
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Overview – HIPAA Privacy and Security
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs the use and disclosure of individually identifiable health information, known as protected health information (PHI), that is created or received by covered entities.
The University of Colorado is a covered entity that has elected hybrid status, meaning it is a single legal entity with some components that are covered under HIPAA and others that are not. HIPAA Affected Areas are those units at UCCS that have access to PHI, as defined by HIPAA, because the unit is a designated health care component (a health care provider or a health plan), provides services to covered components and receives PHI in order to perform those services, or uses PHI for education or research purposes. The designated health care components for UCCS are listed in Exhibit A of the “HIPAA Hybrid Entity Designation” Administrative Policy Statement. Every location listed in Exhibit A is a covered health care component and must comply with the HIPAA rules and regulations.
Key Concepts:
HIPAA designated healthcare components must safeguard PHI during storage, use and disclosure. These safeguards apply to the Privacy and Security of the data and must include:
- Administrative Safeguards (e.g. policies, procedures, training, contractual agreements)
- Physical Safeguards (e.g. doors, privacy curtains, locking cabinets)
- Technical Safeguards (e.g. password protected computers, encryption)
Individuals have the following rights with respect to their PHI:
- Notice of Privacy Practices (how their information may be used and disclosed)
- Inspect and copy their PHI
- Accounting of Disclosures (a record of disclosures of their PHI made for purposes other than treatment, payment and health care operations (TPO) and without their authorization)
- Request to amend their record
- Request confidential communications
- Request restrictions on certain uses and disclosures
- Authorize certain uses and disclosures, such as for research purposes
- File a complaint
To complete the UCCS HIPAA training course in Skillsoft:
- Select the Skillsoft tile on the home page
- Once in Skillsoft, select Library from the top of the screen and select UCCS, or use the UCCS tile from the home page
- Select the HIPAA folder, then select CU: HIPAA Regulations – UCCS and click LAUNCH
Frequently Asked Questions
What is HIPAA?
HIPAA was enacted in 1996 to improve the efficiency and effectiveness of the health care system. It requires many things, including the standardization of electronic patient health, administrative and financial data. Under the original law, the Department of Health and Human Services (HHS) published an additional regulation, the Privacy Rule, with which most covered entities had to comply by April 14, 2003. The Privacy Rule protects the privacy of certain individually identifiable health information by establishing conditions for its use and disclosure by health plans, health care clearinghouses, and those health care providers that transmit health information electronically.
The HIPAA Privacy Rule:
- Establishes conditions under which PHI can be used within a Covered Entity and disclosed to others outside that entity;
- Grants individuals certain rights regarding their PHI;
- Requires that Covered Entities maintain the privacy and security of PHI.
HIPAA also establishes security and privacy standards for the use and disclosure of "protected health information" (PHI).
What is a covered entity?
A covered entity is (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider (e.g., a group practice or solo practitioner) that transmits any health information in electronic form in connection with a HIPAA standard transaction. Business associates, the vendors and contractors that create, receive, maintain or transmit PHI on a covered entity's behalf, are not themselves covered entities, but they are bound by a business associate agreement and, since the HITECH Act, are directly liable for complying with the Security Rule and with the Privacy Rule provisions that apply to them. The Privacy Rule allows covered entities to designate themselves as “hybrid entities” with selected parts subject to the requirements of the Privacy and Security Rules. The University of Colorado is a covered entity that has chosen hybrid status, so only certain areas of the University must comply directly with HIPAA. The UCCS HealthCircle Clinics are covered health care components of the University's covered entity.
Is the UCCS Wellness Center a HIPAA covered entity?
No. The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). See 45 CFR § 160.102. Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan. See the definition of “transaction” at 45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R. Thus, even though the Wellness Center employs school nurses, physicians, psychologists, or other health care providers, the center is not a HIPAA covered entity because its providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services.
Can a covered health care provider share a student's PHI with a school nurse without authorization?
Yes. The HIPAA Privacy Rule allows covered health care providers to disclose PHI about students to school nurses, physicians, or other health care providers for treatment purposes, without the authorization of the student or the student’s parent. For example, a student’s primary care physician may discuss the student’s medication and other health care needs with a school nurse who will administer the student’s medication and provide care to the student while the student is at school. In addition, a covered health care provider may disclose proof of a student's immunizations directly to a school nurse or other person designated by the school to receive immunization records if the school is required by State or other law to have such proof prior to admitting the student, and a parent, guardian, or other person acting in loco parentis has agreed to the disclosure. See 45 CFR 164.512(b)(1)(vi).
Can a health care provider leave a message on a patient's answering machine or with a family member?
Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail, by phone, or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.
A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home are also considered to be reasonable requests, absent extenuating circumstances. See 45 CFR 164.522(b).
Can PHI be disclosed in a group therapy session or a family discussion without the individual's authorization?
Yes. Disclosures of protected health information in a group therapy setting are treatment disclosures and, thus, may be made without an individual’s authorization. Furthermore, the HIPAA Privacy Rule generally permits a covered entity to disclose protected health information to a family member or other person involved in the individual’s care. Where the individual is present during the disclosure, the covered entity may disclose protected health information if it is reasonable to infer from the circumstances that the individual does not object to the disclosure. Absent countervailing circumstances, the individual’s agreement to participate in group therapy or family discussions is a good basis for inferring the individual’s agreement.
Does the Privacy Rule change how a person grants a health care power of attorney?
No. Nothing in the Privacy Rule changes the way in which an individual grants another person power of attorney for health care decisions. State law (or other law) regarding health care powers of attorney continues to apply. The intent of the provisions regarding personal representatives was to complement, not interfere with or change, current practice regarding health care powers of attorney or the designation of other personal representatives. Such designations are formal, legal actions which give others the ability to exercise the rights of, or make treatment decisions related to, an individual. The Privacy Rule provisions regarding personal representatives generally grant persons who have authority to make health care decisions for an individual under other law the ability to exercise the rights of that individual with respect to health information.
Can I send PHI using my UCCS email account?
No. UCCS email is not an approved encrypted channel for PHI. When you need to send PHI, use LionShare instead.
Here’s a link to UCCS’ LionShare page: https://oit.uccs.edu/services/file-transfer-and-storage/lionshare
How do I protect PHI on computers and mobile devices?
- Ensure your computer is encrypted.
- If you use a mobile device to access PHI, the device (regardless of who owns it) must be encrypted.
- Do not store PHI on the local hard drive.
- If you use a laptop, do not leave it where it can easily be taken.
- If possible, do not remove PHI from the premises.
What are the requirements for disposing of PHI?
The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. See 45 CFR 164.530(c). This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as procedures for removing electronic PHI from electronic media before the media are made available for re-use. See 45 CFR 164.310(d)(2)(i) and (ii). Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.
Further, covered entities must ensure that their workforce members receive training on and follow the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member. See 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers. See 45 CFR 160.103 (definition of “workforce”).
Thus, covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.
In general, examples of proper disposal methods may include, but are not limited to:
- For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
- Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
- For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
For more information on proper disposal of electronic PHI, see the HHS HIPAA Security Series 3: Security Standards – Physical Safeguards. In addition, for practical information on how to handle sanitization of PHI throughout the information life cycle, readers may consult NIST SP 800-88, Guidelines for Media Sanitization.
Other methods of disposal also may be appropriate, depending on the circumstances. Covered entities are encouraged to consider the steps that other prudent health care and health information professionals are taking to protect patient privacy in connection with record disposal. In addition, if a covered entity is winding up a business, the covered entity may wish to consider giving patients the opportunity to pick up their records prior to any disposition by the covered entity (and note that many states may impose requirements on covered entities to retain and make available for a limited time, as appropriate, medical records after dissolution of a business).
What is de-identified data, and how is data de-identified?
De-identified data are not subject to the requirements of the Privacy and Security Rules because the data are not individually identifiable and are not considered PHI. There are two ways to de-identify data:
- Safe Harbor Method – in which all of the following 18 elements are removed from a data set:
- Names
- Geographic subdivisions smaller than a state (street address, city, county, precinct and ZIP code; Safe Harbor allows keeping only the first three digits of a ZIP code, and only when the area sharing those three digits has more than 20,000 people)
- Elements of dates (except year), ages over 89 years
- Telephone #s
- Fax #s
- E-mail address
- Social Security #
- Medical record, prescription #s
- Health plan beneficiary #s
- Account #s
- Certificate/license #s
- VIN and Serial #s, license plate #s
- Device identifiers, serial #s
- Web URLs
- IP address #s
- Biometric identifiers (e.g., fingerprints and voiceprints)
- Full face, comparable photo images
- Unique identifying #s
If all 18 identifiers listed above are removed, and the covered entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual (45 CFR 164.514(b)(2)(ii)), the information is no longer:
- Individually identifiable,
- PHI, and
- Subject to HIPAA's requirements.
- Statistical Method (also called Expert Determination) – in which a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines and documents that there is a “very small” risk that the information could be used by the recipient, alone or in combination with other reasonably available information, to identify the individual who is the subject of the information. For more information see HHS Guidance for De-identification of Protected Health Information.
"Anonymous" data are not necessarily considered de-identified under HIPAA. Anonymity under the federal Common Rule requires that individuals cannot be readily ascertained by the investigator and cannot be associated with the data. According to the Common Rule standard, anonymous data may retain dates of treatment. Under HIPAA's more stringent requirements, however, such data would be considered identifiable data.
What is a Limited Data Set?
Some studies may need to retain a limited number of identifiers and, thus, not meet the strict HIPAA definition of "de-identified data." However, these studies may present only minimal potential for identifying participants based on the data set. In such circumstances, HIPAA permits use of a "Limited Data Set" for research purposes. A Limited Data Set is PHI that excludes "direct identifiers" of the individual, relatives of the individual, employers, or household members.
A limited data set must exclude all direct identifiers such as:
- Names
- Street Addresses or P.O. Box Numbers
- Phone and Fax Numbers
- Email Addresses
- Social Security Numbers
- Medical Record Numbers
- Health Plan Numbers
- Account Numbers
- Certificate/Licenses Numbers
- Vehicle Identifiers/License Plates
- Device Identifiers
- Web URLs
- IP address numbers
- Biometric identifiers (e.g., fingerprints and voiceprints)
- Full-face photographs and comparable images
A limited data set may include one or more of the following:
- Towns
- Cities
- States
- ZIP codes and their equivalent geocodes. (The 20,000-person population threshold belongs to the Safe Harbor method's three-digit ZIP exception in 45 CFR 164.514(b)(2)(i)(B); a Limited Data Set may retain the full ZIP code.)
- Dates including birth and death
- Other unique identifying numbers, characteristics, or codes that are not expressly excluded, as long as they cannot be used to identify a specific individual (e.g., “four-time NFL MVP” describes only one person, so it could not be used)
- Relevant medical information
A Limited Data Set may be used only for purposes of research, public health, or health care operations. Under the Privacy Rule, use or disclosure of limited data sets for research purposes requires a "Data Use Agreement."
A Limited Data Set may be used only if the covered entity providing the data and the recipient of the data first enter into a Data Use Agreement. The investigator, the holder of the PHI, and their respective institutions, must sign Data Use Agreements, either for access to a Limited Data Set or for the release of a Limited Data Set. At UCCS, the Office of Legal Counsel and Compliance will assist with the completion of these agreements. These agreements must, among other things, establish the permitted uses and disclosures of the information included in the Limited Data Set and must provide that the recipient of the Limited Data Set will not identify the information or use it to contact individuals.
As with research conducted pursuant to an authorization, disclosure(s) of PHI that are part of a Limited Data Set need not be tracked for purposes of providing an accounting to an individual.
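To make the two tiers concrete, here is an added example (my own code, not code from UCCS or HHS) that applies the Safe Harbor removals listed above and the Limited Data Set exclusions to a single record, then checks whether the result is de-identified. The record schema (field names such as mrn, admit_date and note), the sample record and the regular expressions are assumptions chosen for the example; the three-digit ZIP exception and the expert-determination path are not implemented, so this is the strict remove-everything form of Safe Harbor. It also shows why a Common Rule "anonymous" record that keeps a treatment date fails the HIPAA check, and why a field-level scrub needs a free-text pass as well.

```python
import re
from datetime import date
from typing import Any

# Direct identifiers dropped by BOTH a Limited Data Set and Safe Harbor.
# The keys are an assumed record schema chosen for this example.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vin",
    "license_plate", "device_serial", "url", "ip_address",
    "biometric_id", "face_photo",
})
# Safe Harbor also drops geography below state level and every date
# element except the year; a Limited Data Set may keep all of these.
GEOGRAPHIC = frozenset({"city", "state", "zip"})
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date"})

# Identifiers that often survive a field-level scrub inside free text (illustrative patterns).
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def redact_free_text(text: str, keep_dates: bool) -> str:
    """Replace leaked identifiers in a string; dates survive only for a Limited Data Set."""
    for label, pat in LEAK_PATTERNS.items():
        if label == "date" and keep_dates:
            continue
        text = pat.sub(f"[{label.upper()} REMOVED]", text)
    return text


def limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Drop direct identifiers only; dates, city/state/ZIP and clinical content stay (still PHI)."""
    return {
        k: redact_free_text(v, keep_dates=True) if isinstance(v, str) else v
        for k, v in record.items()
        if k not in DIRECT_IDENTIFIERS
    }


def safe_harbor(record: dict[str, Any]) -> dict[str, Any]:
    """Apply the strict form of the 18-element Safe Harbor removals."""
    over_89 = isinstance(record.get("age"), int) and record["age"] > 89
    out: dict[str, Any] = {}
    for k, v in record.items():
        if k in DIRECT_IDENTIFIERS or k in GEOGRAPHIC:
            continue
        if k == "age" and over_89:
            continue  # ages over 89 are removed
        if k in DATE_FIELDS and isinstance(v, date):
            # Keep only the year. For a patient over 89 the birth year itself
            # reveals the age, so it goes too (45 CFR 164.514(b)(2)(i)(C)).
            if not (k == "dob" and over_89):
                out[k + "_year"] = v.year
            continue
        out[k] = redact_free_text(v, keep_dates=False) if isinstance(v, str) else v
    return out


def is_safe_harbor_deidentified(record: dict[str, Any]) -> bool:
    """True only when no identifier field, full date, age over 89 or leaked pattern remains."""
    if set(record) & (DIRECT_IDENTIFIERS | GEOGRAPHIC | DATE_FIELDS):
        return False
    if any(isinstance(v, date) for v in record.values()):
        return False
    if isinstance(record.get("age"), int) and record["age"] > 89:
        return False
    return not any(
        pat.search(v)
        for v in record.values() if isinstance(v, str)
        for pat in LEAK_PATTERNS.values()
    )


# Constructed sample record for the demonstration; not real patient data.
SAMPLE = {
    "name": "Jane Q. Example",
    "ssn": "123-45-6789",
    "city": "Colorado Springs",
    "state": "CO",
    "zip": "80918",
    "dob": date(1931, 3, 14),
    "age": 93,
    "admit_date": date(2024, 5, 2),
    "diagnosis": "J18.9 pneumonia",
    "note": "Callback 719-555-0100; labs reviewed 05/02/2024.",
}

if __name__ == "__main__":
    print("Limited Data Set:", limited_data_set(SAMPLE))
    print("Safe Harbor:", safe_harbor(SAMPLE))
    anonymous = {"age": 45, "admit_date": date(2024, 5, 2), "diagnosis": "J18.9"}
    print("Common Rule 'anonymous' record passes Safe Harbor?", is_safe_harbor_deidentified(anonymous))
```

Two design points are worth noting. First, the Limited Data Set output still contains dates and a ZIP code, so it remains PHI and may only leave the covered entity under a Data Use Agreement; the Safe Harbor output has no such constraint but has also lost most of its analytic value, which is the trade-off the expert-determination path exists to manage. Second, removing identifier fields is not enough: the phone number typed into the clinical note survives a purely field-level scrub, which is why the example runs a pattern pass over every string and why a real pipeline would use a proper clinical NLP de-identifier rather than a handful of regular expressions.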
What is the Minimum Necessary Standard?
Under the HIPAA Privacy Rule, when using or disclosing PHI, or when requesting PHI from another covered entity, a covered entity must take reasonable steps to limit the use, disclosure or request to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." The standard applies to uses and disclosures for payment, health care operations and research; it does not apply to disclosures to, or requests by, a health care provider for treatment. Even when accessing PHI for research under an authorization, the researcher must limit the information requested in the authorization to the minimum necessary.
The HITECH Act further provides that a use or disclosure of PHI that does not comply with the minimum necessary standard is an impermissible use or disclosure and could be considered a breach.
When is health-related information considered PHI for research purposes?
Health-related information is PHI if any of the following is true:
- The researcher obtains the records directly from a health plan, health care clearinghouse, or health care provider;
- The records were created by one of those covered entities and the researcher obtains them from an intermediate source; OR
- The researcher obtains the information directly from the study subject in the course of providing treatment to the subject.
Forms
Activities Preparatory to Research - Request for Waiver of Authorization Fill-In Form (PDF)
Authorization to Release and/or Obtain Patient Information and Referral Fill-In Form (PDF)
Authorization to Use or Disclose Identifiable Health Information for Research
Approval of Request to Amend Medical or Billing Records (PDF)
Business Associates Agreement
Data Use Agreement (PDF)
Denial of Request to Amend Healthcare Information Form (PDF)
HealthCircle Notice of Privacy Practices (PDF)
HIPAA Authorization for Release of Health Information – Media
HIPAA Security Workbook
HIPAA Walkthrough Checklist
PHI Disclosure Accounting Log (PDF)
Privacy - Security Incident Fill-In Form (PDF)
Request for Alternate Means of Communication of Confidential Medical Information (PDF)
Request for Amendment of Health Information Instructions and Fill-in Form (PDF)
Request for Accounting of Disclosures of Protected Health Information Fill-in Form (PDF)
Request for Waiver of Elements of Authorization or an Altered Authorization Fill-In Form (PDF)
Request to Restrict Uses or Disclosures of Personal Medical Records (PDF)
Request to View or Obtain Copy of Personal Medical Records (PDF)
Required Representations for Research on Decedents Information Fill-In Form (PDF)
Revocation of Authorization Fill-in Form (PDF)