Skip to site content

California Area Office logoCalifornia Area Office

Email - September 12, 2014 - HIPAA Reminders

From: Freeman, Marilyn (IHS/CAL
Sent: Friday, September 12, 2014 1:21 PM
Subject: HIPAA Reminders

Good morning!  I ran across this article Exit Disclaimer: You Are Leaving www.ihs.gov (By Healthcare IT News: Ready or Not: HIPAA gets tougher today) again this morning.  I believe it is still quite relevant even though it is one year old and changes referenced took effect on September 23, 2013.  Please take a few minutes to review the article. 

While the information is not all-inclusive, I think it is good to remind you of a few things:

The definition of a breach has changed.  The definition of a breach now states that "impermissible use or disclosure of PHI is presumed to be breached unless an entity demonstrates and documents low probability PHI was compromised."  This is a SIGNIFICANT CHANGE from the interim rule that stated “a breach compromised the security or privacy of protected health information and posed significant risk of financial, reputational or other harm to an individual – often called the harm standard.”

Business Associates are now held to the same standard as a covered entity. 

New Business Associate (BA) agreements were required to meet new standards effective September 23, 2013.
Existing Business Associate (BA) agreements were grandfathered in with a deadline of September 23, 2014 for a revised BA to be put in place.

Security Risk Analysis must be completed ANNUALLY to meet both HIPAA and Meaningful Use requirements.

Protected Health Information (PHI) must NEVER be transmitted via unencrypted email. 

Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.  The 18 elements of PHI are:

  1. Names
  2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Telephone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code;

All electronic storage devices must be encrypted. Electronic devices (computers, mobile devices, photocopier/scanners with storage) must be wiped clean before disposal.

Hard copy documents containing PHI (Protected Health Information) must be destroyed in a confidential manner that meets federal and state requirements. 

HIPAA Notice of Privacy Practices must be made available to patients in the following three ways:

At time of first service (or as soon as practical following)
Posted publicly.  The posting should be prominent and easily read.
On the facility website

I apologize for the length of this email.  Please let me hear from you with any questions/comments.

Warm Regards

Marilyn Freeman, RHIA
Clinical Application Coordinator