HIPAA

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was designed to improve the efficiency and effectiveness of the healthcare system. In response to the original HIPAA law, Health and Human Services (HHS) published an additional regulation referred to as the Privacy Rule that relates directly to organizations involved in healthcare operations that transmit health information electronically. Typical organizations covered by HIPAA include:

  • Health plans;
  • Health care clearinghouses; AND
  • Health care providers who conduct certain financial and administrative transactions electronically, such as billing and fund transfers.

Penn State University is considered a hybrid entity under HIPAA as a covered organization whose activities include both covered and non-covered functions. As such, there are several units, known as covered components, that are required to meet specific standards of privacy practice under the Act. For more information on who is a covered component and their responsibilities under HIPAA, please see AD22 - Health Insurance Portability and Accountability Act (HIPAA).

The Privacy Rule

The Privacy Rule establishes Federal protections for the privacy of protected health information (PHI), which is defined as individually identifiable health information transmitted or maintained in any form or medium including paper records. Explicitly, PHI:

  • Relates to the past, present or future physical or mental health condition.
  • Relates to the provision of health care or the past, present, or future payment for the provision of health care.
  • Identifies the individual or could reasonably be used to identify the individual; AND
  • Has been transmitted or maintained in any form or medium (electronic, paper, oral).

Forms

Investigators who utilize PHI in their research may need to complete one or more of the following forms:


For additional information about obtaining protected health information, please see our Accessing PHI for Research page.