What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law covering healthcare and health insurance industries. HIPAA addresses a number of topics, including access to health insurance, standardizing electronic healthcare-related records, and protecting the privacy and security of health data, which HIPAA calls protected health information (PHI).

As a federal law, HIPAA mandates that PHI (also referred to as ePHI when it is in electronic form) must be protected in order to maintain the privacy and confidentiality of patients’ medical information. This mandate is addressed in two key HIPAA provisions: the Privacy Rule and the Security Rule. The Department of Health and Human Services (HHS) summarizes each rule as follows:

  • Privacy Rule: The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used. A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing.
  • Security Rule: The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information.”

For more on these two rules, please visit the following HHS sites:

How Do I Abide by the Privacy Rule?

The HIPAA Privacy Rule states that PHI may be used and disclosed to facilitate treatment, payment, and healthcare operations (TPO), which means:

  • PHI may be disclosed to other providers for treatment.
  • PHI may be disclosed to other covered entities for payment.
  • PHI may be disclosed for certain approved healthcare activities (healthcare operations), such as quality assessment, credentialing, and compliance.
  • PHI may be disclosed to individuals involved in a patient’s care or payment for care, unless the patient objects.

When HIPAA permits the use or disclosure of PHI, the covered entity must use or disclose only the minimum necessary PHI required to accomplish the business purpose of the use or disclosure. Even when PHI is used or disclosed for appropriate business purposes, if the PHI is not limited to the minimum necessary, it is a HIPAA violation. The only exceptions to the minimum necessary standard are those times when a covered entity is disclosing PHI for the following reasons:

  • Treatment
  • Purposes for which a patient authorization is signed
  • Disclosures required by law
  • Sharing information with the patient about himself/herself

To ensure that the requirements of the Privacy Rule are met, UAB has adopted a set of Privacy Core Policies that include the following:

  • HIPAA Administration
  • Use & Disclosure of Health Information
  • Use & Disclosure of Health Information for Marketing
  • Use & Disclosure of Health Information for Fundraising
  • Use & Disclosure of Identifiable Health Information for Research
  • Patient Health Information Rights

How Do I Abide by the Security Rule?

The Security Rule and its associated regulations contain 18 standards that must be met in order to provide the appropriate security safeguards to protect the confidentiality, integrity, and availability of patients’ PHI. These regulations address a number of issues regarding the protection of PHI. Examples of such issues include, but are not limited to, the following:

  • Prohibition of downloading or copying PHI to portable media or a mobile device (laptops, tablets, smartphones, etc.) without documented prior approval from senior management.
  • Conducting a thorough risk assessment at least every two years.
  • Requiring all hard drives that contain PHI to be encrypted.
  • Using secure transmission methods and protocols when sending PHI to authorized parties for legitimate, authorized sharing of PHI.

To ensure that the requirements of the Security Rule are met, UAB has adopted a set of Security Core Policies that include the following:

  • Media Reallocation and Disposal
  • Information System Account Management
  • Internet and eMail Use
  • Information Systems & Network Access
  • Contingency Planning
  • Risk Analysis and Management of EPHI
  • Information Security and Privacy Incident Response
  • Use of Portable Devices

In addition to those policies, UAB also has adopted the Data Protection Rule, which describes security requirements that must be followed in order to protect Restricted/ePHI data.

What is PHI?

PHI is individually identifiable health information, including demographic information, that is:

  • Created, received, transmitted, or maintained by a healthcare provider, health plan, or healthcare clearinghouse, and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or past, present, or future payment for the provision of healthcare to the individual, and
  • Can be used to identify the individual.

HIPAA mandates that PHI must be protected in both physical and digital form. Such information is classified as Restricted/PHI by UAB’s Data Classification Rule. Examples of HIPAA/PHI data that must be protected include:

  • Names
  • Postal address information (any address information smaller than state of residence)
  • Dates
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security Numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web universal resource locators (URLs)
  • Internet protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images

PHI can appear in a number of different formats. Examples of media on which PHI can appear include, but are not limited to, the following:

  • Written documentation and all paper records, including prescription labels and ID bracelets
  • Spoken and verbal information, including discussions with or about patients, and voice mail messages
  • Electronic information stored on a computer, laptop, mobile device, USB drive, or other electronic media
  • X-rays, photographs, and digital images

What UAB Entities are Covered by HIPAA?

Per UAB’s HIPAA Administration Policy, HIPAA mandates apply to all UAB “covered entities” that create, receive, transmit, or maintain PHI in its various forms. A covered entity is defined as one of the following:

    Health Care Provider

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

    Health Plan

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military/veterans health care programs

    Health Care Clearinghouse

  • Entities that process nonstandard health information received from another entity into a standard (i.e., standard electronic format or data content)

UAB’s HIPAA Administration policy defines the following organizations as covered entities:

    UAB Campus

  • School of Dentistry
  • School of Health Professions
  • School of Nursing
  • School of Optometry
  • Joint Health Sciences Departments
  • UAB Health Plans
  • Education’s Community Clinic

    UAB Medicine

  • UAB Hospital
  • The Kirklin Clinic of UAB Hospital
  • UA Health Services Foundation
  • School of Medicine
  • Callahan Eye Hospital and Clinics
  • VIVA Health
  • Ophthalmology Services Foundation
  • Medical West

Does HIPAA Apply to Researchers?

Yes, it can. Even if a researcher and his/her project are not tied to a UAB covered entity, they must comply with HIPAA if their research involves PHI as defined by UAB and/or any sponsoring agency tied to a contract or grant. In such situations, researchers must abide by all HIPAA requirements and UAB policies and standards regarding HIPAA and the protection of PHI.

At UAB/UABHS, research is a use of PHI. UAB/UABHS HIPAA-covered entities are permitted to use or disclose PHI for research purposes if the Institutional Review Board (IRB) has approved the research. IRB approval is granted under one or more of the following conditions:

  1. A signed patient authorization is recorded.
  2. The research is decedent research.
  3. The process is preparatory to research.
  4. The research utilizes a Limited Data Set with a Data Use Agreement.
  5. The IRB grants a waiver for the required patient/participant signed authorization.

Principal investigators or designated researchers must provide a copy of the fully executed IRB approval form to the covered entity holding the data before the data can be released for research. As a rule, investigators should first contact Health Information Management for PHI to be used for IRB-approved research.

Often principal investigators are also clinicians. Therefore, additional guidance must be followed when recruiting patients for research activities:

  • Principal investigators or their designees should not use their clinical access to search patient records for potential research participants.
  • Physicians who are involved in research activities may contact only their own patients when recruiting for research studies.

For more on research and HIPAA, visit UAB’s HIPAA web site. Note: Users must be on either the UAB or UABMC network to access this site. Researchers also can refer to the Use & Disclosure of Identifiable Health Information for Research policy and the HIPAA Handbook for Researchers at UAB.

What is the Penalty for Non-Compliance?

The Department of Health and Human Services (HHS), through the Office for Civil Rights, enforces a tiered civil penalty system for non-compliance with the HIPAA Privacy and Security Rules. The following actions could occur should a non-compliance issue arise:

  • Monetary penalties that range from $100 to $1.65 million per violation could be assessed, depending on the circumstances.
  • HHS must investigate any complaint that could indicate a violation due to willful neglect, and must impose penalties if such neglect is confirmed.
    • “Willful neglect” is defined as “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA.
  • State attorneys general also can pursue civil suits against persons who violate HIPAA.

The U.S. Department of Justice is responsible for enforcing criminal penalties for non-compliance with the HIPAA Privacy Rule. Criminal penalties for “wrongful disclosure” include both large fines of $50,000 to $250,000 and up to 10 years in prison. Examples of wrongful disclosures include accessing health information under false pretenses, releasing patient information with harmful intent, or selling PHI.

Note: Penalties and fines apply to members of the workforce and other individuals, not just to the covered entities.

In addition to the federal and state penalties and fines, members of the UAB/UABHS workforce are subject to disciplinary action, up to and including termination of employment or assignment, for non-compliance with HIPAA privacy and security regulations, policies, and procedures.

Can PHI be Shared with a Third Party?

A covered entity can share PHI with a third party, but that party must be an authorized Business Associate (BA) and there are requirements and stipulations on how PHI can be shared. According to UAB HIPAA policies, a BA is defined as the following:

  • A person or entity (other than an employee of a UAB covered entity) who performs a function or activity involving the use or disclosure of protected health information, including, but not limited to, claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, for or on behalf of a UAB covered entity. A Business Associate of one UAB covered entity does not become a Business Associate of any other UAB covered entity simply by virtue of the UAB affiliation.

Examples of BAs include an electronic patient record vendor or a company that shreds physical media that contain PHI.

In order to share PHI with a BA, a UAB covered entity must execute a signed Business Associate Agreement (BAA) with the third party before the PHI can be shared. According to UAB HIPAA policies, a BAA is defined as the following:

  • A legal agreement between UAB and the Business Associate that outlines how the Business Associate will protect the PHI that they store, process, or transmit on behalf of UAB. This is an additional document separate from the contract.

The BAA binds the third-party individual or vendor to the HIPAA regulations when performing the contracted services for or on the behalf of UAB. All BAAs must be approved in accordance with appropriate UAB/UABHS policies and procedures, and they must be fully executed (have all signatures in place) before any PHI can be released to the third party. Steps must be taken to ensure that all PHI shared with an approved BA is secured appropriately and satisfies both the Privacy and Security rules.

For more on HIPAA, BAs and BAAs, and the associated forms, visit UAB’s HIPAA web site. Note: Users must be on either the UAB or UABMC network to access this site.

What is a Breach?

A breach is defined by UAB as an impermissible use or disclosure of PHI that compromises the security or privacy of the information. Examples of a breach include, but are not limited to:

  • Looking up a friend in the EHR without a work-related purpose to view his/her medical information,
  • Talking about a patient with an employee who does not work with that patient,
  • Discussing with a patient his/her medical condition in front of visitors without first asking his/her permission to do so,
  • Entering an incorrect fax number so that documents containing PHI go to an unapproved recipient rather than the physician’s office,
  • Giving a patient the depart or discharge summary belonging to another patient, or
  • Posting information about a patient on Facebook or other social media site.

If a potential breach has occurred, report it to any of the following:

  • Your supervisor,
  • Your HIPAA Entity Privacy Coordinator (EPC) or your HIPAA Entity Security Coordinator (contact information can be found at UAB’s HIPAA web site),
  • The appropriate information system Help Desk (AskIT or HSIS Help Desk),
  • The Privacy Office, the Information Security Office, the Office of UAB Medicine Compliance, or the Office of University Compliance,
  • The Institutional Review Board (IRB) if research data are involved, or
  • The UAB Ethics Hotline: 1-866-362-9476.