What is HIPAA?

Transcript
Page 1: What is HIPAA?

What is HIPAA?

This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research, on March 5, 2014.

Page 2: What is HIPAA?

What Does HIPAA Stand For?

• The Health Insurance Portability & Accountability Act of 1996 is a federal law guarding the privacy of Protected Health Information.

• The overall purpose of HIPAA is:

– Continuation of healthcare coverage and portability; and

– Ensure the security and privacy of individual health information.

Page 3: What is HIPAA?

HIPAA Has Three Rules:

• The Privacy Rule

• The Security Rule

• The Breach Notification Rule

Page 4: What is HIPAA?

Who Must Follow the Privacy, Security and Breach Notification Rules?

1. Covered entities;

2. Business associates of covered entities; and

3. Subcontractors of business associates.

Page 5: What is HIPAA?

Which UA Departments Must Comply with HIPAA?

• The University of Arizona is a hybrid entity.

• If you are not sure if your clinic or department is a covered entity or business associate, please contact the UA HIPAA Privacy Office.

Page 6: What is HIPAA?

What Does HIPAA Require?

• Under HIPAA, covered entities and business associates are required to:

– Develop and implement policies and procedures;

– Use appropriate safeguards; and

– Ensure that employees and subcontractors receive training on federal, state and internal policies and procedures.

Page 7: What is HIPAA?

What Does HIPAA Protect?

• Protected Health Information (PHI):

– Individually identifiable health information

– Transmitted or maintained in any form or medium by a covered entity or business associate.

• What is not PHI?

– Employment records of a covered entity

– FERPA records

Page 8: What is HIPAA?

HIPAA Also Protects Certain Rights…

1. Notice of Privacy Practices;

2. Access to PHI;

3. Accounting of disclosures of PHI;

4. Request to amend PHI;

5. Request a restriction on the use and disclosure of PHI;

6. Request confidential communication(s); and

7. File formal complaint with CE or HHS.

Page 9: What is HIPAA?

What Can a Covered Entity or Business Associate Do with PHI?

• Covered entities and business associates may properly use or disclose PHI in the following circumstances:

– For treatment, payment and healthcare operations;

– With an authorization from the patient or personal representative;

– In limited circumstances, without an authorization if the patient was provided an opportunity to agree or object;

– Other circumstances (disclosure for public health reporting, as required by law, etc.) may permit the use or disclosure.

Page 10: What is HIPAA?

Remember:

• It is never acceptable for an employee to look at PHI “out of curiosity.”

• Examples of best practices:

– Do not share or give anyone your passwords.

– Use passwords on screensavers and mobile devices.

– Use encryption on computers, mobile devices, flash drives, etc.

– Destroy or shred paper that could contain PHI.

– Keep doors, cabinets and drawers locked.

– Use extreme caution when it is necessary to travel with PHI.

– Review your internal policies and procedures.

Page 11: What is HIPAA?

What About Penalties for Breaches and Noncompliance?

• Fines:

– A maximum penalty of $1.5 million for all violations of an identical provision.

• Criminal penalties:

– Up to $50,000 and up to one year’s imprisonment.

– $250,000 and up to 10 years’ imprisonment if there is intent to sell, transfer, or use identifiable health information for commercial advantage, personal gain, or malicious harm.

Page 12: What is HIPAA?

What About Research?

• Key points to remember:

– HIPAA does not replace or override other federal regulations for human subjects research.

– Researchers must comply with HIPAA when using PHI in research and must protect the privacy of subjects.

– HIPAA impacts research by regulating how healthcare providers, health plans and healthcare clearinghouses may permit access to PHI.

– At UA, all human research studies involving PHI must be reviewed and approved in advance by the Human Subjects Protection Program and an IRB.

Page 13: What is HIPAA?

When Can a Covered Entity Disclose PHI for Research?

1. Authorization; or

2. Waiver or partial waiver; or

3. With a Limited Data Set (and Data Use Agreement); or

4. Reviews PHI solely in preparation for research, without collecting the PHI or recruiting subjects; or

5. Complete de-identification; or

6. Using PHI of decedents who have been deceased for 50+ years.

Page 14: What is HIPAA?

HIPAA Authorization Requirements:

• Description of information to be used;

• Name or class of persons authorized to disclose information;

• Name or class of recipients of the information;

• Description of research purpose;

• Expiration date of authorization (can be “end of study”);

• Right to revoke authorization;

• HIPAA protections may not apply to redisclosed information;

• Consequences of a refusal to sign an authorization; and

• Signature and date.

Page 15: What is HIPAA?

Remember…

A healthcare provider’s right to access a patient’s PHI for health care purposes does not entitle that healthcare provider to access the same information for research purposes.

Page 16: What is HIPAA?

UA Notification Requirements

• YOU have a responsibility to report privacy or security breaches involving PHI to the UA HIPAA Privacy Office.

• Employees, volunteers, students or contractors of UA may not threaten or take any retaliatory action against an individual for exercising his or her rights under HIPAA.

Page 17: What is HIPAA?

The University of Arizona Commitment to Privacy

• UA is committed to protecting the privacy and integrity of individuals’ health information while supporting research and innovation.

• The HIPAA Privacy, Security and Breach Notification Rules recognize the importance and value of this commitment.

• Protecting Patient Health Information is a shared responsibility.

Page 18: What is HIPAA?

Questions?

• If you have questions about this presentation or have privacy or HIPAA concerns, contact the UA HIPAA Privacy Office.

– Email: [email protected]

– Telephone: 520-621-1465

– Office: 1618 E. Helen St.

– Web: www.orcr.arizona.edu/hipaa

• Also, see the OCR website for helpful information and FAQs: http://www.hhs.gov/ocr/privacy/index.html
