Please Note...

This module is intended as a general overview of HIPAA, and is for educational purposes only.

If you require specific guidance regarding the application of HIPAA at UNH, please contact the UNH HIPAA Privacy Officer:

Melissa McGee, 603-862-2005.

Introduction to HIPAA

The Health Insurance Portability and Accountability Act (“HIPAA”) was passed by Congress in 1996i. The intent of the law was to improve the efficiency and effectiveness of the health care system nationwide. The law required the US Department of Health and Human Services (DHHS) to adopt national standards for health care transactions and code sets, and unique identifiers for health care providers. Because one of the goals was to make use of electronic technology to increase efficiency in health care delivery, Congress was concerned that such technology could jeopardize the privacy of health informationii.

Introduction (cont.)

Due to this concern about the privacy of health information, the HIPAA statute mandated that the US DHHS enact regulations protecting the privacy of individually identifiable health information. The HIPAA Privacy Ruleiii (published in 2000) established a national standard for what individually identifiable health information must be considered to be “protected.” The HIPAA Security Ruleiv (published in 2003) introduced technical and physical security requirements to ensure the integrity, confidentiality and availability of electronic protected health information.

Introduction (cont.)

While several states, including New Hampshire, already had strong confidentiality statutes, this was not the case across the country. The Privacy Rule established, for the first time, federal protections that would ensure the privacy of protected health information, and would guarantee an individual’s access to his/her own health information.

The HIPAA Privacy Rule does not replace federal, state or other laws that grant individuals even greater privacy protections. In addition, the HIPAA regulations allow entities covered by HIPAA to adopt policies or practices that are more protective of individuals’ privacy and access rights.

Who Must Comply With HIPAA?

HIPAA’s rules establish a national baseline of privacy protection, and so-called “Covered Entities

A Covered Entity is one of the following: A health care provider (such as a hospital or individual provider, if they transmit certain transactions in electronic form), a health plan (such as an HMO or Medicaid), or a health care clearinghouse (such as a billing service or other entity that processes health information).

” and their “Business Associates

A Business Associate is an entity or individual engaged by a Covered Entity to carry out certain health care activities or services.

” must protect the privacy and security of health information.

A helpful “Covered Entity” flow chart is here:

If an entity does not meet the definition of either a “Covered Entity” or “Business Associate,” the HIPAA Rules will not apply to it.

Who Must Comply With HIPAA? (cont.)

The Office for Civil Rights in the US DHHS enforces compliance with the HIPAA regulations, and is authorized by the HIPAA Enforcement Rule to impose civil monetary penalties for HIPAA violations.

Covered Entities

The following are examples of “Covered Entities” – individuals, organizations and agencies that must comply with HIPAA:

Covered Entities (cont.)

Health Care Providers: Any person, business or agency that, in the normal course of business, furnishes, bills for or receives payment for, health care or medical services, and transmits certain transactions (e.g., billing) electronically. Examples include, but are not limited to:

Covered Entities (cont.)

Health Plans: Any individual or group plan that provides or pays the cost of medical care. Examples include:

Covered Entities (cont.)

Health Care Clearinghouses: Public or private entities that process nonstandard health information they receive from another entity into a standard format (or vice versa). Examples include:

Business Associates

A “Business Associate” is a person or entity that, on behalf of a Covered Entity (or on behalf of another business associate of a covered entity) – but other than as an employee of the Covered Entity – creates, receives, maintains, or transmits protected health information (“PHI”). (An employee of a Covered Entity is not a Business Associate if he/she does this work in the course of his/her employment.)

Examples include– but are not limited to– contractors who provide:

Business Associates (cont.)

A Business Associate also may be a person or entity who, other than as an employee of the Covered Entity, provides:

services to or for the Covered Entity (or another business associate of a covered entity), where the provision of the service involves the disclosure of PHI.

Business Associate Agreements

A “Business Associate Agreement” (sometimes referred to as a “BAA”) is a written contractual arrangement that formalizes the terms and obligations of the relationship between the Covered Entity and the Business Associate relative to the handling of protected health information. A BAA may be an exhibit to a project or services agreement, an addendum, or a wholly separate agreement between the parties.

While the original requirement for written BAAs was intended to ensure that Business Associates provide the same protections to PHI as Covered Entities, recent updates to the HIPAA Rules made many of the provisions – such as security requirements and financial penalties – directly applicable to Business Associates (including their subcontractors).

See the UNH Research Blog post, "Have you been asked to sign a BAA?"

Hybrid Entities

UNH is a Hybrid Entity for HIPAA compliance purposes. This means that only certain identified components of the University are subject to the HIPAA regulations.

A “Hybrid Entity,” for HIPAA purposes, is a single legal entity that performs both covered and non-covered functions.

To qualify as a Hybrid Entity, the Covered Entity must designate and include in its “health care component” all components that would meet the definition of a Covered Entity, the same as if those components were separate legal entities.

Hybrid Entities (cont.)

For example, an employee clinic that provides health care services and engages in standard electronic transactions would be included in a Hybrid Entity’s health care component, and would therefore be subject to the HIPAA Rules.

Similarly, a research component that has a services contract to conduct insurance claims analysis on behalf of an insurance provider (i.e. is a Business Associate) would be included in a Hybrid Entity’s health care component, and would be subject to HIPAA.

However, an unfunded research project by a graduate student that uses a survey, asking whether respondents have certain medical or mental health diagnoses, to study attitudes about the health care system, would not be included in a Hybrid Entity’s health care component. While the survey includes health care information, the graduate student is neither acting as a health care provider or other Covered Entity, nor is the student conducting the project on behalf of a Covered Entity (i.e. as a Business Associate).

What Information is Protected by HIPAA?

Protected Health Information

HIPAA applies to “Protected Health Information” or “PHI.”

PHI is individually identifiable health information created, maintained or transmitted by a Covered Entity (or its Business Associate) in any form or medium, including information transmitted orally, or in written or electronic form. Electronic Protected Health Information is referred to as “ePHI.”v

“Individually identifiable health information” is a subset of health information (including demographic information) that is created or received by a Covered Entity (or its Business Associate), which identifies or may reasonably be used to identify the individual, and which relates to:

Protected Health Information (cont.)

Thus, PHI includes, but is not limited to, information such as:

Also, a conversation between a doctor and nurse about a patient has the same general protections as information written in that patient’s medical records. Both paper and electronic medical records must be kept secure in a way that is appropriate for the storage medium.

What is Not Covered by HIPAA?

It is important to be aware that the PHI protections under HIPAA only apply to Covered Entities and Business Associates. For example, the following types of entities are not covered by HIPAA:

What is Not Covered by HIPAA? (cont.)

Even if these entities receive information from a Covered Entity, if they do not receive it as a Business Associate, the HIPAA Rules will not apply to how these entities may re-release that information.

In addition, information regarding a person who has been deceased for more than 50 years is no longer covered by HIPAA.

What is Not Covered by HIPAA? (cont.)

Some individually identifiable health information is specifically excluded from the regulatory definition of PHI:vii

These exclusions from HIPAA are based on the role of the entity in possessing and using the health information, and the purpose for which the information is used. In order for the HIPAA regulations to apply, the entity must be acting specifically in its role as a Covered Entity or Business Associate.

How May PHI Be Used?

When disclosing PHI, in accordance with the HIPAA regulations and state privacy laws, only the minimum information necessary should be released to achieve the purpose of the disclosure.

Under HIPAA, Covered Entities and Business Associates are permitted to use or disclose PHI:

Note, however, that some states have laws that provide additional privacy protections and specific consent of the individual may be required even for those disclosures that are permitted under HIPAA.

Authorization to Use or Disclose PHI

For instances when an Authorization is required to use or disclose PHI, it must be given on a separate document (i.e. cannot be combined with a consent for treatment) that sets out details of the authorized use or disclosure, such as the specific information to be released, the party to receive the information, the purpose(s) of the release, and the expiration of the authorization.

PHI for Research

An individual’s PHI may be used for research with his or her specific consent or authorization. However, PHI may also be used for research if:

How Must PHI Be Secured?

The HIPAA Security Rule requires that Covered Entities:

Reasonable Safeguards

Covered Entities and Business Associates must have in place appropriate administrative, technical and physical safeguards that protect against uses and disclosures not permitted by the HIPAA Privacy Rule, as well as that limit incidental uses or disclosures.

Such safeguards need not guarantee the privacy of PHI from any and all potential risks; reasonable safeguards will vary from entity to entity, depending on factors such as an entity’s size and the nature of its business.


The HIPAA security standards are organized into four categories: Administrative, Physical, Technical and Network. Some examples:

Policies and proceduresPhysical safeguards controlsApplication level assessmentInternet
Business contingencyAwareness TrainingAccess controlIntranet/LAN

Incidental Uses and Disclosures

The HIPAA Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the Covered Entity has applied reasonable safeguards to protect from the inadvertent disclosure of PHI and releases the minimum amount of PHI necessary when complying with the primary use or disclosure.

An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature and that occurs as a result of another use or disclosure that is permitted by the HIPAA Privacy Rule. However, an incidental use or disclosure is not permitted if it is a result of an underlying use or disclosure that violates the HIPAA Privacy Rule.

HIPAA & Individual Rights

HIPAA provides individuals the right to:

Additional Privacy Laws to Consider

As stated in the introduction to these slides, HIPAA establishes a national, baseline-level of privacy protection for health information. The HIPAA Privacy Rule does not replace federal, state or other laws that grant individuals even greater privacy protections. In addition, the HIPAA regulations allow entities covered by HIPAA to adopt policies or practices that are more protective of individuals’ privacy and access rights – which may be based on professional ethics or practice standards.

New Hampshire Laws Related to Medical Privacy

Several state regulations and statutes relate to the privacy or access to medical records in New Hampshire. Two of the most significant are:

Additional Privacy Laws to Consider (cont.)


The Family Educational Rights and Privacy Act (FERPA) governs the privacy of student records, including student treatment records. As discussed earlier, information in records covered by FERPA is not considered to be PHI, and therefore is not also subject to the HIPAA regulations.

HIPAA Compliance at UNH

Ensuring privacy is key to providing the best service to the UNH community. It encourages trust, and ensures that we have access to the most appropriate information to perform our services, whether direct patient care or research, to the highest professional standards.

UNH’s HIPAA Policy

HIPAA Compliance at UNH (cont.)

UNH is a “hybrid” entity for purposes of HIPAA compliance. This means that some departments of the University are covered by HIPAA, and others are not. Many UNH departments are Business Associates of other entities (for example, as part of sponsored projects or service contracts) and are therefore subject to the HIPAA regulations.

Covered components of UNH each provide a "Notice of Privacy Practices" to the individuals to whom they provide health care or other covered services. These notices describe how UNH may use or disclose PHI within these covered components, and describe individual rights regarding access and amendment. Each covered component has its own form for Authorization to Use or Disclose PHI, and maintains its own specific HIPAA policies and procedures that are consistent with the overall UNH HIPAA Policy.

HIPAA Compliance at UNH (cont.)

Researchers at UNH who work with PHI are required to follow the HIPAA regulations applicable to the organization that owns the PHI. The UNH Institutional Review Board, which oversees research involving human subjects, has additional information regarding the use of PHI for research purposes.

If you have questions about whether HIPAA applies to certain activities or projects at UNH, please contact the HIPAA Privacy Officer.


The following slides contain quiz questions designed to test your understanding of the information covered in this training.

Please note: Multiple correct responses are possible for some questions; you must choose all of the correct responses for those items in order to certify your completion.


A children’s summer day camp is offered by the local municipal recreation department. As part of the camp registration process, parents complete a “Camper Health Information” form. The form requests the following information for each child: Emergency contact name/phone; physician name/phone; health insurance provider and insurance ID number; emotional or physical disabilities; allergies; medications; and past medical conditions (such as asthma) that might impact participation in athletic activities. The completed forms are submitted through email, and are kept in a binder for the camp counselors’ reference in the event of an emergency. Camp policy is to call 9-1-1 for any incidents that require more than basic first aid care.

Is the summer camp required by HIPAA to keep the forms and the emails secure from unauthorized disclosure?
Correct. The summer camp is not a covered entity, because it is not a health care provider, is not a health plan, and is not a health care clearinghouse. It also is not providing a service on behalf of a covered entity, so it is not a business associate. Note that, even if the information on the forms is not covered by the HIPAA regulations, it is still sensitive. The summer camp staff should keep both the paper and the electronic copies of the forms in a secure manner, and it would be prudent to shred the paper copies at the end of camp.
Incorrect. Try selecting another answer.
Incorrect. Try selecting another answer.
Incorrect. Try selecting another answer.


Felix is an undergraduate at State U. He requires surgery for a chronic heart condition, and emails his professors to let them know why he will be absent from class for at least a week.

Are Felix’s professors required to comply with HIPAA because they now have information about Felix’s medical condition?
Incorrect. Try selecting another answer.
Correct. FERPA governs the privacy of student records, including student health information. Because of this existing protection, the definition of “protected health information” under the HIPAA regulations specifically excludes any individually identifiable health information that is considered to be part of education records covered by FERPA; therefore, student records that contain health-related information such as disability status or other health conditions are not subject to the HIPAA regulations. Because the health information disclosed is part of a student record, the professors should follow State U’s FERPA policies and need not also comply with the HIPAA policy.


Lexi is legally blind, and requires adaptive equipment to read a computer screen. Her job duties in the Medical Records department of City Hospital have recently changed, and now she must enter data at a computer periodically throughout the day. She has asked her supervisor to provide the adaptive equipment necessary for her to be able to do this.

Is Lexi’s request for adaptive equipment to accommodate her visual impairment “protected health information” and therefore subject to HIPAA protections?
Incorrect. Try selecting another answer.
Correct. Individually identifiable health information that may be disclosed to an employer – such as in a request for accommodation of an employee’s disability, or for Family Medical Leave – is not subject to HIPAA. The definition of “protected health information” specifically excludes health information that is part of employment records. Such health information may, however, be subject to privacy conditions of the Americans with Disabilities Act (ADA) or Family Medical Leave Act (FMLA), but HIPAA will not apply to the employer’s use of the information. Note that, if the employer, in order to comply with the ADA or FMLA, requests an employee’s health care information from a covered entity (such as a hospital or physician), the covered entity must comply with HIPAA regarding its release of the PHI to the employer.

In both of the previous questions, involving FERPA and the ADA/FMLA, the analysis hinges on the role of the entity in possessing and using the health information, and the purpose for which the information is used. In order for the HIPAA regulations to apply, the entity must be acting specifically in its role as a “covered entity” or as a “business associate.” In other words, covered entities and their business associates must comply with HIPAA in their health care capacity, not in their capacity as employers or educational institutions.


Bill and Ted work in the geriatric clinic’s excellent scheduling department. They often break for lunch together at a nearby pizza shop. While waiting at the crowded pizza shop counter one day, Ted comments to Bill about how tired Mrs. Fitch seemed when she called to schedule her husband’s next occupational therapy appointment. Bill says, “It really must be difficult for her to take care of her husband since she had her hip replacement. I noticed a note in Mr. Fitch’s record that he was in the emergency room again last week with chest pain, and Mrs. Fitch missed her physical therapy appointment.”

Has Bill disclosed information protected under HIPAA?
Correct. HIPAA prohibits protected health information, such as a patient’s name, treatment history, or medical condition, from being revealed without the patient’s authorization (except in very limited circumstances). The clinic is a “covered entity” under HIPAA, because it is a provider of health care services. Bill and Ted, as clinic employees, must therefore comply with HIPAA. Their discussion of the Fitch’s treatment and conditions may be a violation of HIPAA. Even for permitted disclosures, only the minimum necessary information should be released.
Incorrect. Try selecting another answer


Suki, an emergency medical technician (EMT) providing medical services at a local music festival, treated a teenager who apparently had been using illegal drugs and drinking. Suki recognized the teen as the 15-year-old brother of her friend. The next day Suki wants to discuss the incident with her friend, but what should she consider before Suki talks with her friend about her patient?
Incorrect. Try selecting another answer.
Incorrect. Try selecting another answer.
Correct. Suki, as a health care provider, is not permitted to share confidential information regarding the treatment or diagnosis of a patient. HIPAA prohibits disclosing or sharing protected health information without an authorization, except for limited circumstances – such as treatment coordination or “as required by law” – that do not apply in this situation.


Freddie fell from a ladder and broke his arm at work. He signed an authorization for his primary care doctor to share information concerning his arm injury with his employer, XYZ Company. Valerie processes workers’ compensation claims for XYZ Company. When she reviewed a copy of Freddie’s medical file sent by his doctor, she was shocked that it contained his entire medical history, including records of his past substance abuse treatment.

Did Freddie’s doctor violate HIPAA?
Correct. It is a violation of HIPAA for any covered entity to disclose more than the minimum amount of protected health information required for a particular purpose. Freddie only authorized information related to his workplace arm injury to be disclosed to his employer; any additional disclosure violates HIPAA's privacy provisions.
Incorrect. Try selecting another answer


Margie is undergoing treatment for an anxiety disorder and doesn’t want her partner to know. Margie asks her doctor to keep their communications confidential and to leave messages only on Margie’s personal voicemail.

How does HIPAA apply to such a request for confidentiality?
Incorrect. Try selecting another answer.
Incorrect. Try selecting another answer.
Correct. HIPAA establishes a “floor” of privacy standards that all covered entities, including doctors, must uphold. HIPAA gives patients the right to request that covered entities take reasonable steps to ensure confidential communication. This includes honoring patient requests concerning where to leave messages or how the patient should be contacted.


As the office manager for a physical therapy clinic, Mindy makes several calls a day to remind people of their scheduled appointments. She knows HIPAA protects confidential medical information and wants to make sure she doesn’t violate its disclosure restrictions.

Which of the following are considered allowable disclosures under HIPAA?
Correct. While HIPAA provides protections from certain uses and disclosures of protected health information, it is not intended to create a barrier to patient treatment or medical care. It is acceptable for a covered entity to use or disclose information for treatment, payment or healthcare operations – for example, to discuss patient care, to inform patients of treatment alternatives, to remind them of appointments, to coordinate their care, and to perform activities such as audits and obtaining payment or billing information.


Tom’s son fell at his hockey practice and hit his head on the ice. Thankfully, his son was wearing a helmet, but he later complained that his head hurt so Tom took him to the local urgent care clinic. After they were settled in a room, waiting for the doctor, Tom noticed a medical chart labeled with their last name on the room door. He wonders if this is a violation of his son’s privacy.

Does the HIPAA Privacy Rule allow clinics and doctor’s offices to place patient charts on the doors of patient rooms?
Incorrect. Try selecting another answer.
Incorrect. Try selecting another answer.
Correct. Yes, the Privacy Rule permits this practice as long as the facility takes reasonable and appropriate measures to protect the patient’s privacy. Incidental disclosures to others that might occur as a result of the charts being left in the box are permitted, if reasonable safeguards are taken, such as limiting access to certain areas, ensuring that the area is supervised, escorting non-employees in the area or placing the patient chart in the box with the front cover facing the wall.


While researching his family history online, Perry discovered a security breach at a hospital in his former hometown. He found his father’s – and hundreds of other patients' – name, Social Security number and medical record number on a public website. Perry believes the hospital did not sufficiently protect his father’s PHI, as required by HIPAA.

What safeguards should the hospital have in place to protect patient PHI?
Correct. The HIPAA security standards are organized into four categories: administrative, physical, technical and network. It is important for covered entities to maintain security for each category. Technical and network safeguards, as well as awareness training, may have prevented the unlawful access and posting of patient PHI from the hospital’s database.


Brian is responsible for ensuring the security of electronic protected health information at his company. He is considering how to satisfy HIPAA’s “reasonable safeguards” requirement while minimizing the disruption to workflow or infrastructure at his organization.

What steps might Brian consider as he attempts to improve the security of ePHI?
Incorrect. Try selecting another answer.
Correct. Conducting a “risk analysis” is a good first step to determine how to improve security, by discovering the company’s vulnerabilities and taking appropriate actions to mitigate any risk.


As Tonya waits for her dental exam, she notices that the office receptionist has left her computer unattended and the screen unlocked. The screen is only at a slight angle from the reception window, and Tonya looks at the document on the screen; it contains billing information for several patients who had appointments earlier in the day. Tonya is concerned that the information isn’t better secured.

Is it a potential violation of HIPAA to leave an unlocked and unattended billing computer where it can be seen easily from the reception area?
Correct. Electronic information must be protected by limiting access to it. Leaving a computer unlocked and unattended puts patient information at risk. It is reasonable to think that information left in plain view – on a computer screen or elsewhere – may be accessed and misused. The HIPAA Security Rule requires covered entities to protect information against any reasonably anticipated threats.
Incorrect. Try selecting another answer


Jan participated in an online survey about her daily diet and whether she has experienced various illnesses and health conditions. The fitness magazine sponsoring the survey intends to use the information for an upcoming article. At the end of the survey, Jan completed an informational form that includes her full name, email address and zip code. Jan believes that the health information she provided to the survey is protected by HIPAA, so she isn’t concerned about providing such detailed information about her medical history.

Is Jan correct that HIPAA applies to the survey?
Incorrect. Try selecting another answer
Correct. When protected health information is given voluntarily to a non-covered entity, the information is not protected under HIPAA. Many online self-directed health sites are not covered under HIPAA; only those under the direction of covered entities or their business associates must abide by HIPAA when handling PHI.


Thank you for taking UNH’s HIPAA On-line Training!

Once you have finished all of the review questions click ‘Certify Completion’.

Certify Completion

Additional Information