Penn Purchasing Services
University of Pennsylvania

HIPAA Compliance

HIPAA is a federal law that, among other things, focuses on protecting the privacy of personal health information ("protected health information" or "PHI"). This law affords certain rights to individuals regarding their PHI and imposes obligations upon many institutions that maintain such PHI.

Protected Health Information is information:

  • Sent or stored in any form
  • That identifies the patient, or can be used to identify the patient
  • That is created or received by a covered entity
  • That generally is about a patient's past, present, and/or future treatment and payment of services

At Penn, the following entities are responsible for compliance with HIPAA privacy regulations: the University of Pennsylvania Health System ("UPHS"), the School of Medicine ("SOM"), the School of Dental Medicine ("SODM"), the Living Independently for Elders ("LIFE") program, and the HR Benefits program, as well as workforce members of other Penn offices that access PHI while offering support to these entities. Members of the workforce of the above entities must receive HIPAA training from their entity. The following serve as basic reminders of key HIPAA privacy principles:

  • You may receive, use, and disclose PHI for purposes of treatment, payment, and healthcare operations. If you are using or disclosing PHI for purposes other than treatment, payment, or healthcare operations, please consult as necessary with the relevant Privacy Officer to determine whether and under what conditions such use or disclosure is permissible and if HIPAA accounting rules apply.
  • You must adopt reasonable measures to protect PHI from unauthorized access, use, or disclosure. In considering what is reasonable, you should consider the extent to which paper records are kept in locked files or rooms; whether destruction of paper records is effective (shredding is recommended); the extent to which electronic records are accessible to unauthorized individuals; and other factors that may influence risk of unauthorized access.
  • You should limit the amount of information you receive, use, and disclose to what is reasonably necessary for you to do your job. Take an extra few minutes to consider whether you can reduce the amount of health information involved.
  • You should evaluate your agreements with vendors - especially those with access to our PHI or who create PHI on our behalf - and determine whether HIPAA business associate language is required for those contracts. If you have any questions on whether such language is required, or to obtain a copy of the required language, consult the relevant Privacy Officer.

HIPAA requires the University of Pennsylvania to sign confidentiality agreements with all Business Associates. A Business Associate is someone who does not work for the University of Pennsylvania and needs access to our patients' protected health information (PHI).

In order for the University to share PHI with a Business Associate, a Business Associate Agreement must be signed by both parties. Some examples of when a Business Associate Agreement may or may not be required are listed below.

Scenario: whether a Business Associate Agreement with the supplier is required

  • Technical vendors who have access to computer systems or databases containing PHI: Required
  • Accreditation organizations: Required
  • Temporary agencies that place personnel in areas where they may have access to PHI: Required
  • Record storage facilities: Required
  • Lawyers, accountants, consultants (non-university employees): Required
  • A non-covered entity with access to PHI (e.g., an orthotics manufacturer): Not required if the entity is also a health care provider
  • Vendors who only have incidental access, who usually are not considered Business Associates (e.g., copy repair technicians): Not required

If you have any questions, or believe that a violation has occurred, please contact the relevant Privacy Office as soon as possible.