
HIPAA Privacy Policies, Procedures & Training


Congress enacted HIPAA in 1996 as part of a broad health care reform effort. During its drafting, the emphasis shifted from promoting the portability of personal health insurance to standardizing the way insurance claims are shared with medical insurers. Recognizing the great potential for abuse of computerized patient health data, Congress placed strict controls on the movement and handling of health information across computer networks, and gave patients modest control over their own medical information. Doctors, hospitals and academic medical centers must comply with these regulations.

What does HIPAA do?

  • Establishes privacy and protection for patient health information;
  • Establishes patients' rights, including the right to access, inspect and obtain copies of protected health information, to amend the record, to receive an accounting of disclosures, and to request that uses and disclosures be restricted;
  • Establishes electronic data interchange standards for eight transactions and claims attachments;
  • Attempts to reduce costs;
  • Provides severe civil and criminal penalties for those found in violation; and
  • Empowers the Secretary of Health and Human Services and the Office for Civil Rights to pursue suspected violators.

When did HIPAA take effect?

HIPAA took effect in stages. The compliance deadline for the Privacy Rule was April 14, 2003; further rules took effect in the months that followed.

What information is protected?

Health information is data that relates to the past, present or future physical or mental health or condition of an individual, to the provision of health care to an individual, or to payment for that care, whether it is transmitted or maintained electronically or in any other form. Protected Health Information (PHI) is health information that identifies an individual or can reasonably be used to identify one.

Who is regulated?

HIPAA applies to health plans, health care clearinghouses and health care providers that transmit protected health information electronically. Academic medical centers such as the School of Medicine that do business with these entities, or obtain PHI from them, must also comply with HIPAA.

What activities were affected at the School of Medicine?

Clinical care, human subjects research, development, public relations, and computer and communication systems were all modified to achieve HIPAA compliance.

What does HIPAA require?

  • Policies and procedures for use and disclosure of PHI, "minimum necessary" use and disclosure, data de-identification, notice of privacy practices and patient rights;
  • Staff training;
  • Monitoring processes and systems; and
  • Documentation of compliance.

What did the School of Medicine do to comply?

  • We established a joint SOM-UPI Oversight Committee in July 2002. This committee formed workgroups for each HIPAA issue, including clinical operations, development, administration, research, and information technology.
  • The workgroups with the help of a consultant determined where compliance efforts and resources needed to be focused.
  • These bodies consulted and collaborated with our campus and health care colleagues to harmonize plans and strategies.
  • We drafted joint information privacy and security policies.
  • We developed training materials.
  • We increased security of our data networks and computers.

What are the penalties for non-compliance?

HIPAA carries both civil and criminal penalties, ranging from $100 per violation up to $250,000 in fines and 10 years' imprisonment for disclosure of PHI committed with intent to cause malicious harm.

Who do I contact for questions?

HIPAA Privacy Officer for the School of Medicine
Stanford Stass, M.D.,
Professor and Chair, Department of Pathology

HIPAA Security Officer for the School of Medicine
Sharon Bowser, MBA
Associate Dean and Chief Information Officer (CIO)