University Compliance with
the Health Insurance Portability and
Accountability Act of 1996
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996.
It is a federal law effective as of April 2003. This law protects
the privacy of a patient’s personal and health care information.
Violations of the law can result in fines up to $250,000 and in jail sentences
up to 10 years.
Who has to follow the HIPAA law?
When does the law have to be followed?
Why is HIPAA important?
HIPAA protects our privacy and the security of information about
us when we are patients. It’s the law and it’s the right thing
What patient information must we protect?
All information about an individual who is a patient of a health
care service is private or confidential. The information may be written
on paper, saved on a computer or spoken. HIPAA refers to this information
as Protected Health Information (PHI).
- a person’s name, address, phone numbers, e-mail address, age,
birth date, social security number
- medical records including the reason for seeking health care, diagnosis,
prescribed treatment and medications, x-rays, lab work, test results
- billing records including claim information, referral authorizations,
- research records
If you have access to any of this information—including the simplest
fact that a person received health services—and reveal it to someone
who does not need to know it, you have broken the law and compromised
a person’s confidentiality.
How does HIPAA affect you and your job?
- If you currently see, use or share a person’s protected health
information as part of your job, HIPAA may change the way that you do
- If you currently work directly with patients, HIPAA may change the
way that you do your job.
- As part of your job, you must protect the privacy of PHI.
When can you use PHI?
You can only use PHI to do your job. You should, at all times, protect
a person’s information as if it were your own information. You may
- Look at a person’s PHI only if you need it to do your job.
- Use a person’s PHI only if you need it to do your job.
- Give a person’s PHI to others when it is necessary for them
to do their jobs.
- Talk to others about a person’s PHI only if it is necessary
to do your job.
Need to Know?
Use common sense in making decisions about whether you need to see or
share PHI to perform your job. Ask yourself, “Do I need to know
this to do my job?” If you do not, do not access the information.
It is none of your business! But if it is your business, you have nothing
to worry about.
Story 1. A colleague of yours mentions
seeing a series of billing records in SAR for a prominent campus basketball
player. You have a friend who doesn’t work at the University who
is a major fan of the team. Your friend regularly asks you for the “buzz”
on campus about the team. What are you going to say when the question
Nothing that isn’t already in the media! Although the billing information
may be of interest to the newspapers or your fan friends, you can’t
tell anyone. Telling others about an individual’s information, unless
it is a part of your job, is the wrong thing to do. That goes for that
colleague of yours, as well.
Story 2. You use the same password for
all the systems you are authorized to access as part of your job. One
of the systems to which you have access is the University’s accounts
receivable system (SAR); this system includes billing information from
the University’s Health Center. A student who works for you occasionally
uses your computer. You haven’t told the student about your password
management technique, but he does know the password to unlock your desktop’s
screen saver. You change your universal password periodically but keep
it on a post-it note in your unlocked desk drawer. Doesn’t everyone?
It may be common, but it’s bad practice, and does not keep PHI
secure. Do not compromise information security by sharing or making passwords
available in any way.
Story 3. You are aware a student friend
of yours has missed many classes of late and is not looking healthy. You
have access to SAR, and because you are concerned, you are tempted to
see if s/he has sought health care. Should you?
You should not compromise your access to this system by examining billing
records you do not encounter in the performance of your duties. This would
be a violation of the law.
What else should I be thinking about to protect privacy of PHI?
Strong computer security practices protect private information.
These are some best practices to implement:
- Make sure that your computer is running updated anti-virus software.
Right-clicking on the "V Shield" icon on the task bar and
selecting "About" will tell you when your virus definitions
were last updated. The OIT
Virus page has links to auto updating software.
- Use common sense when receiving attachments from strangers. Don't
open a file unless you had reason to expect it.
- Pay attention to "cries for help" from your computer. If
hackers have gained access, you might notice the disk drives chattering
when you aren't asking the computer to do anything. Subtle changes to
your desktop might suggest someone is running "remote control"
software against you.
- Clear off disk drives before surplusing computers. Use a "disk
wipe" program or a low level format.
- Use a screen saver that locks your desktop when you are away from
- Position your computer screen so that it cannot be easily viewed by
- Do not store SAR data on local hard drives.
- Select a password that hackers will have difficulty guessing. 8 characters
is a good number. Include letters, digits, and punctuation. Change your
password every few months. If you have a Windows NT, 2000, or XP computer,
make sure that the Administrator account on the computer also has a