Key Concepts

How Does HIPAA Apply to Yale?

HIPAA applies to covered entities: health care providers; health plans (defined by HIPAA as individual or group plans that provide or pay for health care, including employer plans); and health care clearinghouses. Within Yale, HIPAA applies to:

  • the School of Medicine (excluding the School of Public Health, the Animal Resources Center, and the basic science departments: Cell Biology, Cellular and Molecular Physiology, Comparative Medicine, History of Medicine, Immunobiology, Microbial Pathogenesis, Molecular Biophysics & Biochemistry, Neurobiology, Pharmacology and WM Keck Biotechnology Resources Laboratory).
  • Yale School of Nursing
  • Yale Health
  • Department of Psychology clinics
  • the University’s group health plan
  • other departments that may perform support functions for the health care components (e.g., the Provost’s Office or the Office of the Vice President and General Counsel).

If you are in doubt whether HIPAA applies to you, please contact hipaa@yale.edu.

What is Protected Health Information (PHI) & ePHI?

ePHI stands for Electronic Protected Health Information. PHI is any individually identifiable health information, including genetic information and demographic information, collected from an individual, whether oral or recorded in any form or medium, that is created or received by a covered entity (the Yale School of Medicine (excluding the School of Public Health, the Animal Resources Center, and the basic science departments: Cell Biology, Cellular and Molecular Physiology, Comparative Medicine, History of Medicine, Immunobiology, Microbial Pathogenesis, Molecular Biophysics & Biochemistry, Neurobiology, and Pharmacology), Yale School of Nursing, Yale Health, the Department of Psychology Clinics and the Group Health Plan component).

PHI encompasses information that identifies an individual or might reasonably be used to identify an individual and relates to:

  • The individual’s past, present or future physical or mental health or condition; OR
  • The provision of health care to the individual; OR
  • The past, present or future payment of health care to an individual.

Information is deemed to identify an individual if it includes either the patient’s name or any other information that, taken together or used with other information, could enable someone to determine an individual’s identity (for example: date of birth, medical record number, health plan beneficiary number, address, zip code, phone number, email address, fax number, IP address, license numbers, full face photographic images or Social Security Number; see Policy 5039 for a list of HIPAA Identifiers).

PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA) (records described in 20 USC 1232g(a)(4)(B)(iv)) and employment records held by a covered entity in its role as employer. PHI also excludes information related to individuals who have been deceased for more than 50 years. (See also the definitions of “health information” and “individually identifiable health information”.)

The “e” in ePHI

ePHI includes any medium used to store, access, transmit or receive PHI electronically.

Examples include:
  • Personal Computers with their internal hard drives used at work, home, or traveling
  • External portable hard drives, including iPods
  • Magnetic tape or disks
  • Removable storage devices such as USB thumb drives, CDs, DVDs, and floppy diskettes
  • PDAs, smartphones
  • Electronic transmission includes data exchange (e.g., email or file transfer) via wireless, ethernet, modem, DSL or cable network connections.

As technology progresses, any new devices for accessing, transmitting, or receiving ePHI electronically will be covered by the HIPAA Security Rule.

Overview of HIPAA Standards

HIPAA imposes the following standards on covered entities for the purpose of standardizing and protecting the use, disclosure and exchange of health information:

  1. Privacy standards, developed by the Department of Health and Human Services, that address the use and disclosure of health information, patient consent and authorization for the use of information, patient rights to review their health information, request edits and demand an accounting of disclosures of health information.
  2. Security standards for health information including administrative, technical and physical safeguards to ensure the integrity and confidentiality of health information and to protect against security breaches and unauthorized use or disclosure of health information.
  3. Standards for the transfer of information among health plans, needed, for example, for the coordination of benefits and the sequential processing of claims.
  4. Standards to enable electronic interchange. HIPAA calls for the adoption of standards for certain transactions and data elements, such as health claim status, eligibility for a health plan, health plan enrollment/disenrollment.
  5. Standards for code sets for the data elements for the transactions covered above.
  6. Standards for unique health identifiers for individuals, employers, health plans and health care providers.
  7. Standards for electronic signatures.
  8. Requirements related to notifying patients and DHHS in the event of a breach of PHI.

Identifiers

Data are “individually identifiable” if they include any of the 18 types of identifiers, listed below, for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual:

  • Name
  • Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voice prints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

Instead of removing the data, sometimes making the information more general is sufficient for de–identification; for example, replacing birth date with an age range.
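The following is an added example, not code from the Yale HIPAA page or from Yale ITS: a small Safe Harbor style de-identification pass over a constructed patient record. It drops the direct identifier fields named in the list above, keeps only the year of admission/discharge/death dates, replaces a birth date with a ten-year age range (collapsing ages over 89 into a single "90+" band, since exact age over 89 is itself an identifier), keeps only the state from an address (every smaller geographic subdivision is an identifier), and goes a step beyond the text by scrubbing SSN, phone, email and the patient's own name from a free-text note. The field names, the sample record and the regular expressions are assumptions made for this example; the free-text scrub is a heuristic and does not by itself prove a note is free of identifying detail.

```python
"""Added example (not from the Yale HIPAA page): Safe Harbor style
de-identification of a constructed patient record."""
from datetime import date
import re

# Fields treated as direct identifiers and dropped outright. Field names are
# assumptions for this example, not Yale's data model.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_serial", "device_serial",
    "url", "ip_address", "fingerprint_id", "photo_path",
}

# Date fields reduced to the year only ("all elements (except years) of dates").
DATE_FIELDS = {"admission_date", "discharge_date", "date_of_death"}

# Patterns scrubbed from free text (constructed; a heuristic, not a guarantee).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
]

# Reference date for computing ages (constructed).
AS_OF = date(2024, 1, 15)


def age_range(dob: date, as_of: date) -> str:
    """Replace a birth date with a 10-year band; ages over 89 collapse to '90+'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    if age > 89:
        return "90+"
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def generalize_date(value: str) -> str:
    """Keep only the year of an ISO date string (YYYY-MM-DD)."""
    return date.fromisoformat(value).strftime("%Y")


def scrub_free_text(text: str, known_names=()) -> str:
    """Redact identifier-shaped tokens and any known patient names from a note."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    for name in known_names:
        text = re.sub(re.escape(name), "[NAME]", text, flags=re.IGNORECASE)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a copy of the record with the identifier classes above removed."""
    out = {}
    names = [record["name"]] if "name" in record else []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # dropped entirely
        if key in DATE_FIELDS:
            out[key.replace("date", "year")] = generalize_date(value)
        elif key == "birth_date":
            out["age_range"] = age_range(date.fromisoformat(value), as_of)
        elif key == "address":
            out["state"] = value.get("state")          # state is the only level kept
        elif key == "notes":
            out["notes"] = scrub_free_text(value, names)
        else:
            out[key] = value                           # clinical content passes through
    return out


def remaining_identifiers(record: dict) -> set:
    """Sanity check: identifier fields still present after de-identification."""
    return DIRECT_IDENTIFIER_FIELDS & set(record)


# Constructed sample record; every value here is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "birth_date": "1931-04-12",
    "admission_date": "2023-05-02",
    "discharge_date": "2023-05-09",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001234",
    "email": "jane.sample@example.com",
    "address": {"street": "1 Example St", "city": "New Haven",
                "county": "New Haven", "zip": "06510", "state": "CT"},
    "ip_address": "192.0.2.10",
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt Jane Q. Sample (SSN 123-45-6789) reachable at 203-555-0100 "
             "or jane.sample@example.com.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD, AS_OF)
    for k, v in cleaned.items():
        print(f"{k}: {v}")
    print("identifier fields left:", remaining_identifiers(cleaned) or "none")
```

The age banding illustrates the page's point that generalizing a value is sometimes enough: the record still carries an age range and admission year that are useful for analysis, but no longer an exact birth date or an exact age over 89.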

See also the HIPAA policy on de–identification.

Accounting for Billing Disclosures

HIPAA requires that we track disclosures of PHI for purposes other than releases for TPO or releases with patient authorization, except in limited circumstances. Payment (the P of TPO) includes some cases that lead to disclosures requiring accounting and others that do not. The decision turns on whether the disclosure resulted from inaccurate information provided by the patient or provider, or from an error in our processing, whether intentional or not.

Examples
  1. Cases where the disclosure would need to be listed in the accounting for disclosures log:
    • Clinical trial procedures incorrectly billed to insurance instead of to sponsor
    • Computer error in batch processing either through programming error or any other computer glitch
    • Mailing errors such as mismatch of letter and envelope
  2. Cases where the disclosure would not need to be listed in the accounting for disclosures log:
    • Patient/hospital provides inaccurate information
    • Patient has changed coverage and has not provided updated information

HIPAA’s effect on personal computing & telecommunications

HIPAA (Health Insurance Portability and Accountability Act) is a federal law aimed at protecting health information by establishing standards for the use and disclosure of individually identifiable health information (known as Protected Health Information or PHI) that is created or received by a health care entity.

HIPAA has several components relating to the privacy of health information and the security of information systems.

Here are some best practices to help you safeguard your data and information about what ITS is doing to make privacy and security better and easier. Please note these apply to the use of Yale protected health information (PHI) both on– and off–campus. Learn more about PHI.

Data Privacy

Unless you use encryption, email and instant messaging are not private communications mechanisms. We are investigating user-friendly options for encryption, but in the meantime you should avoid using PHI in email and instant messaging.

Similarly, it is easy to misplace portable electronic devices (e.g., laptop, notebook and sub–notebook computers, hand-held computers, palmtops, PDAs, and smart phones), so it is critical that you take extra measures to protect the data on those devices by using password protection and encryption. Again, we are evaluating solutions and urge caution in your use of PHI with these devices. We will soon require that wireless devices be registered before connecting to the University network.

To ensure privacy, personal computing devices that create, receive or distribute PHI will require secure configurations that may include creation of access logs, and/or restricting login access to authorized individuals.

Finally, do not share your passwords, and change them frequently.

Physical Security

The physical security of computing devices in offices, labs, and at home is of utmost importance. The physical security of portable devices requires even greater diligence. Solutions include investing in privacy screens, turning monitors away from casual viewers, relocating devices and storing devices in secured locations.

Virus Protection

Virus protection is a critical security measure for all personal computing devices and is freely available to the Yale community. If you use PHI on a Windows or Apple personal computer, you must implement virus protection. We are exploring virus protection solutions for all major computing platforms, including Unix and PDAs.

Disposing of/Recycling Old Computers

Computing devices must have their data completely removed; traces of data remain even after erasing data or reformatting disks. Thorough removal will probably entail a complex process including opening the system. ITS is exploring both self-service and fee–for–service solutions.

University Voice Mail System

The Voice Mail system has a default password that is the same for all users. Be certain that you have changed your voice mail password from the default to avoid unauthorized access to your messages.

We will continue to inform you of the impact of HIPAA on your work at Yale.

Telecommuting with PHI

Performance of Yale duties involving protected health information (PHI) offsite requires implementation of the same standards for privacy and security of PHI as apply on–campus. In addition, arrangements for staff to temporarily telecommute must comply with all applicable personnel practices (see YSM HR Policies and Procedures).

If it is decided that telecommuting is appropriate, the following items should be considered regarding the privacy and security of PHI:

  • Follow recommendations for off–campus computers.
  • HIPAA Privacy and Security training must be completed.
  • Protected Health Information must be transported in a secure manner (for example: locked case).
  • When transporting PHI, the vehicle must be secured during any stops along the way (for example: locked trunk or locked doors). PHI or electronic devices should not be left visible in the car.
  • Protected Health Information must be stored in a secure place away from public or family exposure/access.
  • Use of home computers for University business requires that anti-viral and anti-spyware software be current.
  • Data should not be stored on non–Yale–owned computers.
  • Any University documents stored offsite, in the home or on any other electronic device must not be accessible to anyone other than the Yale employee. Password protection and automatic log–off procedures must be utilized on the offsite device and paper records must be physically secured.
  • Any University documents that are printed on an offsite or home computer must be secured and properly disposed of in a closed secure receptacle according to Yale University policy (i.e. Shred–It containers).

Yale University Training & Certification

Please see Training FAQ.