HIPAA Update J. T. Ash University of Hawaii System HIPAA Compliance Officer jtash@hawaii.edu hipaa@hawaii.edu

Application of HIPAA HIPAA By Policy Health Care Provider Health Care Plan Clearinghouse By Contract There are two ways you can be “obligated” to implement HIPAA, By Policy or By Contract By Policy: Health Care Provider (Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies) ...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard. Health Plan (Health Insurance Companies, HMOs, Company Health Plans, Government Programs_ Health Care Clearinghouse (process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa. By Contract: You sign a contract indicating that you will implement HIPAA safeguards.

Essential Definitions Health Information (including genetic information, whether oral or recorded in any form or medium): Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and  Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.  Individually Identifiable Health Information (IIHI): Includes demographic information that reasonably identifies an individual Created or received by a health care provider/clearinghouse/plan Relates to physical or mental health of an individual past, present, or future Involves past, present, or future payment for the provision of health care to an individual Protected Health Information (PHI) IIHI (that is transmitted or maintained electronically or in any other forum or medium) but EXCLUDES: IIHI in education records covered by FERPA IIHI in employment records in the unit’s role as an EMPLOYEE Health Information – Data Protection IAW 2.214 Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:  Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and  Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.  Individually identifiable health information – IAW 2.217 Individually identifiable health information is information, including demographic data, that relates to:  the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or  the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).  Protected Health Information – IAW 2.217 Protected Health Information is all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.  University Units that collect, use, transmit, and/or store IIHI but are not designated as UH Covered Components are still required to: (1) protect IIHI in accordance with applicable HIPAA privacy and security policies and (2) comply with the operational procedures set forth herein.