Legal Aspects Manual

0130.005.10 Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) protects individuals’ medical records and other protected health information (PHI). This federal law provides further requirements and restrictions in addition to the other confidentiality provisions beginning at 0130.005.00 Confidentiality.

With certain exceptions, PHI refers to any individually identifiable health information. This includes information that identifies or can be used to identify the individual, information about physical or mental health, and payments for medical care. To be PHI, the information must include both medical information and a personal identifier. PHI includes but is not limited to:

  • information or codes that might indicate a health condition of the client
  • hospital and doctor records
  • the IM-60A form, Medical Report Including Physician’s Certification/Disability Evaluation
  • statement of charges from a hospital or other medical provider
  • verification of Supplemental Security Income for a person who is under the age of 65

The major provisions of HIPAA provide for:

  • in limited circumstances, giving the individual an opportunity to agree or object to uses and disclosures of PHI
  • requiring the use of a privacy notice
  • allowing individuals to access PHI
  • permitting individuals to request an amendment of PHI
  • allowing persons to request an accounting of disclosures of PHI
  • defining a minimum use standard
  • establishing who has access to PHI
  • civil and criminal penalties for violating the HIPAA standards
  • requiring workforce members to be trained on and to acknowledge the HIPAA privacy provisions
  • verifying the identity and authority of persons requesting a client’s PHI
  • allowing recipients to request restrictions on the use and disclosure of PHI
  • mandating that organizations have a privacy officer and a complaint officer