HIPAA and HITECH
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed in 1996 affecting the health care and insurance industries. As the name suggests, the legislation has several goals.
One of the objectives of HIPAA (referred to as Administrative Simplification) is to improve the efficiency of the health care system through the increased use of electronic information systems. The law allows the Department of Health and Human Services (DHHS) to develop regulations setting universal standards for electronic transactions between health care providers and insurance companies.
Another key goal of HIPAA is to protect the privacy and confidentiality of protected health information by setting and enforcing standards around the use of such information. DHHS requirements are incorporated into UW-Madison’s policies concerning the privacy, confidentiality, and security of protected health information.
The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted as part of the American Recovery and Reinvestment Act of 2009, went into effect as an Interim Final Rule on August 24, 2009, and was issued as a Final Rule on January 25, 2013 — to promote the adoption and meaningful use of health information technology. HITECH addresses privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of HIPAA.
Covered Entity is the term that the HIPAA regulations use to describe each of the businesses and health care providers subject to HIPAA. Specifically, covered entities are health plans, health care clearinghouses and health care providers (both institutions and individual providers) who transmit any health information in electronic form to carry out certain financial or administrative activities related to health care — such as submitting health care claims or encounter information, making health care payments, and coordinating benefits.
A hybrid entity is an institution with both HIPAA-covered and non-covered functions or “components.” UW-Madison is a hybrid entity. The HIPAA-covered functions of the institution are referred to as the “health care component.” For example, the clinical departments within the School of Medicine and Public Health are part of the UW-Madison Health Care Component (UW HCC) while the School of Education and the School of Human Ecology are not.
Affiliated Covered Entities
When two or more separate legal entities with common ownership or control designate themselves as a single entity for purposes of HIPAA, this is called an “affiliated covered entity” or an “ACE.” UW-Madison’s Health Care Component (except University Health Services, the Athletic Department, and part of the Wisconsin State Laboratory of Hygiene), the University of Wisconsin Medical Foundation, Inc., and the University of Wisconsin Hospitals and Clinics Authority are an affiliated covered entity (UW ACE). This means that sharing of PHI among the parties of the UW ACE is a “use” and not a “disclosure.”
Protected Health Information (PHI)
PHI is the term HIPAA uses to describe the specific patient information that HIPAA protects. PHI is “individually identifiable health information” maintained or transmitted by a health care provider. PHI does not include individually identifiable health information in personnel records or education records covered by the Family Educational Right and Privacy Act (“FERPA“).
Individually Identifiable Health Information
Individually identifiable health information is a subset of health information, including demographic information, collected from an individual and: (1) is created or received by a health care provider; (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (3) either identifies the individual or can reasonably be used to identify the individual.
Protecting Patient Privacy
In short, unless an exception is met under HIPAA, a health care provider may not use or disclose PHI without the authorization of the patient or the patient’s legally authorized representative. No authorization is required for health care providers to use or disclose PHI for treatment, payment or health care operations (e.g. quality review, reviewing qualifications of health care providers, training students, conducting legal review, and managing and operating the health care entity). Except for treatment, health care providers must use the minimum necessary amount of PHI.
HIPAA allows for the exchange of PHI for purposes of treatment, payment, and health care operations. The HIPAA Privacy Rule is intended to protect patients’ health information, but not to impede or interfere with patient care or safety.
Treatment is the “provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party.” This includes:
- Consulting with the patient’s other healthcare providers
- Providing PHI when referring or transferring a patient to a laboratory, nursing home, or outside provider or hospital
- Sharing patient information with other workforce members involved in the patient’s care with a need to know the PHI
- Discussing the patient’s condition or treatment regimen in the patient’s room with other health care providers or trainees (e.g. other faculty physicians, residents, medical students, or nurses)
Payment encompasses all activities to obtain payment or be reimbursed for services provided or the provision of health care. This includes:
- Determining eligibility, reviewing services, and adjudicating claims
- All billing and collection activities, including those of another provider or covered entity for its treatment of the patient
- Utilization review
Health Care Operations are “certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.” They include:
- Case management, care coordination
- Quality assessments
- Accreditation, certification, licensing, and credentialing
- Legal, audit, privacy, compliance
- Business planning and development
- Administrative activities, including customer service, employee relations activities, transfer of assets, fundraising
- Education and training programs
- Abuse and neglect investigations
If the sharing is not for the purposes of treatment, payment or health care operations, then you may not share PHI unless you have authorization from the patient or there another legal basis which permits the sharing. If you are unsure whether another legal basis applies, do not share the PHI without contacting the UW-Madison Privacy Officer (contact information on the right side of this page) or the UW-Madison Office of Legal Affairs Health Law Team (608-263-7400).
Even if use or disclosure of PHI is permitted under the Privacy Rule, care must be taken to:
- Eliminate all of the personal identifiers which are not essential to the purpose for which the PHI is being used or disclosed.
- Use or disclose only the minimum necessary amount of PHI necessary to satisfy the purpose of the use or disclosure.
Minimum Necessary Standard
When using or disclosing PHI, or requesting PHI from another covered entity, a health care provider must make reasonable efforts to limit the PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure. The minimum necessary standard does not apply to uses and disclosures for treatment, to the patient, subject to an authorization, as required by law, or to comply with the provisions of HIPAA.
De-identified Data Set
De-identified means that the health information or data set does not identify an individual and that there is no reasonable basis to believe that the information in the data set can be used to identify an individual. Under HIPAA, health information is considered “de-identified” if 18 criteria are removed from the data set. These criteria include direct identifiers, such as name and address, but also include other indirect identifiers, such as dates directly related to the individual (e.g. date of birth, admission date, discharge date) and zip code. For more information, see UW-Madison’s policy on de-identification.
Use and Disclosure of De-identified Data
If health information or a data set is “de-identified” as that term is defined in HIPAA, then it can be used or disclosed without patient authorization and without meeting an exception to the requirement for authorization under HIPAA.
Please consult with the UW-Madison HIPAA Privacy or Security Officer for assistance in de-identifying PHI.
Limited Data Set
A Limited Data Set can contain dates related to the individual (birth date, death date, etc.) and dates of services as well as geographic information at the level of town or city, state and 5-digit zip code. A LDS is PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
- Postal address information (other than town or city, state, and 5-digit zip code)
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
Use of Limited Data Sets
A covered entity may use or disclose a LDS from its records containing PHI for research, public health, or health care operations, without patient authorization or (in the case of research) a waiver of authorization. To do so, the covered entity must execute a Data Use Agreement (DUA) that binds the LDS recipient to use or disclose the LDS only for limited, specified purposes. The DUA must establish who is permitted to use or receive the LDS and must also require recipients to use appropriate safeguards to protect the LDS from unauthorized disclosure and not attempt to identify or contact the individuals whose PHI is contained in the LDS.
Use and Disclosure
With respect to individually identifiable health information, use means the sharing, utilization, examination, or analysis of such information within the covered entity that maintains such information.
Disclosure is the release, transfer, access to, or divulging in any manner of information outside of the covered entity holding the information. In some cases, a covered entity must keep a log which accounts for disclosures of an individual’s PHI and must provide that log to the individual upon request. Uses of PHI within the covered entity do not require such accounting.
Use of PHI Internally or Disclosure PHI Externally
When PHI is shared within the UW Affiliated Covered Entity (ACE), it is being “used.” When PHI is shared outside of the ACE (e.g. with someone outside of the UW-Madison Health Care Component, the UW Hospital and Clinics or the UW Medical Foundation) it is being “disclosed.”
The Privacy Rule allows the use or disclosure of PHI:
- For treatment (including treatment in the course of research)
- For payment
- For health care operations (including education programs)
- With authorization by the individual
- When compelled by law
In addition, all research is subject to special requirements under the Privacy Rule which govern the handling of PHI. Please see HIPAA Researchers for more information.
Speaking with an Attorney
You may not speak with an attorney without a signed authorization from the patient — even if that attorney represents the patient. Please review the information available here about subpoenas and requests from attorneys, and contact the UW-Madison Office of Legal Affairs Health Law Team with any questions.
Speaking with a Police or other Law Enforcement Officer
If the officer is in the course of investigating child abuse and identifies the child by name, the officer is entitled to records or other information from a health care facility upon request. If the officer asks for a patient by name, health care providers may confirm the presence of a patient in the health care facility, except when the patient is there for substance abuse treatment. In most other cases, officers must have patient authorization or a court order to access records or other information about patients. Contact the UW-Madison Office of Legal Affairs Health Law Team for more information (608-263-7400).
Providing Information to an Insurance Company
Both HIPAA and Wisconsin law authorize, in response to a written request, the disclosure of any information (may be oral) or written material “reasonably related” to the injury which your patient claims was the result of a work-related accident. Such disclosure may be made to the employee, employer, worker’s compensation insurer, or the Wisconsin Department of Workforce Development or its representative. Please review the information available here about worker’s compensation matters, and contact the UW-Madison Office of Legal Affairs Health Law Team with any questions.
Take care to protect PHI from accidental disclosure:
- Use a fax cover sheet when faxing PHI, double check the fax number to be sure it is correct, and be sure the intended recipient is available to pick up the fax when delivered.
- Keep all paper files containing PHI locked in file cabinets.
- If you print copies of documents with PHI, remove them immediately from any shared printer.
- Password-protect all portable devices that contain PHI, and password-protect all documents on such portable devices. DO NOT share passwords.
- Eliminate all names and other identifiers when creating presentations which include health information.
- Don’t refer to patient or research subject names and other identifiers in conversations with colleagues in public areas.
- Place computer screens so they are not readily visible by people passing by.
- Remember to erase the hard drives on all machines that scan and copy documents (e.g. fax machines, copiers, and scanners) before returning them to a vendor or sending them to SWAP.
Accounting for Disclosures
Individuals have certain rights with respect to their PHI, including the right to receive an accounting of all disclosures made to people or groups outside of the covered entity for purposes other than for treatment, payment, health care operations or with authorization by the individual. This means that individuals within the UW HCC must maintain records of disclosures they make outside the UW HCC (or outside of the UW ACE) for all other purposes (including for disclosures required by law) and make these records available to individuals when requested.
Electronic HIPAA Breaches
Unintended HIPAA breaches frequently occur through the loss or theft of portable electronic devices (smartphones, laptops, portable hard drives) with unencrypted PHI, through phishing and other cybersecurity attacks, and through human errors involving misdirected PHI.
Using Box to store PHI
At present, only “Secured” Box folders may be used to store data or other information containing PHI; these folders are configured by HIPAA Security Coordinators to have more security than standard Box folders otherwise available through UW-Madison. Contact your HIPAA Privacy or Security Coordinator with questions about storing PHI in a Secured Box Folder.
Phishing is the attempt to acquire login credentials such as usernames and passwords by masquerading as a trustworthy entity in an electronic communication, usually email. Phishing relies upon social engineering to complete its goal. Phishing attempts regularly occur at UW-Madison and can result in a breach of PHI. If you receive an email that you suspect is a phishing attempt, do not open it. If you open an email that you suspect is a phishing attempt, do not click on any links. The UW Office of Cybersecurity encourages you to learn how to recognize and report phishing attempts!
When necessary, emails containing PHI should only be sent inside of UW Health or inside UW-Madison’s Health Care Component (i.e., among email addresses ending in uwhealth.org or wisc.edu only). Any other emails sent containing PHI must be encrypted absent patient/subject consent.
- Never send PHI using external email accounts (e.g. Gmail, Yahoo, Hotmail).
- You are prohibited from auto-forwarding your wisc.edu or uwhealth.org emails to any other accounts.
- Verify email addresses of intended recipients and pay close attention to any frequent contacts’ email addresses (to be sure an email doesn’t pre-populate with the wrong recipient’s address).
- Be sure research-related use of email complies with the IRB’s email guidance.
- See HIPAA Policy 8.6 for more information.
Strong passwords are long (at least 8 characters) and contain a mixture of upper and lower case characters, numbers and special characters. See the UW-Madison password standard policy.
You are never allowed to share passwords. Please note that even your local IT staff should never request your password. If anyone asks you for your password, please report this to your supervisor and to UW IT security staff. If you feel that your password has been compromised in any way, please contact UW IT security staff.
Disposing of PHI
PHI that is no longer needed for its intended use should be confidentially destroyed. PHI in hard copy should be placed in locked, confidential disposal bins or shredded. For assistance in the destruction of electronic PHI, please contact the UW-Madison HIPAA Privacy or Security Officer. Just “deleting” electronic data does not destroy the data. Please note that PHI may be contained in copier memory and must be destroyed before disposing of a copier. Examine all equipment being sent to SWAP (or otherwise being disposed of) to make sure it does not contain any CDs or other mobile devices that may contain PHI. Please carefully examine all file cabinets being sent to SWAP (or otherwise disposed of) to make sure that no documents remain in the drawers (or are stuck behind drawers). See Policy #8.7 “Destruction/Disposal of Protected Health Information” for more detail.
Taking PHI When Leaving UW-Madison
In most cases, you will not be allowed to take the PHI that you obtained as an employee of UW-Madison with you when you leave UW-Madison. Please consult with the UW-Madison HIPAA Privacy Officer for advice regarding the possibility of taking de-identified data or limited data sets when you leave UW-Madison.
Technical Support at UW-Madison
Contact the HIPAA Security Officer or your unit’s HIPAA Security Coordinator with cybersecurity questions or for guidance on compliance with the Security Rule.
Storing and Encrypting PHI on a Portable Device
Only use USB drives that provide built-in encryption – many are available at the DoIT Tech Store. Standard mechanisms, such as bitlocker (PCs) and FileVault (Macs), can be used to encrypt laptops. Cell phones used to access or store PHI must be password protected and configured to allow a remote memory wipe. Any portable device that is to contain PHI must be registered with your IT department.
Consequences of HIPAA Violations
Possible Consequences to UW-Madison
UW-Madison, as a HIPAA covered entity, can be subject to significant civil monetary penalties, mandated corrective action plans, and monitoring by the federal government as a result of noncompliance with HIPAA. Breaches of PHI must be reported to the affected individual and to the federal government, and large breaches must also be reported to the local press.
Possible Consequences to Employees
Disciplinary action up to and including termination, depending on the nature of the violation, may be imposed for violations of HIPAA and for violations of the policies and procedures of UW-Madison regarding HIPAA and the privacy and security of PHI. Additionally, employees of covered entities may also be criminally liable for knowingly obtaining or disclosing PHI in violation of HIPAA. Fines can range up to $250,000 and imprisonment can be up to ten years for the most serious offenses (those which involve intent to personally gain from the violation or to maliciously harm the individual who is the subject of the PHI).
Suspect a Breach of Privacy?
Report the incident as soon as possible using the online HIPAA Incident Report Form, even if the person who discovered the incident was not involved in causing the incident. After you complete the HIPAA Incident Report Form, UW-Madison’s HIPAA Privacy Officer and HIPAA Security Officer will begin investigating the incident and develop an appropriate plan for follow-up in accordance with UW-Madison’s policy about the Reporting of HIPAA Incidents and Notifications in the Case of Breaches of Unsecured PHI.