accessing or disclosing PHI Up to $50,000 Up to 1 year imprisonment
Obtaining PHI under false pretenses Up to $100,000 Up to 5 years imprisonment
If wrongful conduct involves the intent Up to $250,000 Up to 10 years imprisonment
to sell, transfer, or use PHI for
commercial advantage, personal gain,
or malicious harm
Reference: U.S. Department of Health & Human Services (2003).

6. HIPAA Permitted Uses and
Disclosures of PHI
O PHI may be used and disclosed to facilitate treatment,
payment, and healthcare operations which means:
O HI may be disclosed to other providers for treatment.
O PHI may be disclosed to other covered entities for
payment.
O PHI may be disclosed to other covered entities that
have a relationship with the patient for certain
healthcare operations such as quality improvement,
credentialing, and compliance.
O PHI may be disclosed to individuals involved in a
patient’s care or payment for care unless the patient
objects.

7. Rules for Access
O Access to computer systems and information is
based on your work duties and responsibilities.
O Access privileges are limited to only the minimum
necessary information you need to do your work.
O Access to an information system does not
automatically mean that you are authorized to view
or use all the data in that system.
O If job duties change, clearance levels for access to
ePHI is re-evaluated.
O Access is eliminated if employee is terminated.
O Accessing ePHI for which you are not cleared or for
which there is no job-related purpose will subject you
to sanctions.

8. Rules for Protecting Information
O Do not allow unauthorized persons into restricted areas
where access to PHI or ePHI could occur.
O Arrange computer screens so they are not visible to
unauthorized persons and/or patients; use security screens
in areas accessible to public.
O Log in with password, log off prior to leaving work area, and
do not leave computer unattended.
O Close files not in use/turn over paperwork containing PHI.
O Do not duplicate, transmit, or store PHI without appropriate
authorization.
O Storage of PHI on unencrypted removable devices
(Disk/CD/DVD/Thumb Drives) is prohibited without prior
authorization.

9. Conclusion
O All employees are required to follow
HIPAA and will be held accountable for
their actions.
O ALWAYS follow the rules for access and
rules for protecting information.

10. References
California Department of Healthcare Services. (n.d.).
Health insurance portability and accountability
act. Retrieved from
http://www.dhcs.ca.gov/formsandpubs/laws/hipaa
/Pages/1.00%20WhatisHIPAA.aspx
U.S. Department of Health and Human Services.
(2003). Summary of the HIPAA privacy rule.
Retrieved from
http://www.hhs.gov/ocr/privacy/hipaa/understandi
ng/summary/privacysummary.pdf