Compliance Information


Effective date: April 30, 2012

Violations and Penalties

In 2011, the US Department of Health and Human Services Office for Civil Rights increased HIPAA enforcement activities in accordance with HITECH mandates, including issuing large penalties and settlements for noncompliance:

  • Cignet Health of Prince George’s County, MD was fined $4.3 million for denying patients access to their records and related HIPAA violations.
  • Massachusetts General Hospital agreed to a $1 million settlement arising from paper records pertaining to 192 patients having been left behind on the Boston subway.
  • University of California at Los Angeles agreed to a $865,000 settlement arising from inappropriate access to celebrity records by staff members.
  • In the fall the US Department of Health and Human Services announced plans to audit 150 HIPAA Covered Entities over the next year for HIPAA compliance.

Reminders for Avoiding Violations at Yale

  • Everyone is required to report any potential breach of PHI. Some examples include:
    • Loss or theft of a laptop, external hard drive, thumb drive, or paper chart containing PHI
    • Access to PHI outside of an individual’s job responsibilities
    • Improper disposal of PHI such as failure to shred paper documents or securely delete electronic records prior to device disposal or re-purposing
    • Misdirected mailings, emails, or faxes
    • Malware infection on ePHI containing devices

Potential breaches should be reported to the Security Office hotline at 203.627.4665

  • Health information included in any presentation or seminar for a purpose other than patient care must be redacted of all identifiers, including names, dates, medical record numbers, etc.
  • PHI collected in the course of a research study is still PHI and must be handled with the same regard to privacy and security as clinical information.
  • VPN should be used for any remote access to Yale PHI. View more information on how to use VPN.
  • Non-Yale email services such as Gmail and Yahoo may not be used to send messages or attachments containing PHI.
  • Access to systems containing PHI is subject to electronic audit and monitoring by the University to ensure compliance with University policies on appropriate use and disclosure of protected health information.
  • Please keep in mind that the reminders from 2011 are still applicable and may be found below. Everyone is still required to ensure that their devices are appropriately secured and to update their device information as they add or discard devices.

Effective date: August 26, 2011

Yale University is committed to providing the highest quality health care, which includes respecting the right of patients and clinical research subjects to maintain the privacy and security of their health information. The standards for protecting health information are described in the federal law known as the Health Insurance Portability and Accountability Act (HIPAA). HIPAA and Yale’s HIPAA policies apply to individually identifiable information on past, present or future health care or payment for health care, which HIPAA calls “Protected Health Information” or “PHI.” PHI stored electronically is called “ePHI.”

Yale’s policies are designed to ensure the appropriate privacy and security of all PHI across the University, in compliance with the law. Yale’s HIPAA policies apply to all faculty, staff, trainees, students and others in Yale’s HIPAA Covered Components: the School of Medicine (excluding the School of Public Health, the Animal Resources Center, and the basic science departments: Cell Biology, Cellular and Molecular Physiology, Comparative Medicine, History of Medicine, Immunobiology, Microbial Pathogenesis, Molecular Biophysics & Biochemistry, Neurobiology, Neuroscience, Pharmacology and WM Keck Biotechnology Resources Laboratory), Yale School of Nursing, Yale Health, Department of Psychology clinics and the Group Health Plan Component.

All faculty, staff, trainees, students and others in Yale’s HIPAA Covered Components must comply with Yale University’s Compliance Requirements.

Please review and familiarize yourself with the Compliance Information and Compliance Requirements. You are responsible for complying with these requirements.