Office of Research Services

HIPAA Basics

In 1996, Congress enacted the Health Insurance Portability and Accountability Act (“HIPAA”) to provide greater access to health insurance and to improve the efficiency of health care administration.

HIPAA included Administrative Simplification provisions that required the U.S. Department of Health and Human Services (“HHS”) to set national standards and regulations for transmitting certain health information and for protecting patient privacy.

HHS promulgated regulations under the Administrative Simplification provisions including the Privacy Rule, the Security Rule, the Enforcement Rule, as well as transaction and code set standards that apply to electronic exchanges involving the transfer of information. These regulations:

  1. protect the privacy of Protected Health Information (“PHI”);
  2. protect the security of PHI; and
  3. standardize transactions for electronic data interchange of health care data.

HIPAA applies to Covered Entities: health care providers, health insurance plans, and health care clearinghouses. Covered Entities must comply with HIPAA’s requirements to protect the privacy and security of health information and provide individuals with certain rights with respect to their PHI.

In January of 2013, the U.S. Department of Health and Human Services issued a Final Omnibus Rule (“Final Rule”) modifying HIPAA and implementing provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”). The Final Rule further strengthens the privacy and security protections for health information established under HIPAA.

Penalties and enforcement

HHS’s Office for Civil Rights (“OCR”) is responsible for enforcing HIPAA’s Privacy and Security Rules. Additionally, HITECH granted State Attorneys General the authority to bring civil actions and obtain damages on behalf of state residents for violations of the HIPAA Privacy and Security Rules.

HIPAA establishes both civil monetary penalties and federal criminal penalties for violations of HIPAA’s Privacy and Security Rules, including the impermissible use or disclosure of PHI. Civil penalties range from $100 per violation up to an annual cap of $1,500,000 for all violations of an identical provision in a calendar year, with the amount per violation tiered by the level of culpability. Criminal penalties for knowingly obtaining or disclosing PHI in violation of HIPAA include fines of up to $250,000 and up to ten (10) years imprisonment.

Privacy Requirements

HIPAA contains detailed requirements for the use and/or disclosure of PHI. Covered Entities may only use and disclose PHI as permitted by HIPAA or more protective state laws.

Under HIPAA, a person or entity that performs a function or service on behalf of a Covered Entity involving the creation, receipt, maintenance, transmission, use or disclosure of the Covered Entity’s PHI is a Business Associate. Every Business Associate must sign a Business Associate Agreement with the contracting Covered Entity that describes the Business Associate’s compliance responsibilities under HIPAA, including using appropriate safeguards to prevent any impermissible use or disclosure of PHI and ensuring that any subcontractors do so as well. The Final Rule made Business Associates directly liable for HIPAA compliance: a Business Associate that violates HIPAA is now subject to the same civil and criminal penalties as a Covered Entity. In the event a Business Associate violates HIPAA, the University may still be held responsible for the Business Associate’s actions.

The University and its Business Associates must make reasonable efforts to ensure that each use, disclosure, or request involves only the minimum necessary PHI required to accomplish the purpose for which the PHI is needed. For routine, recurring disclosures, this may be achieved by creating policies and procedures that limit the PHI disclosed. For other disclosures, an individualized, case-by-case review is required. The minimum necessary requirement does not apply when treating providers share PHI for treatment purposes. To ensure that only the minimum necessary PHI is used or disclosed, the University will define role-based access to PHI, so that each workforce member can reach only the categories of PHI needed for his or her role.

HIPAA also addresses use of PHI for research purposes. HIPAA requires either a patient authorization or a waiver of the authorization requirement for the use, disclosure or creation of identifiable health information for research.

An authorization is not required for research using only “de-identified” data, that is, health information from which all of the identifiers specified by HIPAA have been removed (or that an expert has determined carries a very small risk of re-identification); de-identified data is no longer PHI. If a researcher instead uses a “limited data set,” health information from which direct identifiers (such as names, street addresses, and record numbers) have been removed but which may still contain dates and certain geographic information, then no authorization is required, but the researcher must enter into a Data Use Agreement with the Covered Entity that holds the records.

HIPAA addresses the need for Covered Entities to respect patient confidentiality when engaging in marketing or development activities. Consistent with current University practice, these activities must be conducted in accordance with HIPAA and University policies.

HIPAA defines marketing as a communication about a product or service that encourages the recipient of that communication to purchase the product or service. For most marketing activities, HIPAA requires a signed authorization from the individual to whom the marketing is directed. Marketing does not include face-to-face communications made by a Covered Entity to an individual; promotional gifts of nominal value provided to individuals by a Covered Entity; prescription refill reminders or information about a drug currently prescribed for an individual. Nor does HIPAA consider communications for care management or to recommend alternative treatments to constitute marketing, unless a provider has received payment from a third party for making the communication.

For fundraising activities, HIPAA allows the use and disclosure of only certain demographic information and other PHI without a signed patient authorization. Additionally, each fundraising solicitation must include an easy means for the recipient to opt out of receiving fundraising communications in the future.

These policies apply to all individuals in any office, department or section which seeks to use PHI for marketing and/or fundraising purposes.

Under the HIPAA Privacy Rule individuals have the following rights:

  1. Right to a notice of a Covered Entity’s privacy practices.
  2. Right to request restrictions and confidential communications concerning PHI.
  3. Right to restrict disclosure to a health plan of PHI about a health care item or service for which the individual, or someone on his/her behalf other than the health plan, has paid in full out of pocket.
  4. Right to obtain access to PHI for inspection and copying, including the right to an electronic copy of PHI that is maintained electronically.
  5. Right to obtain an accounting of certain disclosures.
  6. Right to request amendment of PHI.
  7. Right to notice of a breach of his/her unsecured PHI.

The University must adhere to HIPAA’s administrative requirements, including the following:

  1. Designation of a privacy official responsible for development of policies and procedures for the use and disclosure of PHI.
  2. Implementation of an internal complaint process to handle complaints relating to HIPAA and to explain privacy procedures.
  3. Ongoing workforce training.
  4. Implementation of administrative, technical and physical safeguards to protect the confidentiality, integrity, and availability of PHI.
  5. Development and enforcement of sanctions for failure to comply with policies and procedures.
  6. Development of procedures to mitigate, to the extent practicable, the harmful effects of an impermissible use or disclosure of PHI.
  7. Enforcement of the HIPAA requirement and University policy prohibiting retaliation against a person for exercising individual rights or filing a complaint.

The Security Rule establishes national standards to protect individuals’ electronic PHI (“ePHI”) created, received, used, or maintained by a Covered Entity or Business Associate. The Security Rule mandates administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. UMKC is required to apply these standards to all health information pertaining to an individual that is electronically maintained or transmitted and must:

  • Assign responsibility for security to a person or organization.
  • Assess security risks and determine the major threats to the security and privacy of PHI.
  • Establish a program to address physical security, personnel security, technical security controls, security incident response, and disaster recovery.
  • Certify the effectiveness of security controls.
  • Develop policies, procedures, and guidelines for the use of personal computing devices (workstations, laptops, hand-held devices).
  • Ensure mechanisms are in place that allow, restrict, and terminate access (access control lists, user accounts, etc.) appropriate to an individual’s status, change of status, or termination.
  • Implement technical safeguards, including access controls (which may rely on encryption, context-based access, role-based access, or user-based access), audit control mechanisms that record and examine activity in systems containing ePHI, integrity controls (data authentication), and person or entity authentication.
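The following Python is an added illustration, not UMKC code and not an implementation prescribed by HIPAA or the Security Rule. It shows how the role-based, minimum-necessary access described above can be enforced in software, together with the audit trail the Security Rule calls for and the immediate loss of access on a status change: each role sees only the fields its policy allows, a treating provider acting for treatment purposes is exempt from the minimum-necessary filter, a deactivated account is refused, and every attempt (granted or denied) is recorded so that an accounting of accesses to a record can be produced. The sample record, role names, and field lists are constructed assumptions.

```python
"""Role-based, minimum-necessary access to PHI with an audit trail.

Added illustration only. The record, roles, and field policy below are
constructed assumptions, not real patient data or UMKC policy.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample record (fictional; not real patient data).
RECORDS = {
    "MRN-0001": {
        "name": "Pat Example", "dob": "1980-01-01", "address": "1 Main St",
        "diagnosis": "J45.20", "medications": ["albuterol"],
        "insurance_id": "INS-42", "billing_balance": 125.00,
    },
}

# Minimum-necessary policy (assumed): the fields each role may see outside
# the treatment exception. Researchers get a view without direct identifiers.
ROLE_FIELDS = {
    "treating_provider": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "insurance_id", "billing_balance"},
    "researcher": {"diagnosis", "medications"},
}


@dataclass
class User:
    user_id: str
    role: str
    active: bool = True


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user_id: str
    role: str
    record_id: str
    purpose: str
    outcome: str          # "granted", "denied", or "deactivated"
    fields: tuple = ()    # fields actually released, if any


class PHIStore:
    def __init__(self, records, role_fields):
        self._records = records
        self._role_fields = role_fields
        self.audit_log = []

    def _log(self, user, record_id, purpose, outcome, fields=()):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user.user_id, user.role,
            record_id, purpose, outcome, tuple(sorted(fields))))

    def get(self, user, record_id, purpose):
        """Return the subset of a record the user may see for this purpose."""
        # Status change: a deactivated account loses access immediately.
        if not user.active:
            self._log(user, record_id, purpose, "denied")
            raise PermissionError("account is inactive")
        allowed = self._role_fields.get(user.role)
        if allowed is None:
            self._log(user, record_id, purpose, "denied")
            raise PermissionError(f"no access policy for role {user.role!r}")
        record = self._records.get(record_id)
        if record is None:
            self._log(user, record_id, purpose, "denied")
            raise KeyError(record_id)
        # Treatment exception: minimum necessary does not apply to a treating
        # provider sharing PHI for treatment, so the full record is released.
        if user.role == "treating_provider" and purpose == "treatment":
            view = dict(record)
        else:
            view = {k: v for k, v in record.items() if k in allowed}
        self._log(user, record_id, purpose, "granted", view.keys())
        return view

    def deactivate(self, user):
        """Terminate a user's access (e.g. on separation from the workforce)."""
        user.active = False
        self._log(user, "-", "status_change", "deactivated")

    def accounting(self, record_id):
        """Audit events for one record: who accessed it, why, and what they saw."""
        return [e for e in self.audit_log if e.record_id == record_id]


if __name__ == "__main__":
    store = PHIStore(RECORDS, ROLE_FIELDS)
    print(store.get(User("dr1", "treating_provider"), "MRN-0001", "treatment"))
    print(store.get(User("res1", "researcher"), "MRN-0001", "research"))
    for event in store.accounting("MRN-0001"):
        print(event)
```

Each call to `get` produces exactly one audit event, and the event records the fields released rather than their values, so the log itself does not become a second copy of the PHI. A real deployment would also require authentication of the caller before any role is trusted and would write the log to append-only storage.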