- Incident Notification Form (formerly Breach Notification Form)
- Stay Safe Online: ID Theft, Fraud & Victims of Cybercrime
- Request an Education In-Service
- Starting Gate Newsletter - HIPAA
The federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) protects the privacy and confidentiality of an individual’s health information.
Known as “protected health information” or “PHI”, the health information generally cannot be used or disclosed unless the individual who is the subject of the PHI has given prior written authorization or permission.
The individual* requests that a copy of the individual’s PHI or health records be sent the individual’s employer. The individual must provide prior written authorization before the records can be sent.
The individual would like a third party, not a treatment provider, to interview the individual’s treatment provider. The individual must provide prior written authorization that allows the treatment provider to discuss the individual’s treatment PHI with the third party.
HIPAA requires that an individual’s PHI is reasonably safeguarded. (Learn more about record disposal.) Loss of hard copy PHI or unencrypted electronic PHI can result in a breach of PHI that will require a breach notification letter to be sent to the affected individual.
Medical record documents left unattended in the cafeteria constitute a breach of PHI.
A laptop containing unencrypted PHI is stolen from a car. The loss of the laptop constitutes a breach of PHI.
A workforce member** accessing PHI for information about co-workers, friends, or family members out of curiosity (i.e., without a medical or business-related purpose). This unauthorized access constitutes a breach of PHI.
An individual has several basic rights associated with their Protected Health Information.
The Right to...
** Under HIPAA, "workforce member" means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. A person is acting under the authority of a covered entity or business associate if he or she is acting on its behalf. This may include a workforce member of a covered entity, an employee of a business associate, or even a business associate of a covered entity.
"Privacy is a fundamental right. As such it must be viewed differently than any ordinary economic good. . .
In 1890 Louis D. Brandeis and Samuel D. Warren defined the right to privacy as 'the right to be let alone.'
(See L. Brandeis, S. Warren, 'The Right To Privacy', 4 Harv.L.Rev. 193.)
More than a century later, privacy continues to play an important role in Americans' lives."
~ Preamble, Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82464, 82465 (Dec. 28, 2000).