This module is intended as a general overview of HIPAA, and is for educational purposes only.
If you require specific guidance regarding the application of HIPAA at UNH, please contact the UNH HIPAA Privacy Officer:
Melissa McGee, 603-862-2005.
The Health Insurance Portability and Accountability Act (“HIPAA”) was passed by Congress in 1996. The intent of the law was to improve the efficiency and effectiveness of the health care system nationwide. The law required the US Department of Health and Human Services (DHHS) to adopt national standards for health care transactions and code sets, and unique identifiers for health care providers. Because one of the goals was to make use of electronic technology to increase efficiency in health care delivery, Congress was concerned that such technology could jeopardize the privacy of health information.
Due to this concern about the privacy of health information, the HIPAA statute mandated that the US DHHS enact regulations protecting the privacy of individually identifiable health information. The HIPAA Privacy Rule (published in 2000) established a national standard for what individually identifiable health information must be considered to be “protected.” The HIPAA Security Rule (published in 2003) introduced technical and physical security requirements to ensure the integrity, confidentiality and availability of electronic protected health information.
While several states, including New Hampshire, already had strong confidentiality statutes, this was not the case across the country. The Privacy Rule established, for the first time, federal protections that would ensure the privacy of protected health information, and would guarantee an individual’s access to his/her own health information.
The HIPAA Privacy Rule does not replace federal, state or other laws that grant individuals even greater privacy protections. In addition, the HIPAA regulations allow entities covered by HIPAA to adopt policies or practices that are more protective of individuals’ privacy and access rights.
“Covered Entities” and their “Business Associates” must protect the privacy and security of health information.
A Covered Entity is one of the following: a health care provider (such as a hospital or individual provider, if they transmit certain transactions in electronic form), a health plan (such as an HMO or Medicaid), or a health care clearinghouse (such as a billing service or other entity that processes health information).
A Business Associate is an entity or individual engaged by a Covered Entity to carry out certain health care activities or services.
A helpful “Covered Entity” flow chart is here:
If an entity does not meet the definition of either a “Covered Entity” or “Business Associate,” the HIPAA Rules will not apply to it.
The Office for Civil Rights in the US DHHS enforces compliance with the HIPAA regulations, and is authorized by the HIPAA Enforcement Rule to impose civil monetary penalties for HIPAA violations.
The following are examples of “Covered Entities” – individuals, organizations and agencies that must comply with HIPAA:
Health Care Providers: Any person, business or agency that, in the normal course of business, furnishes, bills for, or receives payment for health care or medical services, and transmits certain transactions (e.g., billing) electronically. Examples include, but are not limited to:
Health Plans: Any individual or group plan that provides or pays the cost of medical care. Examples include:
Health Care Clearinghouses: Public or private entities that process nonstandard health information they receive from another entity into a standard format (or vice versa). Examples include:
A “Business Associate” is a person or entity that, on behalf of a Covered Entity (or on behalf of another business associate of a covered entity) – but other than as an employee of the Covered Entity – creates, receives, maintains, or transmits protected health information (“PHI”). (An employee of a Covered Entity is not a Business Associate if he/she does this work in the course of his/her employment.)
Examples include, but are not limited to, contractors who provide:
A Business Associate also may be a person or entity who, other than as an employee of the Covered Entity, provides:
services to or for the Covered Entity (or another business associate of a covered entity), where the provision of the service involves the disclosure of PHI.
A “Business Associate Agreement” (sometimes referred to as a “BAA”) is a written contractual arrangement that formalizes the terms and obligations of the relationship between the Covered Entity and the Business Associate relative to the handling of protected health information. A BAA may be an exhibit to a project or services agreement, an addendum, or a wholly separate agreement between the parties.
While the original requirement for written BAAs was intended to ensure that Business Associates provide the same protections to PHI as Covered Entities, recent updates to the HIPAA Rules made many of the provisions – such as security requirements and financial penalties – directly applicable to Business Associates (including their subcontractors).
See the UNH Research Blog post, "Have you been asked to sign a BAA?"
UNH is a Hybrid Entity for HIPAA compliance purposes. This means that only certain identified components of the University are subject to the HIPAA regulations.
A “Hybrid Entity,” for HIPAA purposes, is a single legal entity that performs both covered and non-covered functions.
To qualify as a Hybrid Entity, the Covered Entity must designate and include in its “health care component” all components that would meet the definition of a Covered Entity, the same as if those components were separate legal entities.
For example, an employee clinic that provides health care services and engages in standard electronic transactions would be included in a Hybrid Entity’s health care component, and would therefore be subject to the HIPAA Rules.
Similarly, a research component that has a services contract to conduct insurance claims analysis on behalf of an insurance provider (i.e. is a Business Associate) would be included in a Hybrid Entity’s health care component, and would be subject to HIPAA.
However, an unfunded research project by a graduate student that uses a survey, asking whether respondents have certain medical or mental health diagnoses, to study attitudes about the health care system, would not be included in a Hybrid Entity’s health care component. While the survey includes health care information, the graduate student is neither acting as a health care provider or other Covered Entity, nor conducting the project on behalf of a Covered Entity (i.e. as a Business Associate).
Protected Health Information
HIPAA applies to “Protected Health Information” or “PHI.”
PHI is individually identifiable health information created, maintained or transmitted by a Covered Entity (or its Business Associate) in any form or medium, including information transmitted orally, or in written or electronic form. Electronic Protected Health Information is referred to as “ePHI.”
“Individually identifiable health information” is a subset of health information (including demographic information) that is created or received by a Covered Entity (or its Business Associate), which identifies or may reasonably be used to identify the individual, and which relates to:
Thus, PHI includes, but is not limited to, information such as:
Also, a conversation between a doctor and nurse about a patient has the same general protections as information written in that patient’s medical records. Both paper and electronic medical records must be kept secure in a way that is appropriate for the storage medium.
It is important to be aware that the PHI protections under HIPAA only apply to Covered Entities and Business Associates. For example, the following types of entities are not covered by HIPAA:
Even if these entities receive information from a Covered Entity, if they do not receive it as a Business Associate, the HIPAA Rules will not apply to how these entities may re-release that information.
In addition, information regarding a person who has been deceased for more than 50 years is no longer covered by HIPAA.
Some individually identifiable health information is specifically excluded from the regulatory definition of PHI:
These exclusions from HIPAA are based on the role of the entity in possessing and using the health information, and the purpose for which the information is used. In order for the HIPAA regulations to apply, the entity must be acting specifically in its role as a Covered Entity or Business Associate.
When disclosing PHI, in accordance with the HIPAA regulations and state privacy laws, only the minimum information necessary should be released to achieve the purpose of the disclosure.
Under HIPAA, Covered Entities and Business Associates are permitted to use or disclose PHI:
Note, however, that some states have laws that provide additional privacy protections and specific consent of the individual may be required even for those disclosures that are permitted under HIPAA.
For instances when an Authorization is required to use or disclose PHI, it must be given on a separate document (i.e. cannot be combined with a consent for treatment) that sets out details of the authorized use or disclosure, such as the specific information to be released, the party to receive the information, the purpose(s) of the release, and the expiration of the authorization.
An individual’s PHI may be used for research with his or her specific consent or authorization. However, PHI may also be used for research if:
The HIPAA Security Rule requires that Covered Entities:
Covered Entities and Business Associates must have in place appropriate administrative, technical and physical safeguards that protect against uses and disclosures not permitted by the HIPAA Privacy Rule, as well as that limit incidental uses or disclosures.
Such safeguards need not guarantee the privacy of PHI from any and all potential risks; reasonable safeguards will vary from entity to entity, depending on factors such as an entity’s size and the nature of its business.
The HIPAA security standards are organized into four categories: Administrative, Physical, Technical and Network. Some examples:
| Administrative | Physical | Technical | Network |
|---|---|---|---|
| Policies and procedures | Physical safeguards controls | Application level assessment | Internet |
| Business contingency | Awareness Training | Access control | Intranet/LAN |
The HIPAA Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the Covered Entity has applied reasonable safeguards to protect from the inadvertent disclosure of PHI and releases the minimum amount of PHI necessary when complying with the primary use or disclosure.
An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature and that occurs as a result of another use or disclosure that is permitted by the HIPAA Privacy Rule. However, an incidental use or disclosure is not permitted if it is a result of an underlying use or disclosure that violates the HIPAA Privacy Rule.
HIPAA provides individuals the right to:
As stated in the introduction to these slides, HIPAA establishes a national baseline level of privacy protection for health information. The HIPAA Privacy Rule does not replace federal, state or other laws that grant individuals even greater privacy protections. In addition, the HIPAA regulations allow entities covered by HIPAA to adopt policies or practices that are more protective of individuals’ privacy and access rights, which may be based on professional ethics or practice standards.
New Hampshire Laws Related to Medical Privacy
Several state regulations and statutes relate to the privacy or access to medical records in New Hampshire. Two of the most significant are:
FERPA and HIPAA
The Family Educational Rights and Privacy Act (FERPA) governs the privacy of student records, including student treatment records. As discussed earlier, information in records covered by FERPA is not considered to be PHI, and therefore is not also subject to the HIPAA regulations.
Ensuring privacy is key to providing the best service to the UNH community. It encourages trust, and ensures that we have access to the most appropriate information to perform our services, whether direct patient care or research, to the highest professional standards.
UNH is a “hybrid” entity for purposes of HIPAA compliance. This means that some departments of the University are covered by HIPAA, and others are not. Many UNH departments are Business Associates of other entities (for example, as part of sponsored projects or service contracts) and are therefore subject to the HIPAA regulations.
Covered components of UNH each provide a "Notice of Privacy Practices" to the individuals to whom they provide health care or other covered services. These notices describe how UNH may use or disclose PHI within these covered components, and describe individual rights regarding access and amendment. Each covered component has its own form for Authorization to Use or Disclose PHI, and maintains its own specific HIPAA policies and procedures that are consistent with the overall UNH HIPAA Policy.
Researchers at UNH who work with PHI are required to follow the HIPAA regulations applicable to the organization that owns the PHI. The UNH Institutional Review Board, which oversees research involving human subjects, has additional information regarding the use of PHI for research purposes.
If you have questions about whether HIPAA applies to certain activities or projects at UNH, please contact the HIPAA Privacy Officer.
The following slides contain quiz questions designed to test your understanding of the information covered in this training.
Please note: Multiple correct responses are possible for some questions; you must choose all of the correct responses for those items in order to certify your completion.
In both of the previous questions, involving FERPA and the ADA/FMLA, the analysis hinges on the role of the entity in possessing and using the health information, and the purpose for which the information is used. In order for the HIPAA regulations to apply, the entity must be acting specifically in its role as a “covered entity” or as a “business associate.” In other words, covered entities and their business associates must comply with HIPAA in their health care capacity, not in their capacity as employers or educational institutions.
Thank you for taking UNH’s HIPAA On-line Training!
Once you have finished all of the review questions, click ‘Certify Completion’.