What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a federal law effective as of April 2003. This law protects the privacy of a patient’s personal and health care information. Violations of the law can result in fines up to $250,000 and in jail sentences up to 10 years.

Who has to follow the HIPAA law?
Everyone

When does the law have to be followed?
Now

Why is HIPAA important?
HIPAA protects our privacy and the security of information about us when we are patients. It’s the law and it’s the right thing to do.

What patient information must we protect?
All information about an individual who is a patient of a health care service is private or confidential. The information may be written on paper, saved on a computer or spoken. HIPAA refers to this information as Protected Health Information (PHI).

PHI includes:

• a person’s name, address, phone numbers, e-mail address, age, birth date, social security number
• medical records including the reason for seeking health care, diagnosis, prescribed treatment and medications, x-rays, lab work, test results
• billing records including claim information, referral authorizations, benefits explanations
• research records

If you have access to any of this information—including the simplest fact that a person received health services—and reveal it to someone who does not need to know it, you have broken the law and compromised a person’s confidentiality.

How does HIPAA affect you and your job?

• If you currently see, use or share a person’s protected health information as part of your job, HIPAA may change the way that you do your job.
• If you currently work directly with patients, HIPAA may change the way that you do your job.
• As part of your job, you must protect the privacy of PHI.

When can you use PHI?

You can only use PHI to do your job. You should, at all times, protect a person’s information as if it were your own information. You may

• Look at a person’s PHI only if you need it to do your job.
• Use a person’s PHI only if you need it to do your job.
• Give a person’s PHI to others when it is necessary for them to do their jobs.
• Talk to others about a person’s PHI only if it is necessary to do your job.

Need to Know?

Use common sense in making decisions about whether you need to see or share PHI to perform your job. Ask yourself, “Do I need to know this to do my job?” If you do not, do not access the information. It is none of your business! But if it is your business, you have nothing to worry about.

- top of page -

Sample situations

Story 1. A colleague of yours mentions seeing a series of billing records in SAR for a prominent campus basketball player. You have a friend who doesn’t work at the University who is a major fan of the team. Your friend regularly asks you for the “buzz” on campus about the team. What are you going to say when the question comes up?

Nothing that isn’t already in the media! Although the billing information may be of interest to the newspapers or your fan friends, you can’t tell anyone. Telling others about an individual’s information, unless it is a part of your job, is the wrong thing to do. That goes for that colleague of yours, as well.

Story 2. You use the same password for all the systems you are authorized to access as part of your job. One of the systems to which you have access is the University’s account receivable system (SAR); this system includes billing information from the University’s Health Center. A student who works for you occasionally uses your computer. You haven’t told the student about your password management technique, but he does know the password to unlock your desktop’s screen saver. You change your universal password periodically but keep it on a post-it note in your unlocked desk drawer. Doesn’t everyone?

It may be common, but it’s bad practice, and does not keep PHI secure. Do not compromise information security by sharing or making passwords available in any way.

Story 3: You are aware a student friend of yours has missed many classes of late and is not looking healthy. You have access to SAR, and because you are concerned, you are tempted to see if s/he has sought health care. Should you?

You should not compromise your access to this system by examining billing records you do not encounter in the performance of your duties. This would be a violation of the law.

- top of page -

What else should I be thinking about to protect privacy of PHI?

Strong computer security practices are protective of private information. These are some best practices to implement:

• Make sure that your computer is running updated anti-virus software. Right clicking on the "V Shield" icon on the task bar and selecting "About" will tell you when your virus definitions were last updated. The OIT Virus page has links to auto updating software.
• Use common sense when receiving attachments from strangers. Don't open a file unless you have reason to have expected to receive one.
• Pay attention to "cries for help" from your computer. If hackers have gained access, you might notice the disk drives chattering when you aren't asking the computer to do anything. Subtle changes to your desktop might suggest someone is running "remote control" software against you.
• Clear off disk drives before surplusing computers. Use a "disk wipe" program or a low level format.
• Use a screen saver that locks your desktop when you are away from your
  desk.
• Position your computer screen so that it cannot be easily viewed by passers-by.
• Do not store SAR data on local hard drives.
• Select a password that hackers will have difficulty guessing. 8 characters is a good number. Include letters, digits, and punctuation. Change your password every few months. If you have a Windows NT, 2000, or XP computer, make sure that the Administrator account on the computer also has a strong password.

- top of page -