HIPAA Privacy Policies, Procedures & Training


Congress enacted HIPAA in 1996 as part of a broad health care reform effort. During its creation, emphasis shifted from promoting personal health insurance portability to standardizing the process of sharing insurance claims with medical insurers. Recognizing a great potential for abuse of computerized patient health data, Congress placed strict controls on the movement and care of health information through computer networks. They also allowed patients to exercise modest control over their own medical information. Doctors, hospitals and academic medical centers must comply with these regulations.

What does HIPAA do?

  • Establishes privacy and protection for patient health information;
  • Establishes patients' rights including the right to access, inspect and obtain copies of protected health information, to amend the record, to review a list of disclosures and to request that uses and disclosures be restricted;
  • Establishes electronic data interchange standards for eight transactions and claims attachments;
  • Attempts to reduce costs;
  • Provides severe penalties and sanctions to those found guilty; and
  • Empowers the Secretary of Health and Human Services and the Office of Civil Rights to pursue suspected violators.

When did HIPAA take effect?

HIPAA took effect gradually beginning on April 14, 2003. More regulations became active in subsequent months.

What information is protected?

Health information is data, transmitted or maintained in any form, that relates to the past, present, or future physical or mental health condition of an individual, or to payment for the provision of health care to an individual. Protected Health Information (PHI) is health information that is or can be associated with an individual.

Who is regulated?

HIPAA applies to health plans, clearinghouses, and health care providers who transmit protected health information. Academic medical centers like the School of Medicine, which do business with or obtain PHI from them, must also comply with HIPAA.

What activities were affected at the School of Medicine?

Clinical care activities, human research, development, and public relations, as well as computer and communication systems, were modified to achieve HIPAA compliance.

What does HIPAA require?

  • Policies and procedures for use and disclosure of PHI, "minimum necessary" use and disclosure, data de-identification, notice of privacy practices, and patient rights;
  • Staff training;
  • Monitoring processes and systems; and
  • Documentation concerning compliance.

What did the School of Medicine do to comply?

  • We established a joint SOM-UPI Oversight Committee in July 2002. This committee formed workgroups for each HIPAA issue, including clinical operations, development, administration, research, and information technology.
  • The workgroups, with the help of a consultant, determined where compliance efforts and resources needed to be focused.
  • These bodies consulted and collaborated with our campus and health care colleagues to harmonize plans and strategies.
  • We drafted joint information privacy and security policies.
  • We developed training materials.
  • We increased the security of our data networks and computers.

What are the penalties for non-compliance?

HIPAA carries civil and criminal penalties ranging from $100 per violation up to $250,000 and 10 years of imprisonment for disclosure of PHI performed with malicious intent or intent to cause harm.

Who do I contact for questions?

Stanford Stass, MD
HIPAA Privacy Officer and Professor and Chair,
Department of Pathology, UMSOM

Matt Kramer
HIPAA Security Officer and Information Security Officer
University of Maryland Faculty Physicians Inc.
University of Maryland School of Medicine