Protected Health Information (PHI) and HIPAA Compliance
What is Protected Health Information?
- PHI is individually identifiable health information that is held or transmitted by a covered entity or its business associates, in any form or medium, whether electronic, paper, or oral. More information can be found on the U.S. Department of Health and Human Services (HHS) website.
What is the Health Insurance Portability and Accountability Act (HIPAA)?
- HIPAA establishes national standards to protect individuals' medical records and other personal health information. It applies to health plans, healthcare clearinghouses, and those health care providers that conduct certain health care transactions electronically. The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Privacy Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.
- HIPAA has three components, all of which are enforced by the federal HHS Office for Civil Rights (OCR):
- HIPAA Privacy Rule: protects the privacy of individually identifiable health information.
- HIPAA Breach Notification Rule: requires covered entities and business associates to provide notification following a breach of unsecured PHI.
- HIPAA Security Rule: sets standards for the security of electronic PHI (ePHI).
How do I know if I am affected by the HIPAA Privacy Rule?
- The HIPAA Privacy Rule affects research and researchers when:
- The research requires access to and/or use of PHI that is created or maintained by a covered entity, or
- A covered entity or covered component of KSU performs research that creates or generates PHI.
What should I do if my research involves access to PHI?