Health Insurance Portability and Accountability Act (HIPAA)

Overview

The Health Insurance Portability and Accountability Act (HIPAA) requires the protection and confidential handling of protected health information (PHI), which includes electronic protected health information (EPHI). 

Key Terms
  • Business Associate - a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a Covered Component. A member of the Covered Component's workforce is not a Business Associate. 
  • Covered Component - an area within a Hybrid Entity that is a health care provider, health plan, or health care clearinghouse that transmits health information in an electronic form in connection with a covered transaction. The University has identified four Covered Components:
    • Office of Human Resources - Administration of Group Health Plan
    • Student Health Services and Pharmacy - Oakland Campus
    • The School of Dental Medicine
    • University Dental Health Services
  • Protected Health Information (PHI) - individually identifiable health information that is collected from an individual, or created or received by a health care provider, health plan, health care clearinghouse, or other employee of one of the Covered Components of the university. PHI relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.
    • Electronic Protected Health Information (EPHI) - individually identifiable health information transmitted by electronic media or maintained in an electronic media. EPHI does not include education records or treatment records covered by FERPA, or employment records held by the university in its role as an employer. 
  • Hybrid Entity - An organization that performs both HIPAA-covered and non-HIPAA-covered functions as part of its business.

Regulation Requirements

The Privacy Rule

  • establishes a set of national standards for the protection of certain health information
  • addresses the use and disclosure of individuals' health information (PHI) by Covered Entities
  • establishes standards for individuals' privacy rights to understand and control how their health information is used 

The Security Rule

  • establishes a set of national security standards for protecting certain health information that is held or transferred in electronic form
  • addresses the technical and non-technical safeguards that Covered Entities must put in place to secure individuals' EPHI

Pitt Practices

More information on Pitt's HIPAA practices can be found in University Policy CS 30 Health Insurance Portability and Accountability Act (HIPAA), and within the University's HIPAA Compliance Program.