Project 3: HIPAA, PII, and PHI Training
9/16/2020 HIPAA
https://leocontent.umgc.edu/content/umuc/tus/cmit/cmit320/2208/learning-topic-list/hipaa.html?ou=510377 1/3
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996
to improve the security of the storage and use of health care data. These regulations
define how health care agencies must secure patients’ personal information and regulate
its disclosure.
IT staff members should understand how HIPAA applies to their work so they can
correctly handle sensitive information and demonstrate the organization’s compliance
with the law in order to protect patients and the organization (DNSStuff,
n.d.). Unauthorized access to or release of data can lead to problems for the individuals
whose data has been compromised and also to fines and penalties for the organization (Ashraf,
n.d.). Two important IT-related aspects of HIPAA are the Privacy Rule and the Security
Rule.
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical
records and other personal health information and applies to health plans, health care
clearinghouses, and those health care providers that conduct certain health care
transactions electronically. The Privacy Rule requires appropriate safeguards to protect
the privacy of personal health information and sets limits and conditions on the uses and
disclosures that may be made of such information without patient authorization. The rule
also gives patients specific rights over their health information, including rights to examine
and obtain a copy of their health records, and to request corrections (HHS, "Privacy
Rule," n.d.).
The Privacy Rule protects all "individually identifiable health information" held or
transmitted by a covered entity or its business associate, in any form or media, whether
electronic, paper, or oral (HHS, "Summary of the HIPAA Privacy Rule," n.d.). The Privacy
Rule calls this information "protected health information (PHI)." PHI is information,
including demographic data, that relates to:
the individual’s past, present, or future physical or mental health or condition;
the provision of health care to the individual; or
the past, present, or future payment for the provision of health care to the
individual, and that identifies the individual or for which there is a reasonable basis
to believe it can be used to identify the individual (such as name, address, birth date,
or Social Security number).
HIPAA Security Rule
The Security Rule (HHS, "Summary of the HIPAA Security Rule," n.d.) requires covered
entities to maintain reasonable and appropriate administrative, technical, and physical
safeguards for protecting electronic protected health information (ePHI). Specifically,
covered entities must:
1. Ensure the confidentiality, integrity, and availability of all ePHI they create, receive,
maintain, or transmit;
2. Identify and protect against reasonably anticipated threats to the security or
integrity of the information;
3. Protect against reasonably anticipated, impermissible uses or disclosures; and
4. Ensure compliance by their workforce.
Note that the concept of protected health information is very similar to the term personally
identifiable information (PII), which is a broader term used by the federal government to
indicate "any information about an individual maintained by an agency, including any
information that can be used to distinguish or trace an individual's identity, such as name,
Social Security number, date and place of birth, mother's maiden name, or biometric
records; and any other information that is linked or linkable to an individual," such as
medical, educational, financial, and employment information (GAO, 2008).
References
Ashraf, A. (n.d.). PII and PHI overview: What CISSPs need to know. Infosec. https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/asset-security/protecting-privacy/#gref
Department of Health and Human Services (HHS). (n.d.). The HIPAA privacy rule. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
Department of Health and Human Services (HHS). (n.d.). The HIPAA security rule. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
DNSStuff. (n.d.). What is HIPAA compliance? https://www.dnsstuff.com/what-is-hipaa-compliance
United States Government Accountability Office (GAO). (2008). Privacy: Alternatives exist for enhancing protection of personally identifiable information. https://www.gao.gov/new.items/d08536.pdf
Resources
Provider Responsibilities Under HIPAA (/content/umuc/tus/cmit/cmit320/2208/learning-resource-list/your-practice-and-the-hipaa-rules.html?ou=510377)
Electronic Health Records, the HIPAA Security Rule, and Cybersecurity (/content/umuc/tus/cmit/cmit320/2208/learning-resource-list/electronic-health-records--the-hipaa-security-rule--and-cybersec.html?ou=510377)
Educating and Training Your Workforce (/content/umuc/tus/cmit/cmit320/2208/learning-resource-list/educating-and-training-your-workforce.html?ou=510377)
© 2020 University of Maryland Global Campus