1. HIPAA Update J. T. Ash University of Hawaii System
HIPAA Compliance Officer

2. Application of HIPAA HIPAA By Policy Health Care Provider
Health Care Plan
Clearinghouse
By Contract
There are two ways you can be “obligated” to implement HIPAA, By Policy or By Contract
By Policy:
Health Care Provider (Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies) ...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
Health Plan (Health Insurance Companies, HMOs, Company Health Plans, Government Programs_
Health Care Clearinghouse (process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
By Contract: You sign a contract indicating that you will implement HIPAA safeguards.

3. Essential Definitions
Health Information (including genetic information, whether oral or recorded in any form or medium):
Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and 
Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. 
Individually Identifiable Health Information (IIHI):
Includes demographic information that reasonably identifies an individual
Created or received by a health care provider/clearinghouse/plan
Relates to physical or mental health of an individual past, present, or future
Involves past, present, or future payment for the provision of health care to an individual
Protected Health Information (PHI)
IIHI (that is transmitted or maintained electronically or in any other forum or medium) but EXCLUDES:
IIHI in education records covered by FERPA
IIHI in employment records in the unit’s role as an EMPLOYEE
Health Information – Data Protection IAW 2.214
Health information means any information, including genetic information, whether oral or recorded in any form or medium, that: 
Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and 
Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. 
Individually identifiable health information – IAW 2.217
Individually identifiable health information
is information, including demographic data, that relates to: 
the individual’s past, present or future physical or mental health or condition,
the provision of health care to the individual, or 
the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). 
Protected Health Information – IAW Protected Health Information is all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. 
University Units that collect, use, transmit, and/or store IIHI but are not designated as UH Covered Components are still required to: (1) protect IIHI in accordance with applicable HIPAA privacy and security policies and (2) comply with the operational procedures set forth herein.