This document discusses confidentiality in the workplace and summarizes the key points of HIPAA. It explains that HIPAA provides protections for personal health information held by covered entities. It protects individually identifiable health information in any form. Covered entities include health plans, providers, and clearinghouses. Violations of HIPAA can result in civil and criminal penalties such as fines up to $50,000, imprisonment up to 1 year, or greater penalties if violations involved false pretenses or intent to sell health information.

1. Confidentiality in the
Workplace
The purpose of this training is to
discuss how to keep personal patient
information private while in the work
place
What is HIPPA?
Who does this impact?
What are the penalties for
noncompliance?

2. HIPPA Introduction
The HIPAA Privacy Rule provides federal protections for
individually identifiable health information held by
covered entities and their business associates and
gives patients an array of rights with respect to that
information. At the same time, the Privacy Rule is
balanced so that it permits the disclosure of health
information needed for patient care and other important
purposes.
The Security Rule specifies a series of
administrative, physical, and technical safeguards for
covered entities and their business associates to use to
assure the confidentiality, integrity, and availability of
electronic protected health information.
1996

3. WHO

The Privacy Rule, as well as all the
Administrative Simplification
rules, apply to health plans, health
care clearinghouses, and to any
health care provider who transmits
health information in electronic form in
connection with transactions for which
the Secretary of HHS has adopted
standards under HIPAA (the “covered
entities”).

4. WHAT






The Privacy Rule protects all "individually identifiable health
information" held or transmitted by a covered entity or its
business associate, in any form or media, whether
electronic, paper, or oral. The Privacy Rule calls this
information "protected health information (PHI)."12
“Individually identifiable health information” is
information, including demographic data, that relates to:
the individual’s past, present or future physical or mental
health or condition,
the provision of health care to the individual, or
the past, present, or future payment for the provision of health
care to the individual,
and that identifies the individual or for which there is a
reasonable basis to believe it can be used to identify the
individual.13 Individually identifiable health information
includes many common identifiers (e.g., name, address, birth
date, Social Security Number).

5. Penalties for Noncompliance


The Department of Health and Human
Services, Office for Civil Rights (OCR) is
responsible for administering and
enforcing these standards and may
conduct complaint investigations and
compliance reviews.
Covered entities that fail to comply
voluntarily with the standards may be
subject to civil money penalties. In
addition, certain violations of the Privacy
Rule may be subject to criminal

6. More Penalties
A person who knowingly obtains or discloses
individually identifiable health information in
violation of the Privacy Rule may face a
criminal penalty of up to $50,000 and up to
one-year imprisonment. The criminal
penalties increase to $100,000 and up to five
years imprisonment if the wrongful conduct
involves false pretenses, and to $250,000
and up to 10 years imprisonment if the
wrongful conduct involves the intent to
sell, transfer, or use identifiable health
information for commercial
advantage, personal gain or malicious harm.
The Department of Justice is responsible for
criminal prosecutions under the Privacy Rule.

7. References and more
information
U.S. Department of Health and Human
Services
 http://www.hhs.gov/ocr/privacy/hipaa/u
nderstanding/summary/index.html