Welcome to your HIPAA compliance training course at ProHIPAA. This course is for anyone who needs a greater understanding of the importance of safeguarding Protected Health Information (PHI) and the ways in which you can do that, whether you're a trusted medical professional or a business associate who supports a medical professional or healthcare organization.

In this course, you'll learn:

  • Why cybercriminals want protected health information
  • All the HIPAA/HITECH requirements
  • The current state of HIPAA compliance

This course also includes sections on:

  • Why PHI is valuable
  • Recent data breaches
  • Current industry fines
  • The importance of encrypted email
  • Your responsibilities under the HIPAA law

Keep these in mind as you proceed through this course, as well as a few important course objectives:

  • The importance of government regulations
  • The current state of HIPAA/HITECH and your obligations under the law
  • How you can better protect and properly handle all PHI and ePHI

Thanks for choosing ProHIPAA. Let's begin!

A Word About PHI (Protected Health Information)

Since safeguarding PHI is the entire reason for HIPAA's existence, let's take a closer look at what constitutes Protected Health Information.

PHI is health information that can identify the individual to whom it belongs. HIPAA's Privacy Rule was established to protect PHI while it is in the care of either covered entities or business associates, whether the covered entity or business associate is sending, receiving, or storing that information.

Covered Entities and PHI

A covered entity is:

  • A healthcare provider that conducts administrative and financial transactions in electronic form.
  • A healthcare clearinghouse.
  • A health plan.

The most common examples of a covered entity are your doctor's office and your dentist's office.

Business Associates and PHI

HHS.gov defines a business associate as, “A person or entity (other than a member of the covered entity's workforce) that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of protected health information.”

A common example of a business associate would be a third-party billing service that handles payment transactions on behalf of your doctor's or dentist's office.

What Information is Considered PHI?

The two key elements to whether or not a piece of information can be considered PHI are:

  • The H stands for Health, so the information in question must be healthcare-related.
  • The information also must be identifiable. If the information in question cannot be used to identify the person it belongs to, then it isn't considered PHI.

Common pieces of identifiable information are names, addresses, dates of birth, and social security numbers: everything an identity thief needs.

There are actually 18 HIPAA identifiers, which will be listed at the end of this section.

Protected Health Information can include:

  • Demographic info
  • Medical records, lab reports, etc.
  • Services and procedures
  • Payment and billing info

PHI can be found in three forms:

  • Electronic form
  • On paper
  • Delivered orally/spoken

HIPAA Identifiers

Remember that for information to be considered PHI, it must be identifiable. Here are the 18 identifiers as outlined in the Privacy Rule.

  • Names (Full or last name and initial).
  • All geographical identifiers smaller than a state. The initial three digits of a zip code may be retained if, according to the current publicly available data from the U.S. Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; for such geographic units containing 20,000 or fewer people, the initial three digits are changed to 000.
  • Dates (other than year) directly related to an individual.
  • Phone numbers.
  • Fax numbers.
  • Email addresses.
  • Social security numbers.
  • Medical record numbers.
  • Health insurance beneficiary numbers.
  • Account numbers.
  • Certificate and license numbers.
  • Vehicle identifiers (including serial numbers and license plate numbers).
  • Device identifiers and serial numbers.
  • Web Uniform Resource Locators (URLs).
  • Internet Protocol (IP) address numbers.
  • Biometric identifiers, including finger, retinal, and voice prints.
  • Full face photographic images and any comparable identifying images.
  • Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data.
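The identifier list above, and especially the zip code rule, maps directly onto a de-identification routine. The following is an added example, not code from ProHIPAA or from the course: it strips the listed direct identifiers from a record, keeps only the year of dates, and applies the 20,000-person threshold to the first three zip digits. The field names and the 3-digit zip population table are constructed assumptions, not real Census figures.

```python
# Added example (not part of the ProHIPAA course): a Privacy Rule style
# de-identification pass over one patient record. ZIP3_POPULATION is
# CONSTRUCTED sample data, not real U.S. Census figures.
from datetime import date

# Constructed sample: people living in the area covered by each 3-digit zip prefix.
ZIP3_POPULATION = {"021": 250_000, "036": 12_000}

# Record fields (assumed names) holding identifiers that must be removed outright:
# names, sub-state geography, phone/fax, email, SSN, MRN, beneficiary and account
# numbers, licenses, vehicle and device identifiers, URLs, IPs, biometrics, photos.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Assumed names of date fields "directly related to an individual".
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}


def generalize_zip(zip_code, populations=ZIP3_POPULATION):
    """Keep the first three digits only if that prefix area has more than
    20,000 people; otherwise replace them with '000'. A prefix missing from
    the table is treated as small, which is the conservative choice."""
    prefix = str(zip_code).strip()[:3]
    return prefix if populations.get(prefix, 0) > 20_000 else "000"


def generalize_date(value):
    """Dates other than the year are not permitted, so keep only the year."""
    return value.year if isinstance(value, date) else None


def deidentify(record):
    """Return a copy of `record` with the 18 identifier categories handled."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                       # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key + "_year"] = generalize_date(value)
        else:
            out[key] = value               # clinical data stays
    return out


# Constructed sample record for a stand-alone run.
SAMPLE = {"name": "Jane Doe", "dob": date(1980, 5, 17), "zip": "02139",
          "ssn": "000-00-0000", "email": "jane@example.com",
          "diagnosis": "hypertension"}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

A real deployment would source the prefix populations from the current Census data the rule references and add the remaining Safe Harbor conditions not covered in this section.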