HIPAA is a federal law that, among other things, focuses on protecting the privacy of personal health information (“protected health information” or “PHI”). This law affords certain rights to individuals regarding their PHI and imposes obligations upon many institutions that maintain such PHI. At Penn, the following entities are responsible for compliance with HIPAA privacy regulations: the University of Pennsylvania Health System (“UPHS”), the School of Medicine (“SOM”), the School of Dental Medicine (“SODM”), and HR Benefits program, as well as workforce members of other Penn offices that, while offering support to these entities, access PHI. Members of the workforce of the above entities must receive HIPAA training from their entity. The following serve as basic reminders of key HIPAA privacy principles:

  • Receive, use, and disclose PHI for purposes of treatment, payment, and healthcare operations. (See definitions). If you are using or disclosing PHI for purposes other than treatment, payment, or healthcare operations, please consult as necessary with the relevant Privacy Officer to determine whether and under what conditions such use or disclosure is permissible and if HIPAA accounting rules apply.
  • Adopt reasonable measures to protect PHI from unauthorized access, use, or disclosure. In considering what is reasonable, you should consider the extent to which paper records are kept in locked files or rooms; whether destruction of paper records is effective (shredding is recommended); the extent to which electronic records are accessible to unauthorized individuals; and other factors that may influence risk of unauthorized access.
  • Limit the amount of information you receive, use, and disclose to what is reasonably necessary for you to do your job. Take an extra few minutes to consider whether you can reduce the amount of health information involved.
  • Evaluate your agreements with vendors – especially those with access to our PHI or who create PHI on our behalf – and determine whether HIPAA business associate language is required for those contracts. If you have any questions on whether such language is required, or to obtain a copy of the required language, consult the relevant Privacy Officer.
  • If you have any questions, or believe that a violation of privacy has occurred, please contact the relevant Privacy Officer as soon as possible.