HIPAA FAQ
Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA) | Yale University


How Does HIPAA Apply to Yale?

HIPAA applies to covered entities: health care providers; health plans, defined by HIPAA as individual or group plans that provide or pay for health care, including employer plans; and health care clearinghouses. Within Yale, HIPAA applies to:

  • the School of Medicine (excluding the School of Public Health, the Animal Resources Center, and the basic science departments: Cell Biology, Cellular and Molecular Physiology, Comparative Medicine, History of Medicine, Immunobiology, Microbial Pathogenesis, Molecular Biophysics & Biochemistry, Neurobiology, and Pharmacology), Yale Medical Group, Yale School of Nursing, and the Department of Psychology
  • Yale University Health Services
  • the University’s group health plan
  • other departments that may perform support functions for the health care components (e.g., the Provost’s Office or the Office of the Vice President and General Counsel).

If you are in doubt whether HIPAA applies to you, please contact hipaa@yale.edu.

PHI and ePHI

ePHI stands for Electronic Protected Health Information: any protected health information (PHI) that is stored, accessed, transmitted or received electronically. Protected Health Information (PHI) under HIPAA means any information that identifies an individual and relates to at least one of the following:

  • The individual’s past, present or future physical or mental health.
  • The provision of health care to the individual.
  • The past, present or future payment for health care.

Information is deemed to identify an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity.

Identifiers

Data are “individually identifiable” if they include any of the 18 types of identifiers, listed below, for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual:

  • Name
  • Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age if over 89)
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voice prints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

Instead of removing the data, making the information more general is sometimes sufficient for de-identification; for example, replacing a birth date with an age range.

See also the HIPAA policy on de-identification.
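As an added illustration (not Yale's code or policy), the following Python routine applies the rules stated above to a constructed record: the listed direct identifiers are dropped, other dates keep only the year, and the birth date is generalized to an age range with exact ages over 89 collapsed into one bucket. The column names, the reference date and the sample values are assumptions.

```python
from datetime import date

# Hypothetical column names that map onto the identifier types listed above.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "mrn", "beneficiary_id", "account", "license", "vehicle_serial",
    "device_serial", "url", "ip", "biometric", "photo",
}

# Constructed sample record and reference date; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "birth_date": date(1931, 6, 15),
    "zip": "06510",
    "state": "CT",
    "admission_date": date(2023, 3, 2),
    "diagnosis_code": "E11.9",
}
AS_OF = date(2024, 1, 1)


def age_band(birth_date: date, as_of: date, width: int = 10) -> str:
    """Generalize a birth date to an age range instead of deleting it.
    An exact age over 89 is itself an identifier, so ages 90 and up
    collapse into a single "90+" bucket."""
    age = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        age -= 1  # birthday not yet reached in the reference year
    if age >= 90:
        return "90+"
    low = age - age % width
    return f"{low}-{low + width - 1}"


def deidentify(record: dict, as_of: date) -> dict:
    """Drop direct identifiers, reduce remaining dates to the year, and turn
    birth_date into an age range. The final catch-all item on the list
    ("any other characteristic ...") requires human review; this function
    cannot decide it."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # removed outright; "state" is kept (not smaller than state)
        if key == "birth_date":
            out["age_range"] = age_band(value, as_of)
        elif isinstance(value, date):
            out[key] = str(value.year)  # keep only the year element
        else:
            out[key] = value
    return out
```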

The “e” in ePHI

ePHI includes any medium used to store, access, transmit or receive PHI electronically.

Examples include:

  • Personal computers with their internal hard drives, used at work, at home, or while traveling
  • External portable hard drives, including iPods
  • Magnetic tape or disks
  • Removable storage devices such as USB memory sticks/keys, CDs, DVDs, and floppy diskettes
  • PDAs and smartphones
  • Electronic transmission, including data exchange (e.g., email or file transfer) via wireless, ethernet, modem, DSL or cable network connections

As technology progresses, any new devices for accessing, transmitting, or receiving PHI electronically will be covered by the HIPAA Security Rule.

What standards does HIPAA impose?

HIPAA imposes the following standards on covered entities for the purpose of standardizing and protecting the use, disclosure and exchange of health information:

  1. Privacy standards, developed by the Department of Health and Human Services, that address the use and disclosure of health information, patient consent and authorization for the use of information, patient rights to review their health information, request edits and demand an accounting of disclosures of health information.
  2. Security standards for health information including administrative, technical and physical safeguards to ensure the integrity and confidentiality of health information and to protect against security breaches and unauthorized use or disclosure of health information.
  3. Standards for the transfer of information among health plans, needed, for example, for the coordination of benefits or the sequential processing of claims.
  4. Standards to enable electronic interchange. HIPAA calls for the adoption of standards for certain transactions and data elements, such as health claim status, eligibility for a health plan, health plan enrollment/disenrollment.
  5. Standards for code sets for the data elements for the transactions covered above.
  6. Standards for unique health identifiers for individuals, employers, health plans and health care providers.
  7. Standards for electronic signatures.
  8. Requirements related to notifying patients and DHHS in the event of a breach of PHI.