For a full list of policies, visit the Privacy Office's HIPAA Privacy Policies Overview

What is HIPAA?

HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. HIPAA does the following:

• Provides workers the ability to transfer and continue health insurance coverage when changing or losing a job
• Reduces healthcare fraud and abuse
• Mandates industry-wide standards for healthcare information on electronic billing and other processes
• Requires the protection and confidential handling of Protected Health Information (PHI)

What is PHI?

Individually identifiable health information, including demographic information, that is created or received by a covered entity and that relates to the past, present, or future physical or mental health of an individual, provision of healthcare to an individual, or past, present, or future payment for the provision of healthcare to an individual. The presence of at least one of 18 HIPAA-designated direct and indirect identifiers in a data set makes the whole data set Protected Health Information.

1. Name
2. Social Security numbers
3. Telephone numbers
4. Addresses and all geographic information smaller than a state
5. All elements of dates (except year), including date of: birth, admission, discharge, and death; and all ages over 89
6. Fax numbers
7. E-mail addresses
8. Medical record numbers
9. Health Plan Beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) addresses
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and comparable images
18. Any other unique identifying number, characteristic, or code: Any code or other means of record identification that is derived from PHI that must be removed in order for the data to be considered de-identified per the Safe Harbor method.

What is Use of PHI?

The sharing, employment, application, utilization, examination, or analysis of Protected Health Information within the Stanford Affiliated Covered Entity

What is Disclosure of PHI?

Release, transfer, provision of access to, or divulging in any manner of Protected Health Information outside the Stanford Affiliated Covered Entity

What is Stanford Affiliated Covered Entity (SACE)?

The single affiliated entity created by the joining of Stanford Health Care, Stanford Children's Hospital, University Healthcare Alliance, Lucile Packard Healthcare Alliance, ValleyCare, and the Stanford University HIPAA Components (SUHC). The SUHC is comprised of the healthcare components of Stanford University that are its healthcare providers (School of Medicine, Vaden Health Center, and the Occupational Health Center) and selected support units as designated by the Chief Privacy Officer of the University Privacy Office.

What is a “covered entity”?

A covered entity includes health plans and any health care provider that electronically transmits any health information as a part of billing.  Examples include hospitals, academic medical centers, and health providers that electronically submit claims to health plans or third-party administrators of health plans. 

Is Stanford University a “covered entity”?

Stanford University is considered a hybrid entity because certain components, those that fall into Stanford University’s HIPAA Components (SUHC), fall within the definition of covered entity under HIPAA, while many others fall outside the definition.  For example, nearly all parts of the School of Medicine (SoM), including Research Technology, fall within the SUHC. For more information about SUHC, please visit the University Privacy Office website. 

If my research involves the use of PHI, what steps do I take next?

If you are a researcher seeking to access, obtain, or use PHI from a HIPAA covered entity for research purposes, then HIPAA generally requires that you obtain a signed authorization for that use from the patient/participant, or otherwise justify an exception from that requirement.  In either case, you will be required to have an IRB-approved protocol.

What is HIPAA Waiver of Authorization?

HIPAA permits waivers of authorization for activities that are not part of the actual research but involve planning for the research, such as identifying individuals for recruitment or designing a research protocol. Waiver requests require IRB review and approval. Remember: Data received through a HIPAA waiver of authorization cannot be used for any purpose other than that which has been approved by the IRB.

To avoid obtaining the patient/participant’s authorization, you may:

1. Request from the IRB a partial (for recruitment purposes) or a full waiver of the Authorization requirement;
2. Request access to PHI through use of a limited data set;
3. Request access to PHI in preparation to research; or
4. Request access to PHI solely of decedents. 

For more information on exceptions to the HIPAA authorization requirement, including the required criteria for each category, visit the IRB’s human subject research website.

What is De-Identified Data?

Data is de-identified when (a) All 18 HIPAA-specific direct and indirect identifiers have been removed (Safe Harbor method) OR (b) Determined by expert opinion to have a low probability of re-identification (Expert Determination method). Contact the University Privacy Office for more information on expert determinations.

What is a Direct Identifier?

Information that relates specifically to an individual. HIPAA designates the following as direct identifiers: names; postal address information other than town or city, state, and zip code; phone numbers; fax numbers; email addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers including license plate numbers; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers; and full face photographic images and any comparable images.

What is an Indirect Identifier?

Information that can be combined with other information to potentially identify a specific individual. HIPAA designates the following as indirect identifiers: city, state, and zip codes; elements of dates; and other numbers, characteristics, or codes not HIPAA-designated as direct identifiers.