

The HIPAA Toolkit

July 31, 2019

HIPAA basics

What is HIPAA?

HIPAA is the "Health Insurance Portability and Accountability Act." The "accountability" portion of HIPAA consists of three rules - the Privacy Rule, the Security Rule, and the Breach Notification Rule - which:

  • Give individuals important rights with respect to their protected health information ("PHI");
  • Set national standards for when covered entities and their business associates may use and disclose PHI;
  • Specify safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and availability of electronic protected health information ("ePHI"); and
  • Require covered entities to notify affected individuals whenever unsecured PHI has been breached.

Protected health information is “individually identifiable health information” held or transmitted by a covered entity or its business associate(s). “Individually identifiable health information” is information, including demographic information, that:

  • Relates to the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual; and
  • Identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.

Individually identifiable health information protected by the HIPAA Privacy Rule includes many common identifiers like one’s name, address, birth date, or Social Security Number. Other common PHI identifiers include:

  • All geographic subdivisions smaller than a state, including street address, city, county, precinct, or zip code
    • The first three digits of a zip code do not constitute an identifier and may be included in de-identified information if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  • Telephone and fax numbers
  • Email addresses
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certification/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Names of relatives
  • URLs and IP addresses
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code

If health information does not include any identifiers AND there is no reasonable basis to believe that the remaining information could be used to identify a person, then it has been “de-identified.” De-identified health information is not considered PHI, and the Privacy Rule does not restrict its use and disclosure.
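One way to implement the de-identification rules described above, as an added example that is not part of the original toolkit: it drops the listed direct identifiers, keeps only the year of any date, and applies the three-digit zip code rule. The SMALL_ZIP3 set, the field names and the sample record are constructed placeholders; the real list of small-population zip3 areas must come from current Census data.

```python
import re
from datetime import date

# Constructed placeholder for illustration: three-digit zip prefixes whose
# combined population is 20,000 or fewer. The real set must come from the
# current publicly available Bureau of the Census data.
SMALL_ZIP3 = {"036", "059", "102", "203"}

# Fields carrying the direct identifiers listed above; these field names are
# assumed for this example, not prescribed by the rule.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn", "account_number",
    "beneficiary_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "relatives", "biometric", "photo",
}

def deidentify_zip(zip_code: str) -> str:
    """Keep the first three digits, or 000 if that area has <= 20,000 people."""
    prefix = zip_code.strip()[:3]
    if not re.fullmatch(r"\d{3}", prefix):
        return "000"  # malformed input: fail closed rather than leak it
    return "000" if prefix in SMALL_ZIP3 else prefix

def deidentify_date(d: date) -> str:
    """Strip every date element except the year."""
    return str(d.year)

def deidentify_record(record: dict) -> dict:
    """Copy a record, dropping direct identifiers and generalizing zip/dates."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "zip":
            out[key] = deidentify_zip(str(value))
        elif isinstance(value, date):
            out[key] = deidentify_date(value)
        else:
            out[key] = value
    return out

# Constructed sample record for demonstration; not real patient data.
SAMPLE_RECORD = {
    "name": "Example Patient", "ssn": "000-00-0000", "zip": "03601",
    "birth_date": date(1970, 5, 17), "admission_date": date(2019, 7, 31),
    "diagnosis_code": "J18.9",
}

if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD))
```

Note that this covers only the enumerated identifiers; the "any other unique identifying number, characteristic, or code" item and the "no reasonable basis to believe" test still require human review of the remaining fields.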

Also excluded from the definition of protected health information are:

  • Records covered by the Family Educational Rights and Privacy Act, 20 U.S.C. 1232g
  • Employment records held by a covered entity in its role as employer
  • Records regarding a person who has been deceased for more than 50 years

The Privacy and Breach Notification Rules apply to all PHI, whether electronic, paper, or oral. The Security Rule applies only to electronically created, transmitted, or stored PHI. 

Who must comply with HIPAA?

HIPAA's Privacy Rule applies only to "covered entities." However, the Health Information Technology for Economic and Clinical Health (HITECH) Act made portions of the Privacy Rule directly applicable to business associates.

Covered entities are (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with certain “covered transactions,” such as the submission of health care claims for payment.

Covered entities can be institutions, organizations, or individuals. A health care provider is only considered a covered entity under HIPAA if the health care provider transmits health information in an electronic format in connection with a HIPAA covered transaction. Because virtually every provider submits data electronically, either through the use of an EMR or to bill payors, virtually every provider is a covered entity under HIPAA.

HIPAA's Security Rule applies to both covered entities and their business associates. 

What is a "covered transaction"?

Generally, covered transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities.

Covered transactions are any transmissions of information between two parties for purposes of carrying out financial or administrative activities related to health care involving:

  • Claims and encounter information
  • Payment and remittance advice
  • Claims status
  • Eligibility
  • Enrollment and disenrollment
  • Referrals and authorizations
  • Coordination of benefits
  • Premium payment
  • Other transactions that the Secretary may prescribe by regulation

What is a business associate?

A business associate is any person or entity, other than a member of the covered entity's workforce, who:

  • On behalf of a covered entity, creates, receives, maintains, or transmits PHI for a function or activity regulated under HIPAA; or
  • Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of PHI.


The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.