What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Among other things, the law includes the Privacy Rule, which creates national standards to protect the privacy of individuals’ protected health information (PHI), and the Security Rule, which establishes standards for securing PHI in electronic form.
The Privacy Rule has been in effect since April 2003. Stanford University and Stanford Hospitals have adopted policies that promote compliance with the Privacy and Security Rules. Stanford University policies can be found on this website along with links to hospital policies.

What is PHI?

PHI includes all individually identifiable health information (including information in research databases and tissue bank samples with identifiers) relating to the:
  • Past, present, or future physical or mental condition of an individual
  • Provision of health care to an individual
  • Past, present or future payment for the provision of health care to an individual
Health information is individually identifiable if it contains any of the following:
  • Names
  • Geographic subdivisions smaller than a state
  • Dates (except year) directly related to an individual, including birth date, health care service admission or discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, unless aggregated into a single category of ages over 89
  • Telephone numbers
  • Fax numbers
  • E-mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/Driver’s license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic or code
PHI that is either transmitted by electronic media or maintained in electronic media is referred to as electronic protected health information, or ePHI.

Which groups at Stanford are subject to the HIPAA Privacy and Security Rules?

Entities covered by HIPAA are health care providers, health plans (including employer’s sponsored plans), and healthcare clearing houses (e.g., billing agent).
Stanford Hospital, Lucile Packard Children’s Hospital, and portions of Stanford University are Covered Entities as health care providers. Health information collected and/or used by our medical staff and clinical research projects are PHI and subject to the Privacy and Security Rules.
Since not all of Stanford University’s functions meet the definition of a Covered Entity, Stanford has excluded certain programs that have no need to create, use, receive or disclose PHI from the Covered Entity. For example, the School of Education and the School of Law are not included in the Stanford University HIPAA Components (SUHC). SUHC is the group of health care components of Stanford University that are its health care providers (e.g., School of Medicine, Vaden Health Center) and selected support units which by the nature of their function have a need to share PHI with the health care providers. SUHC has joined with SHC and LPCH to create an overarching Covered Entity that is known as the Stanford Affiliated Covered Entity. This association enables the sharing of PHI between the three organizations.
Stanford University, as an employer, sponsors and maintains various ERISA health benefits plans that are subject to HIPAA. Stanford refers to these covered Plans as the Group Health Plans (GHP). These include the University’s Educated Choices Flexible Benefits Program (Plan 513), the Post-retirement and Post-employment Benefit Plan (Plan 516), the Postdoctoral Affiliates Welfare Benefit Plan (Plan 517), and the Welfare Benefit Plan for Certain Affiliated Medical Faculty (Plan Number 518) and other plans as modified, added, and eliminated in the future.
Schools, programs, departments and labs included in SUHC must develop special administrative procedures to comply with these policies. A complete list of all Stanford covered entities can be found at http://hipaa.stanford.edu.

What are the limitations on how we can use PHI internally or disclose PHI externally?

The Privacy Rule establishes permitted uses and disclosures of PHI by Covered Entities such as Stanford. When PHI is shared within the Stanford Affiliated Covered Entity, it is being “used”. When PHI is shared outside of the Covered Entity (either with someone in a Stanford department not included in the SUHC or with someone outside of Stanford) it is being “disclosed”.
The Privacy Rule allows the use or disclosure of PHI:
  • For treatment (including treatment in the course of research)
  • For payment
  • For health care operations (including education programs)
  • With authorization by the individual
  • When compelled by law
In addition, all research is subject to special requirements under the Privacy Rule which govern the handling of PHI.
Individuals have certain rights with respect to their PHI, including the right to receive an accounting of all disclosures made to people or groups outside of the Stanford Affiliated Covered Entity for purposes other than for treatment, payment, health care operations or with authorization by the individual. This means that each organization within the Stanford Affiliated Covered Entity must maintain records of disclosures outside the Covered Entity for all other purposes (including for health care operations and when compelled by law) and make these records available to individuals when requested.

How do I know if I can share PHI?

There is a 3 pronged test to determine whether you can use or share PHI:
  1. Is the disclosure for treatment, payment or health care operations purposes?
  2. If not, do you have authorization from the patient?
  3. If not, is there another legal requirement for disclosure?
If you answer “yes” to any of the questions above, then you may share PHI both within and outside the Covered Entity. If the answer is “no” to any of the questions above, do not share the PHI without contacting your Privacy Officer. Records must be kept only of those disclosures outside of the Stanford Affiliated Covered Entity compelled by law as well as any disclosures that are not permitted under the Privacy Rule.
Even if use or disclosure of PHI is permitted under the Privacy Rule, care must be taken to:
  • Eliminate all of the personal identifiers which are not essential to the purpose for which the PHI is being used or disclosed.
  • Use or disclose only the minimum necessary amount of PHI necessary to satisfy the purpose of the use or disclosure.
Example 1: You are part of the School of Medicine. You want to ask a researcher outside of the School to help you analyze some data. First, check to see if you have an authorization from the patient. If you do, you may share the information once you have eliminated all identifiers from the data that are not necessary for the assistance you seek. If you do not have authorization, you should eliminate all personal identifiers from the information.
Example 2: You are part of the School of Medicine and are in the café talking about your research with a colleague from the School of Engineering lab across the hall. In the course of your conversation you want to share a picture showing the artificial limb on one of the subjects of your study. Without authorization, you may talk about the subject and show the photo so long as you do not refer to the subject by name, you cover up the subject’s face in the photo, and you eliminate all other personal identifiers listed above. Do not share any PHI about your research population without authorization and without ensuring it is the minimum necessary for the purpose of the disclosure.
Example 3: You are part of the School of Medicine. You get a request for information from the private physician of one of the subjects in your research study on heart disease. She has been diagnosed with cancer unrelated to your project. You may share PHI gathered in your research records with a private doctor to the extent necessary for the patient’s treatment.

What additional rules apply to research using PHI?

HIPAA affects an investigator’s ability to collect and otherwise access PHI. The Privacy Rule requires certain procedural steps prior to releasing PHI to any investigator for use in research. This is true whether or not the investigator is in or outside of the Stanford Affiliated Covered Entity. Therefore, the Privacy Rule impacts the ability of one Stanford investigator to share PHI with another Stanford investigator or with investigators connected with other Covered Entities, such as NIH or another academic medical center. When PHI is to be shared for research purposes, a HIPAA authorization must be added to the research informed consent or a waiver of the HIPAA authorization for the research use must be obtained from the IRB.
You may review the privacy policy governing research projects at Stanford at http://hipaa.stanford.edu.

How does HIPAA impact my activities if I am in a Stanford Covered Entity?

Inclusion in a Stanford covered entity will ensure that PHI can be made readily available by and shared with SHC, LPCH, School of Medicine and the other SU health care components as needed to achieve your unit’s objectives. Special procedures need to be in place for those not in the Covered Entity to receive and use PHI:
Check the individual’s authorization to determine if PHI may be disclosed and/or used in the manner proposed, especially before sharing information with someone outside of the School of Medicine or the Hospitals. Without prior authorization every disclosure of PHI outside of the Stanford Affiliated Covered entity must be documented in the patient records. This includes information disclosed in the course of casual conversations, information disclosed as the result of sharing data, and information disclosed when seeking assistance from a colleague outside of your lab.
Take care to protect PHI from accidental disclosure:
  • Use a fax cover sheet when faxing PHI, double check the fax number to be sure it is correct, and be sure the intended recipient is available to pick up the fax when delivered.
  • Keep all files containing PHI locked in file cabinets.
  • Password protect all computer files containing PHI, and don’t share passwords.
  • Eliminate all names and other identifiers when doing presentations including PHI.
  • Don’t share subject names and other identifiers in conversations with colleagues outside of your department or lab.
  • Place computer screens so they are not readily visible by people passing by.
  • Don’t send PHI by e-mail if at all possible. When necessary, be sure it is encrypted.

What standards are established by the Security Rule?

The HIPAA Security Rule establishes administrative, physical and technical safeguards to secure protected health information that is (i) transmitted by electronic media or (ii) maintained in electronic media. Electronic protected health information is commonly referred to as ePHI.
The Security Rule requires that Covered Entities restrict access to ePHI to only those workforce members or business associates who require access to that data in order to perform their job functions. Systems access controls and procedures must be in place on all information systems that maintain ePHI to guard against unauthorized access to such data. Security mechanisms and procedures must be implemented to limit access to facilities and physical areas in which information systems that maintain or access ePHI are housed.
Computing devices must be installed, configured and located in a way that minimizes the unauthorized or incidental disclosure of ePHI. Managers and workforce members are responsible for employing appropriate safeguards to deter unauthorized access in the workplace and on their computing devices and storage media.
When ePHI is transmitted over an electronic communications network (e.g., file transfer, email), the ePHI must be secured against unauthorized access and modification. The sender must use a secure electronic messaging system (e.g., secure email) that has been approved by the Stanford Information Security Officer. If a secure system is not used to transfer the ePHI, then the ePHI must be encrypted.
System Owners are responsible for establishing appropriate auditing mechanisms and procedures to detect potential security incidents involving ePHI. Contingency plans must be developed and implemented for each information system for responding to and recovering from system outages or other emergencies that may damage or make unavailable the system or ePHI.
Stanford University has developed security policies to support these and other HIPAA Security Rule requirements. These policies can be found at http://hipaa.stanford.edu/.

Last modified Mon, 15 Jul, 2013 at 12:55