Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs the use and disclosure of individually identifiable health information, known as protected health information (PHI), that is created or received by covered entities.
The University of Colorado is a covered entity that has chosen hybrid status, meaning it is a single legal entity with components that are covered and non-covered under HIPAA. HIPAA Affected Areas refer to those units at UCCS that have access to PHI, as defined by HIPAA, because the unit is a designated healthcare component (healthcare provider or a health plan), provides services to covered components and as such receives PHI to perform those tasks, or uses PHI for education or research purposes. The designated health care components for UCCS can be found in Exhibit A of the “HIPAA Hybrid Entity Designation” Administrative Policy Statement. The locations listed in Exhibit A are all considered covered entities and therefore all of these areas must comply with HIPAA rules and regulations.
Key Concepts:
HIPAA designated healthcare components must safeguard PHI during storage, use and disclosure. These safeguards apply to the Privacy and Security of the data and must include:
- Administrative Safeguards (e.g. policies, procedures, training, contractual agreements)
- Physical Safeguards (e.g. doors, privacy curtains, locking cabinets)
- Technical Safeguards (e.g. password protected computers, encryption)
Patients have Rights to:
- Notice of Privacy Practices (How their information may be used)
- Inspect & copy PHI
- Accounting of Disclosures (Record of disclosures of PHI for other than TPO & without their permission)
- Request to Amend their record
- Request for Confidential Communications
- Request for Restrictions related to certain uses and disclosures
- Give permission to allow certain uses and disclosures such as for research purposes
- File a Complaint
Training and Education
- Select the Skillsoft tile on the home page
- Once in Skillsoft, select Library from the top of the screen and select UCCS or use the UCCS tile from the home page
- Select the HIPAA folder then select CU: HIPAA Regulations – UCCS and click LAUNCH
Frequently Asked Questions
The Health Insurance Portability and Accountability Act (HIPAA) came into effect on April 14, 2003. Its Privacy Rule protects the privacy of certain individually identifiable health information by establishing conditions for its use and disclosure by health plans, health care clearinghouses, and certain health care providers. HIPAA is designed to improve the efficiency and effectiveness of the health care system and requires many things, including the standardization of electronic patient health, administrative and financial data. In response to the original HIPAA law, Health and Human Services (HHS) published an additional regulation, referred to as the Privacy Rule, that relates directly to organizations involved in health care operations that transmit health information electronically.
The HIPAA Privacy Rule:
- Establishes conditions under which PHI can be used within a Covered Entity and disclosed to others outside that entity;
- Grants individuals certain rights regarding their PHI;
- Requires that Covered Entities maintain the privacy and security of PHI.
HIPAA also establishes security and privacy standards for the use and disclosure of "protected health information" (PHI).
A covered entity is (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider (e.g., group practice, solo practitioner) that transmits any health information in electronic form in connection with health care transactions and (4) their business associates. The Privacy Rule allows covered entities to designate themselves as “hybrid entities” with selected parts subject to the requirements of the Privacy and Security Rules. University of Colorado is a covered entity that has chosen hybrid status. Therefore certain areas of the University have to comply directly with HIPAA. The UCCS HealthCircle Clinics are considered to be covered parts or covered healthcare components of the UCCS covered entity.
A covered entity can use and disclose PHI for Treatment, Payment and Health care Operations (TPO).
• Treatment generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
• Payment encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care. In addition to the general definition, the Privacy Rule provides examples of common payment activities which include, but are not limited to:
- Determining eligibility or coverage under a plan and adjudicating claims;
- Risk adjustments;
- Billing and collection activities;
- Reviewing health care services for medical necessity, coverage, justification of charges, and the like;
- Utilization review activities; and
- Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).
• Health care operations are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities, which are limited to the activities listed in the definition of “health care operations” at 45 CFR 164.501, include:
- Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination;
- Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities;
- Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims
- Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs;
- Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and
- Business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity. See General Provisions at 45 CFR 164.506.
HIPAA does not consider Research part of health care operations and has created special rules for using PHI for research purposes. For additional information related to research please click on the Privacy Board Tab on the Compliance Website.
The UCCS Wellness Center is not a HIPAA covered entity. The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). See 45 CFR § 160.102. Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan. See the definition of “transaction” at 45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R. Thus, even though the Wellness Center employs school nurses, physicians, psychologists, or other health care providers, the center is not a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services.
No. All States have laws that require providers to report cases of specific diseases to public health officials. The HIPAA Privacy Rule permits disclosures that are required by law. Furthermore, disclosures to public health authorities that are authorized by law to collect or receive information for public health purposes are also permissible under the Privacy Rule. In order to do their job of protecting the health of the public, it is frequently necessary for public health officials to obtain information about the persons affected by a disease. In some cases they may need to contact those affected in order to determine the cause of the disease to allow for actions to prevent further illness.
The Privacy Rule continues to allow for the existing practice of sharing protected health information with public health authorities that are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting deaths and births, investigating the occurrence and cause of injury and disease, and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices.
Yes, provided the school is required by law to have proof of immunizations in order to admit the child, and a parent, guardian, or other person acting in loco parentis has agreed to the disclosure. See 45 CFR 164.512(b)(1)(vi). Where the individual who is a student or prospective student is an adult or emancipated minor, the provider may make the disclosure with the agreement of the student herself. In either case, the agreement may be obtained orally or in writing, but must be documented (e.g., by placing in the medical record a copy of a written request, or notation of an oral request, from a parent for the provider to disclose the proof of immunization to the school).
Yes. The HIPAA Privacy Rule allows covered health care providers to disclose PHI about students to school nurses, physicians, or other health care providers for treatment purposes, without the authorization of the student or student’s parent. For example, a student’s primary care physician may discuss the student’s medication and other health care needs with a school nurse who will administer the student’s medication and provide care to the student while the student is at school. In addition, a covered health care provider may disclose proof of a student's immunizations directly to a school nurse or other person designated by the school to receive immunization records if the school is required by State or other law to have such proof prior to admitting the student, and a parent, guardian, or other person acting in loco parentis has agreed to the disclosure. See 45 CFR 164.512(b)(1)(vi).
Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.
A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home are also considered to be reasonable requests, absent extenuating circumstances. See 45 CFR 164.522(b).
Yes. As long as you do not object, your health care provider is allowed to share or discuss your health information with your family, friends, or others involved in your care or payment for your care. Your provider may ask your permission, may tell you he or she plans to discuss the information and give you an opportunity to object, or may decide, using his or her professional judgment, that you do not object. In any of these cases, your health care provider may discuss only the information that the person involved needs to know about your care or payment for your care.
Here are some examples:
- A provider may discuss your treatment in front of your friend when you ask that your friend come into the treatment room.
- Your clinic may discuss your bill with your daughter who is with you at the clinic and has questions about the charges.
- Your provider may talk to your sister who is driving you home from the clinic about your keeping your foot raised during the ride home.
- Your provider may discuss the drugs you need to take with your health aide who has come with you to your appointment.
- Your nurse may tell you that she is going to tell your brother how you are doing, and then she may discuss your health status with your brother if you did not say that she should not.
BUT:
Your nurse may not discuss your condition with your brother if you tell her not to.
Yes. Disclosures of protected health information in a group therapy setting are treatment disclosures and, thus, may be made without an individual’s authorization. Furthermore, the HIPAA Privacy Rule generally permits a covered entity to disclose protected health information to a family member or other person involved in the individual’s care. Where the individual is present during the disclosure, the covered entity may disclose protected health information if it is reasonable to infer from the circumstances that the individual does not object to the disclosure. Absent countervailing circumstances, the individual’s agreement to participate in group therapy or family discussions is a good basis for inferring the individual’s agreement.
No. Nothing in the Privacy Rule changes the way in which an individual grants another person power of attorney for health care decisions. State law (or other law) regarding health care powers of attorney continues to apply. The intent of the provisions regarding personal representatives was to complement, not interfere with or change, current practice regarding health care powers of attorney or the designation of other personal representatives. Such designations are formal, legal actions which give others the ability to exercise the rights of, or make treatment decisions related to, an individual. The Privacy Rule provisions regarding personal representatives generally grant persons who have authority to make health care decisions for an individual under other law the ability to exercise the rights of that individual with respect to health information.
No. Your UCCS email account is not secure or encrypted; therefore, when sending PHI you must use LionShare.
Here’s a link to UCCS’ LionShare page: https://oit.uccs.edu/services/file-transfer-and-storage/lionshare
- Ensure your computer is encrypted.
- If you use a mobile device to access PHI, the device (regardless of ownership) must be encrypted
- Do not store data on the hard drive.
- If you use a laptop do not leave it in places where it can easily be taken.
- If possible, do not remove PHI from the premises.
The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. See 45 CFR 164.530(c). This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. See 45 CFR 164.310(d)(2)(i) and (ii). Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.
Further, covered entities must ensure that their workforce members receive training on and follow the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member. See 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers. See 45 CFR 160.103 (definition of “workforce”).
Thus, covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.
In general, examples of proper disposal methods may include, but are not limited to:
- For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
- Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
- For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
For more information on proper disposal of electronic PHI, see the HHS HIPAA Security Series 3: Security Standards – Physical Safeguards. In addition, for practical information on how to handle sanitization of PHI throughout the information life cycle, readers may consult NIST SP 800-88, Guidelines for Media Sanitization.
Other methods of disposal also may be appropriate, depending on the circumstances. Covered entities are encouraged to consider the steps that other prudent health care and health information professionals are taking to protect patient privacy in connection with record disposal. In addition, if a covered entity is winding up a business, the covered entity may wish to consider giving patients the opportunity to pick up their records prior to any disposition by the covered entity (and note that many states may impose requirements on covered entities to retain and make available for a limited time, as appropriate, medical records after dissolution of a business).
For questions please contact:
Jessie Reyes
719-255-4418
jreyes11@uccs.edu
Charlie Wertz
719-255-3211
cwertz@uccs.edu
De-identified data are not subject to the requirements of the Privacy and Security Rules because the data are not individually identifiable and not considered PHI. There are two ways to de-identify data:
- Safe Harbor Method – in which all of the following 18 elements are removed from a data set:
  - Names
  - Geographic info (including city and ZIP)
  - Elements of dates (except year), ages over 89 years
  - Telephone #s
  - Fax #s
  - E-mail address
  - Social Security #
  - Medical record, prescription #s
  - Health plan beneficiary #s
  - Account #s
  - Certificate/license #s
  - VIN and Serial #s, license plate #s
  - Device identifiers, serial #s
  - Web URLs
  - IP address #s
  - Biometric identifiers (finger prints)
  - Full face, comparable photo images
  - Unique identifying #s
  If all of the 18 identifiers listed above are removed, the information is no longer:
  - Individually identifiable,
  - PHI, and
  - Subject to HIPAA's requirements.
- Statistical Method – in which certification is provided by “a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable so that there is a ‘very small’ risk that the information could be used by the recipient to identify the individual who is the subject of the information, alone or in combination with other reasonably available information.” For more information see HHS Guidance for De-identification of Protected Health Information.
A data set may also be considered de-identified if an expert in statistical and scientific methods determines and documents that the methods used to de-identify or code the data present a very small risk that the information can be used alone or in combination with other reasonably available information to identify an individual.
"Anonymous" data are not necessarily considered de-identified under HIPAA. Anonymity under the federal Common Rule requires that individuals cannot be readily ascertained by the investigator and cannot be associated with the data. According to the Common Rule standard, anonymous data may retain dates of treatment. Under HIPAA's more stringent requirements, however, such data would be considered identifiable data.
Some studies may need to retain a limited number of identifiers and, thus, not meet the strict HIPAA definition of "de-identified data." However, these studies may present only minimal potential for identifying participants based on the data set. In such circumstances, HIPAA permits use of a "Limited Data Set" for research purposes. A Limited Data Set is PHI that excludes "direct identifiers" of the individual, relatives of the individual, employers, or household members.
A limited data set must exclude all direct identifiers such as:
- Names
- Street Addresses or P.O. Box Numbers
- Phone and Fax Numbers
- Email Addresses
- Social Security Numbers
- Medical Record Numbers
- Health Plan Numbers
- Account Numbers
- Certificate/License Numbers
- Vehicle Identifiers/License Plates
- Device Identifiers
- Web URLs
- Internet Protocol (IP) Addresses
- Full Face Photos
A limited data set may include one or more of the following:
- Towns
- Cities
- States
- ZIP codes and their equivalent geocodes. (Note that a ZIP code cannot be used if the area composing the ZIP code has fewer than 20,000 citizens.)
- Dates including birth and death
- Other unique identifying numbers, characteristics, or codes that are not expressly excluded, as long as the unique identifier(s) cannot be used to identify a specific individual. (E.g., “the four-time NFL MVP” would be a unique identifier that identifies only one individual, so it could not be used.)
- Relevant medical information
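The Safe Harbor identifier list and the Limited Data Set exclusions above share the same set of direct identifiers and differ mainly in how dates, ages and geography are treated. The following Python example, added here and not part of the UCCS page or any UCCS tool, applies both rules to a constructed patient record; the field names, the ZIP population table and the free-text patterns are assumptions for illustration.

```python
import re
from datetime import date

# Identifier categories that both the Safe Harbor list and the Limited Data Set
# definition on this page require to be removed ("direct identifiers").
# Field names are assumptions chosen for this example.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}

# Geographic fields: removed under Safe Harbor, allowed in a Limited Data Set
# (ZIP only where the area has at least 20,000 residents, per the page).
GEOGRAPHIC = {"city", "state", "zip"}

# Constructed population figures (assumption; a real deployment would use
# census data for the 20,000-resident rule).
ZIP_POPULATION = {"80918": 55_000, "81133": 1_200}

# Direct identifiers that commonly leak into free-text fields such as notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\bhttps?://\S+", re.IGNORECASE), "[URL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]

# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0001",
    "phone": "719-555-0100",
    "city": "Colorado Springs",
    "state": "CO",
    "zip": "81133",
    "birth_date": date(1931, 3, 5),
    "visit_date": date(2023, 6, 14),
    "age": 92,
    "diagnosis": "Type 2 diabetes",
    "notes": "Call 719-555-0100 or jane@example.com; SSN 123-45-6789 on file.",
}

def scrub_free_text(text: str) -> str:
    """Replace identifier patterns inside free text with placeholder tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text

def generalize_age(age: int) -> str:
    """Safe Harbor: ages over 89 collapse into a single '90+' category."""
    return "90+" if age > 89 else str(age)

def deidentify(record: dict, mode: str = "safe_harbor") -> dict:
    """Return a copy of `record` filtered under Safe Harbor or Limited Data Set rules."""
    if mode not in ("safe_harbor", "limited"):
        raise ValueError(f"unknown mode: {mode}")
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # removed under both rules
        if field in GEOGRAPHIC:
            if mode == "safe_harbor":
                continue  # Safe Harbor strips all geographic detail
            if field == "zip" and ZIP_POPULATION.get(value, 0) < 20_000:
                continue  # small-area ZIP cannot stay in a limited data set
            out[field] = value
        elif isinstance(value, date):
            # Safe Harbor keeps only the year; a limited data set keeps full dates.
            out[field] = value.year if mode == "safe_harbor" else value
        elif field == "age":
            out[field] = generalize_age(value) if mode == "safe_harbor" else value
        elif isinstance(value, str):
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    return out

if __name__ == "__main__":
    for mode in ("safe_harbor", "limited"):
        print(mode, deidentify(SAMPLE_RECORD, mode))
```

A limited data set produced this way still requires a Data Use Agreement before release, and the free-text scrub is pattern-based, so narrative notes should still be reviewed by hand.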
A Limited Data Set may be used only for purposes of research, public health, or health care operations. Under the Privacy Rule, use or disclosure of limited data sets for research purposes requires a "Data Use Agreement."
A Limited Data Set may be used only if the covered entity providing the data and the recipient of the data first enter into a Data Use Agreement. The investigator, the holder of the PHI, and their respective institutions, must sign Data Use Agreements, either for access to a Limited Data Set or for the release of a Limited Data Set. At UCCS, the Office of Legal Counsel and Compliance will assist with the completion of these agreements. These agreements must, among other things, establish the permitted uses and disclosures of the information included in the Limited Data Set and must provide that the recipient of the Limited Data Set will not identify the information or use it to contact individuals.
As with research conducted pursuant to an authorization, disclosure(s) of PHI that are part of a Limited Data Set need not be tracked for purposes of providing an accounting to an individual.
The HIPAA Privacy Rule's Minimum Necessary Standard applies when using or disclosing protected health information (PHI), or when requesting PHI from others: a covered entity must take reasonable steps to limit uses and disclosures of PHI to "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." The minimum necessary standard applies to all uses and disclosures for the purposes of payment, health care operations and research (it does not apply to treatment). Even when accessing PHI for research purposes pursuant to an authorization, the researcher must limit the amount of information requested in the authorization to the minimum necessary.
The HITECH Act further explains that if a covered entity does not comply with the minimum necessary standard, the non-compliance could be considered a Breach.
Health-related information is considered PHI if any of the following are true:
1. The researcher obtains the records directly from a health plan, health care clearinghouse, or health care provider;
2. The records were created by any of the entities (i.e., Covered Entities) in item 1 and the researcher obtains the records from an intermediate source; or
3. The researcher obtains it directly from the study subject in the course of providing treatment to the subject.
To report a concern or ask a question, contact the individuals listed above.
Forms
- Activities Preparatory to Research - Request for Waiver of Authorization Fill-In Form (PDF)
- Authorization to Release and/or Obtain Patient Information and Referral Fill-In Form (PDF)
- Authorization to Use or Disclose Identifiable Health Information for Research
- Approval of Request to Amend Medical or Billing Records (PDF)
- Business Associates Agreement
- Data Use Agreement (PDF)
- Denial of Request to Amend Healthcare Information Form (PDF)
- HealthCircle Notice of Privacy Practices (PDF)
- HIPAA Authorization for Release of Health Information – Media
- HIPAA Security Workbook
- HIPAA Walkthrough Checklist
- PHI Disclosure Accounting Log (PDF)
- Privacy - Security Incident Fill-In Form (PDF)
- Request for Alternate Means of Communication of Confidential Medical Information (PDF)
- Request for Amendment of Health Information Instructions and Fill-in Form (PDF)
- Request for Accounting of Disclosures of Protected Health Information Fill-in Form (PDF)
- Request for Waiver of Elements of Authorization or an Altered Authorization Fill-In Form (PDF)
- Request to Restrict Uses or Disclosures of Personal Medical Records (PDF)
- Request to View or Obtain Copy of Personal Medical Records (PDF)
- Required Representations for Research on Decedents Information Fill-In Form (PDF)
- Revocation of Authorization Fill-in Form (PDF)