HIPAA Privacy Rule

Definitions

Protected health information (PHI) is health information that:

  1. is transmitted or maintained in any form (electronic, oral, paper) by a covered entity; and
  2. identifies the individual or could reasonably be used to identify the individual; and
  3. relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.

Covered entity is a:

  1. health plan;
  2. health care clearinghouse (billing service); or
  3. health care provider that transmits health information electronically.

Key points:

  • The Privacy Rule applies only to individually identifiable health information that is maintained by a covered entity.
  • If the health information is individually identifiable and if it is held by a covered entity, it is likely to be "protected health information."
  • The University of Iowa is considered a "hybrid entity" because it is a single legal component with both covered (e.g., UI Health Care, student health, College of Dentistry) and non-covered functions.

HIPAA Links

University of Iowa:

University of Iowa HIPAA web site

Introduction to HIPAA in Research at Iowa - slides that describe HIPAA at the UI

UI Researchers' Frequently Asked Questions - FAQ

UIHC HIPAA web site

Sample Letter for Non-UI Covered Entities who provide UI Researchers access to PHI without patient authorization

Federal:

HIPAA Privacy Rule federal web site - Office of Civil Rights

Privacy Rule Summary

NIH Information for Researchers on the HIPAA Privacy Rule

AAMC Project to Monitor the Effects of HIPAA on Research