Health Insurance Portability and Accountability Act

At Yale University, we are committed to providing quality health care which includes respecting patients' and clinical research subjects’ rights to maintain the privacy of their health information and ensuring appropriate security of all protected health information. The standards for protecting patient health information are described in the federal law known as the Health Insurance Portability and Accountability Act (HIPAA). This Web site provides information and guidance on the policies and procedures related to HIPAA compliance at Yale University.

The American Recovery and Reinvestment Act (ARRA) and HIPAA

The American Recovery and Reinvestment Act of 2009 includes legislation known as the Health Information Technology for Economic and Clinical Health (HITECH) Act which promotes the use of electronic health records (EHRs) by providing incentives to health care providers who convert their medical records from paper files to EHRs. Congress recognized the increased risk to the privacy and security of protected health information (PHI) with widespread adoption of EHRs and amended the HIPAA requirements to mitigate these risks. Some key changes are outlined below:

Effective February 17, 2009

• State attorneys general can enforce HIPAA
• Civil and monetary penalties increased to maximum of $1.5 million and minimal penalty of $100 per violation imposed except in very limited cases
• Funds collected from civil penalties distributed to the Department of Health and Human Services (DHHS) for enforcement activities and to patients harmed by the violation
• Individuals as well as covered entities can be held accountable for HIPAA violations

Effective September 23, 2009

• Patients and clinical research subjects, DHHS, and in some cases the media, must be notified in the case of a breach of protected health information (PHI).

Effective February 17, 2010

• Business Associates are directly accountable for HIPAA compliance in addition to contractual requirements.
• Patients may request restrictions to billing disclosures when they self-pay
• Limited Data Sets are considered the default standard for complying with HIPAA’s Minimum Necessary standard
• Patients may request electronic copies of their PHI when the data is held in an EHR and that their records be sent to others in an electronic format.
• Limitations and prohibitions on using PHI for marketing and fundraising are strengthened and sale of PHI is prohibited.

Phased in beginning 1/1/2011

• All disclosures of PHI from an EHR must be accounted for, including those for treatment, payment and healthcare operations

Regulations and guidance on these issues are evolving and we will periodically update this site as new information becomes available.