Does HIPAA Apply to Our Department?

Protected health information requires more stringent security. Here you can test your data against the a list of questions that will decide if you store any HIPAA data.

HIPAA (Health Insurance Portability and Accountability Act) places significant privacy and security requirements on health care practitioners and researchers. If HIPAA applies to your department, you will need to take additional steps in your risk analysis and response.

Does your department handle medical information that is combined in any way with one or more of the following personal health identifiers (PHI)? If the answer is “yes,” then HIPAA applies to your department.

  1. Names
  2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census the geographic unit formed by combining all zip codes with the same three initial digits contains less than 20,000 people
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code that is derived from or related to information about the individual 

For more information, researchers and other Agency 207 employees should contact Shirley Payne; Agency 209 employees should contact Jay Early.

http://www.healthsystem.virginia.edu/intranet/privacyoffice/

© 2009 by the Rector and Visitors of the University of Virginia.

The information contained on the University of Virginia’s Department of Information Technology and Communication (ITC) website is provided as a public service with the understanding that ITC makes no representations or warranties, either expressed or implied, concerning the accuracy, completeness, reliability or suitability of the information, including warrantees of title, non-infringement of copyright or patent rights of others. These pages are expected to represent the University of Virginia community and the State of Virginia in a professional manner in accordance with the University of Virginia’s Computing Policies.