Quick guide to HIPAA

Prepared by Privacy Office within the Office of the Chief Risk Officer

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. HIPAA does the following:

  • Provides workers the ability to transfer and continue health insurance coverage when changing or losing a job
  • Reduces healthcare fraud and abuse
  • Mandates industry-wide standards for healthcare information on electronic billing and other processes
  • Requires the protection and confidential handling of Protected Health Information

What is PHI?

Individually identifiable health information, including demographic information, that is created or received by a covered entity and that relates to the past, present, or future physical or mental health of an individual, provision of healthcare to an individual, or past, present, or future payment for the provision of healthcare to an individual. The presence of at least one of 18 HIPAA-designated direct and indirect identifiers in a data set makes the whole data set Protected Health Information.

  • Name
  • Geographic information smaller than state
  • Dates more precise than year, and all ages greater than or equal to 90 years of age
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers including license plate
  • Device identifiers and serial numbers
  • URLs
  • IP address numbers
  • Biometric identifiers: A biological or behavioral characteristic of an individual that can be used to identify the individual. Examples include finger and voice prints.
  • Full face photographic images and comparable images
  • Health plan beneficiary numbers
  • Any other unique identifying number, characteristic, or code: Any code or other means of record identification that is derived from PHI that must be removed in order for the data to be considered de-identified per the Safe Harbor method. Examples can be found on the HHS website.

What is Use of PHI?

The sharing, employment, application, utilization, examination, or analysis of Protected Health Information within the Stanford Affiliated Covered Entity.

What is Disclosure of PHI?

Release, transfer, provision of access to, or divulging in any manner of Protected Health Information outside the Stanford Affiliated Covered Entity.

What is Stanford Affiliated Covered Entity (SACE)?

The single affiliated entity created by the joining of Stanford Health Care, Stanford Children's Hospital, University Healthcare Alliance, Lucile Packard Healthcare Alliance, ValleyCare, and the Stanford University HIPAA Components (SUHC). The SUHC is comprised of the healthcare components of Stanford University that are its healthcare providers (School of Medicine, Vaden Health Center, and the Occupational Health Center) and selected support units as designated by the Chief Privacy Officer of the University Privacy Office.

What is a “covered entity”?

A covered entity includes health plans and any health care provider that electronically transmits any health information as a part of billing. Examples include hospitals, academic medical centers, and health providers that electronically submit claims to health plans or third-party administrators of health plans.

Is Stanford University a “covered entity”?

Stanford University is considered a hybrid entity because certain components, those that fall into Stanford University’s HIPAA Components (SUHC), fall within the definition of covered entity under HIPAA, while many others fall outside the definition. For example, nearly all parts of the School of Medicine (SoM), including Research IT, fall within the SUHC. For more information about SUHC, please visit the University Privacy Office website.

If my research involves the use of PHI, what steps do I take next?

If you are a researcher seeking to access, obtain, or use PHI from a HIPAA covered entity for research purposes, then HIPAA generally requires that you obtain a signed authorization for that use from the patient/participant, or otherwise justify an exception from that requirement. In either case, you will be required to have an IRB-approved protocol.

What is HIPAA Waiver of Authorization?

HIPAA permits waivers of authorization for activities that are not part of the actual research but involve planning for the research, such as identifying individuals for recruitment or designing a research protocol. Waiver requests require IRB review and approval. Remember: Data received through a HIPAA waiver of authorization cannot be used for any purpose other than that which has been approved by the IRB.

To proceed without obtaining the patient/participant’s authorization, you may:

  1. Request from the IRB a partial (for recruitment purposes) or a full waiver of the Authorization requirement;
  2. Request access to PHI through use of a limited data set;
  3. Request access to PHI in preparation to research; or
  4. Request access to PHI solely of decedents.

For more information on exceptions to the HIPAA authorization requirement, including the required criteria for each category, visit the IRB’s human subject research website.

What is de-identified data?

Data is de-identified when (a) all 18 HIPAA-specified direct and indirect identifiers have been removed (Safe Harbor method), OR (b) an expert has determined that the data has a low probability of re-identification (Expert Determination method). Contact the University Privacy Office at privacy@stanford.edu for more information on expert determinations.
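As an added illustration of the Safe Harbor method described above (this is example code written for this guide, not Stanford's or HHS's own tooling), the function below strips the 18 identifier categories from a record using an allowlist, so a field that is not explicitly classified is dropped rather than leaked. The field names and the sample record are constructed assumptions.

```python
from datetime import date

# Constructed field names mapped to the identifier categories this page
# lists. REMOVE is stripped outright; DATE_FIELDS keep only the year;
# KEEP holds fields that are not among the 18 identifiers.
REMOVE = {
    "name", "street_address", "city", "zip",  # geography smaller than state
    "phone", "fax", "email", "ssn", "mrn", "account_number",
    "health_plan_id", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "face_photo",
    "study_code",  # "any other unique identifying code" derived from PHI
}
DATE_FIELDS = {"birth_date", "admit_date", "discharge_date"}
KEEP = {"state", "sex", "diagnosis_code"}
AGE_CAP = 90  # ages >= 90 collapse into a single "90+" bucket


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a de-identified copy of `record` under Safe Harbor.

    Any key not in DATE_FIELDS or KEEP is dropped, so a column added to the
    schema later cannot pass through by default. Ages are computed as of
    `as_of`; for a 90+ patient the birth year is also dropped, since it
    would reveal the very age the rule aggregates away.
    """
    out = {}
    for key, value in record.items():
        if key in DATE_FIELDS:
            out[key + "_year"] = value.year  # "dates more precise than year"
        elif key in KEEP:
            out[key] = value
    birth = record.get("birth_date")
    if birth is not None:
        had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
        age = as_of.year - birth.year - (0 if had_birthday else 1)
        if age >= AGE_CAP:
            out["age"] = "90+"
            out.pop("birth_date_year", None)
        else:
            out["age"] = age
    return out


def is_phi(record: dict) -> bool:
    """True if at least one identifier category remains (the page: a single
    identifier makes the whole data set PHI)."""
    return any(k in REMOVE or k in DATE_FIELDS for k in record)


# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-000001", "zip": "94305",
    "state": "CA", "sex": "F", "diagnosis_code": "E11.9",
    "birth_date": date(1930, 6, 15), "admit_date": date(2023, 3, 2),
    "ip_address": "192.0.2.10",
}
```

Running `safe_harbor(SAMPLE, date(2024, 1, 1))` keeps only state, sex, diagnosis code, admission year and the bucketed age; `is_phi` on the result returns False.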

What is a direct identifier?

Information that relates specifically to an individual. HIPAA designates the following as direct identifiers: names; postal address information other than town or city, state, and zip code; phone numbers; fax numbers; email addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers including license plate numbers; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers; and full face photographic images and any comparable images.

What is an indirect identifier?

Information that can be combined with other information to potentially identify a specific individual. HIPAA designates the following as indirect identifiers: city, state, and zip codes; elements of dates; and other numbers, characteristics, or codes not HIPAA-designated as direct identifiers.