Guidance
How Does HIPAA Apply to Yale?
HIPAA applies to covered entities: health care providers; health plans, defined
by HIPAA as individual or group plans that provide or pay for health care,
including employer plans; and health care clearinghouses. Within Yale, HIPAA
applies to:
- the School of Medicine (excluding the School of Public Health, the Animal Resources Center, and the basic science departments: Cell Biology, Cellular and Molecular Physiology, Comparative Medicine, History of Medicine, Immunobiology, Microbial Pathogenesis, Molecular Biophysics & Biochemistry, Neurobiology, and Pharmacology), Yale Medical Group, Yale School of Nursing, and the Department of Psychology
- Yale University Health Services
- the University’s group health plan
- other departments that may perform support functions for the health care components (e.g., the Provost’s Office or the Office of the Vice President and General Counsel).
If you are in doubt whether HIPAA applies to you, please contact hipaa@yale.edu.
PHI and ePHI
ePHI stands for Electronic Protected Health Information. It is any protected
health information (PHI) which is stored, accessed, transmitted or received electronically. Protected Health Information (PHI) under HIPAA means any information
that identifies an individual and relates to at least one of the following:
- The individual’s past, present or future physical or mental health.
- The provision of health care to the individual.
- The past, present or future payment for health care.
Information is deemed to identify an individual if it includes either the
individual’s name or any other information that could enable someone to determine
the individual’s identity.
Identifiers
Data are “individually identifiable” if they include any of the
18 types of identifiers, listed below, for an individual or for the individual’s
employer or family member, or if the provider or researcher is aware that the
information could be used, either alone or in combination with other information,
to identify an individual:
- Name
- Address (all geographic subdivisions smaller than state, including street
address, city, county, zip code)
- All elements (except years) of dates related to an individual (including
birth date, admission date, discharge date, date of death and exact age if
over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Any vehicle or other device serial number
- Device identifiers or serial numbers
- Web URL
- Internet Protocol (IP) address numbers
- Finger or voice prints
- Photographic images
- Any other characteristic that could uniquely identify the individual
Instead of removing the data, sometimes making the information more general
is sufficient for de-identification; for example, replacing a birth date with
an age range.
See also the HIPAA policy on de-identification.
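To make the de-identification rules above concrete, here is an added example (not Yale's own code or tooling) that strips the listed direct identifiers from a record, keeps only the year of any date, and replaces a birth date with an age range that collapses ages over 89 into a single band. The field names and the sample record are assumptions constructed for the example.

```python
from datetime import date

# Field names are assumptions for this constructed example; the page lists
# identifier categories, not a record schema.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "mrn", "beneficiary_id", "account_no", "license_no",
    "vehicle_serial", "device_serial", "url", "ip", "biometric", "photo",
}


def is_identifiable(record: dict) -> bool:
    """True if the record still carries any listed direct identifier."""
    return any(key in DIRECT_IDENTIFIERS for key in record)


def age_range(born: date, as_of: date, width: int = 10) -> str:
    """Generalize a birth date to a width-year age band; 90 and over is one band."""
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    if age >= 90:
        return "90+"
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def deidentify(record: dict, as_of: date) -> dict:
    """Drop direct identifiers, turn birth_date into an age range,
    and keep only the year of every other date (all other date elements removed)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "birth_date":
            out["age_range"] = age_range(value, as_of)
        elif isinstance(value, date):
            out[key] = value.year
        else:
            out[key] = value
    return out


# Constructed sample record with fictitious values.
AS_OF = date(2024, 1, 1)
SAMPLE_RECORD = {
    "name": "Example Patient",
    "mrn": "MRN-000000",
    "zip": "00000",
    "birth_date": date(1931, 5, 2),
    "admission_date": date(2023, 3, 14),
    "diagnosis": "example diagnosis",
}
```

Generalization only satisfies the rule when the remaining fields cannot be combined with other data to single out the individual, which is a judgment the code cannot make for you.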
The “e” in ePHI
ePHI includes any medium used to store, access, transmit or receive PHI electronically.
Examples include:
- Personal Computers with their internal hard drives used at work, home,
or traveling
- External portable hard drives, including iPods
- Magnetic tape or disks
- Removable storage devices such as USB memory sticks/keys, CDs, DVDs, and
floppy diskettes
- PDAs and smartphones
- Electronic transmission, including data exchange (e.g., email or file transfer)
via wireless, ethernet, modem, DSL or cable network connections.
As technology progresses, any new devices for accessing, transmitting, or
receiving ePHI electronically will be covered by the HIPAA Security Rule.
What standards does HIPAA impose?
HIPAA imposes the following standards on covered entities for the purpose
of standardizing and protecting the use, disclosure and exchange of health
information:
- Privacy standards, developed by the Department of Health and Human Services,
that address the use and disclosure of health information, patient consent
and authorization for the use of information, patient rights to review their
health information, request edits and demand an accounting of disclosures
of health information.
- Security standards for health information including administrative, technical
and physical safeguards to ensure the integrity and confidentiality of health
information and to protect against security breaches and unauthorized use
or disclosure of health information.
- Standards for the transfer of information among health plans needed, for
example, for the coordination of benefits and sequential processing of claims.
- Standards to enable electronic interchange. HIPAA calls for the adoption
of standards for certain transactions and data elements, such as health claim
status, eligibility for a health plan, and health plan enrollment/disenrollment.
- Standards for code sets for the data elements for the transactions covered
above.
- Standards for unique health identifiers for individuals, employers, health
plans and health care providers.
- Standards for electronic signatures.
- Requirements related to notifying patients and DHHS in the event of a breach of PHI.