HIPAA: Privacy Information Security | WKCTC

HIPAA imposes new restrictions on the use and disclosure of Personal Health Information (PHI) and gives patients greater access to, and protection of, their medical records.

What is PHI?

  • Individually Identifiable Health Information (IIHI) that relates to the past, present or future health condition of an individual and is transmitted or maintained in any form (electronically, orally or on paper).
  • Examples: name, address, dates of service, date of birth, social security number, etc.

What is Disclosure and Use?

  • Use: PHI is shared, examined, applied or analyzed within the entity that holds the information.
  • Disclosure: PHI is released, transferred, or made accessible to anyone outside the entity that holds the information.

When can PHI be Used/Disclosed?

PHI can be used or disclosed for:

  • Treatment, Payment, Healthcare Operations (TPO)
  • With authorization from the individual
  • Disclosure to the patient
  • Incidental uses

When is Authorization Required?

Generally speaking, for uses other than Treatment, Payment and Healthcare Operations (TPO).

An authorization is a written document, signed by the patient, that specifically allows the covered entity to disclose PHI for the purpose the patient has approved.

When is authorization not required?

  • To maintain a patient directory
  • To inform family members of patient location, general condition, or death
  • Public health activities
  • Coroners, medical examiners, funeral directors, organ donations
  • To avert a serious threat to health and safety

Minimum Necessary

  • Share only the least amount of health information needed to accomplish the task.
  • Identify who regularly accesses PHI and which types of PHI they need for the patient's treatment, payment and healthcare operations (TPO).

Patient Notice

  • The Patient Notice is a required document that outlines the common uses of PHI.
  • It must describe the patient's rights and the covered entity's legal duties.
  • It must be made available in print.
  • It must be displayed at the site of service and posted on a web site.

Security Training

  • Recognizing what types of security issues may arise in the workplace; and
  • Knowing what actions to take in the event of a security breach.
  • The HIPAA Security Rule requires that everyone in the workforce be trained.
  • Members of the workforce include volunteers.
  • Always report anything unusual.
  • Notify your supervisor if you suspect a security incident.
  • Never share your ID or password with anyone.

Common Security Mistakes

  1. Hidden under the keyboard - Keeping a computer password on a yellow post-it note.
  2. I'll do it my way - Not listening to or following security procedures.
  3. On, gone, not locked - Walking away from the computer and leaving it unlocked or not turned off.
  4. Gee, what's in this attachment - Unknown email attachments can carry viruses that cripple systems.
  5. Weak passwords - Passwords based on information that is easily accessible to others.
  6. Loose lips - Talking in public about things you shouldn't.
  7. Laptops with legs - Laptops left unsecured and unattended are vulnerable to theft.
  8. Law enforcement - Managers and supervisors need to ensure ongoing compliance.
  9. The threat within - Statistically, most security breaches originate inside the organization.
  10. Update now - Security updates don't do any good unless they are installed on your computer.

Privacy and Information Security Officers

  • HIPAA requires that we assign a "Privacy Officer" and an "Information Security Officer".
  • This person is responsible for overseeing all privacy policies and procedures.
  • This person is the contact for receiving complaints.
  • Institute a training program for volunteers.

Penalties

  • Civil penalties from $100 to $25,000
  • Criminal penalties up to $250,000 and 10 years in prison