Patient/Health Information

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA), which became law in 1996, was intended to improve health insurance information portability and to simplify the administration of health care information.  The Administrative Simplification provisions of HIPAA dictated that national standards for electronic health care transactions and code sets; and national identifiers for providers, health plans, and employers were established which were intended to ensure security and privacy of health information.  This resulted in the improvement of the efficiency and effectiveness of the health care system through the establishment of standards for electronic data interchange. 

Under HIPAA, “covered entities” were required by law to be HIPAA compliant.  A covered entity is a health plan, a health care clearinghouse, or a health care provider who electronically transmitted any of the “defined” HIPAA transactions.  The University of Missouri had several areas which fell under the HIPAA definition of a covered entity and as such, we were required by law to be compliant.

HITECH Act 

The U.S. Department of Health and Human Services (HHS) issued regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached. These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).[1]

Navigation Menu

• Resources, Policies and Related Links
• Things to Remember
• Notice of Privacy Practices

Resources, Policies and Related Links

U.S. Department of Health and Human Services, Health Information privacy site:

• http://www.hhs.gov/ocr/privacy/

U.S. Department of Health and Human Services information for Covered Entities, Summary of the Privacy and Security Rules:

• http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html

Final HIPAA Privacy Rule:

• http://www.hhs.gov/hipaa/for-professionals/privacy/index.html

HIPAA Security Standards Final Rule:

• http://www.hhs.gov/hipaa/for-professionals/security/index.html

Health Information Technology for Economic and Clinical Health (HITECH) Act: (Breach Notification for Unsecured PHI -  Interim Final Rule – August 2009):

• http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf

Breach Notification Rule:

• http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

Covered Components of the University of Missouri:

• Amended Designation of the Covered Components of the Curators of the University of Missouri

Things to Remember

The HIPAA Privacy Rule sets standards for how protected health information should be controlled by setting forth what uses and disclosures are authorized or required and what rights patients have with respect to their health information. 

The HIPAA Security Rule sets forth administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information (ephi).  The standards require covered entities to implement basic safeguards to protect ephi from unauthorized access, alteration, deletion, and transmission.

The Security Rule applies only to protected health information in electronic form.  The Privacy Rule applies to protected health information in any form, if it has once been transmitted electronically.

The Security Rule contains standards that must be adopted by a covered entity.  The Security Rule also contains “implementation specifications” that are designated as “required” or “addressable”. “Required” implementation specifications mean that a covered entity must implement that specification.

  “Addressable” means that a covered entity must assess whether the implementation specification is a reasonable and appropriate safeguard in its environment, and must implement the specification if so; if implementing the specification is not reasonable and appropriate, the covered entity must document why it would not be reasonable and appropriate to implement that specifications and must implement an equivalent alternative measure if reasonable and appropriate

Covered entities are required to do the following in general:

1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains or transmits;
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
3.  Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Regulations; and
4.  Ensure compliance with the security regulations by its workforce.

Notice of Privacy Practices

The University of Missouri Medical and Dental Benefit Plans Notice of Privacy Practices

For legal assistance, please contact the Office of the General Counsel at https://umsystem.edu/ums/gc/

[1] U.S. Department of Health and Human Services