Health Insurance Portability and Accountability Act (HIPAA)

At Yale University, we are committed to providing quality health care, which includes respecting patients' and clinical research subjects' rights to keep their health information private and ensuring appropriate security for all protected health information (PHI). The standards for protecting patient health information are set out in the federal law known as the Health Insurance Portability and Accountability Act (HIPAA). This website provides information and guidance on the policies and procedures related to HIPAA compliance at Yale University.

Revised HIPAA Regulations

In January 2013, the US Department of Health and Human Services Office for Civil Rights (HHS OCR) released revisions to the HIPAA regulations (the Omnibus Final Rule) implementing most of the changes mandated by the HITECH Act and the Genetic Information Nondiscrimination Act (GINA). The following list highlights the changes expected to have the greatest impact on the Yale community:

Breach reporting requirements:

The definition of a breach was revised to remove the "harm threshold" previously used to decide whether an incident qualified as a breach. Under the new definition, any impermissible acquisition, access, use or disclosure of unsecured PHI is presumed to be a reportable breach unless a documented risk assessment demonstrates a low probability that the PHI has been compromised. This change is expected to increase the number of incidents that must be reported.

Research Authorizations

The revised regulations now allow a HIPAA authorization for future, unspecified research to be combined with the study-specific HIPAA authorization, as long as the document adequately describes that future use of the data or specimens is possible and the authorization allows the individual to agree separately to such future uses of their PHI.

Business Associate requirements:

Individuals or entities that create, receive, transmit, maintain, use or disclose PHI on our behalf continue to be required to enter into a Business Associate Agreement. They are now also directly accountable to HHS OCR for HIPAA compliance, and they must enter into a Business Associate Agreement with any of their subcontractors that will handle PHI.

Fundraising Limitations

Covered entities may now use limited health information, such as department of service and outcome information, to target fundraising initiatives. However, every fundraising communication must include a clear and conspicuous description of how the recipient can opt out of future fundraising, and we are obligated to honor any patient's request not to be contacted.

Decedents

Health information of individuals who have been deceased for more than 50 years is no longer considered PHI and is no longer subject to HIPAA requirements.

Health information of a decedent relevant to a family member's or friend's involvement in the decedent's care or payment for care may also be disclosed to that person, unless doing so is inconsistent with a preference the decedent had previously expressed.

Patient Access to Records

Patients may request an electronic copy of their records if the information is already maintained in electronic form, and we must provide that copy within 30 days (one 30-day extension is permitted).

Patients (or a parent or guardian in the case of a minor) can agree to have immunization records sent directly to a school that is required by law to have them, without signing a HIPAA authorization.

Restrictions on Release of Records

Patients who have paid out of pocket in full for a service can request that information about that service not be disclosed to their health plan.

Notice of Privacy Practices

Additional information is required in the Notice of Privacy Practices, and the revised notice, or a summary of it, must be prominently posted for patients.

Health Plans must send a revised notice at the time of their next annual mailing.

Genetic Information

Under GINA, health insurers may not use an individual's genetic information for underwriting purposes, and employers may not use it in employment decisions. For example, genetic sequencing results cannot be used to set insurance premiums.

Sale of PHI

Except in limited circumstances, receiving financial remuneration in exchange for PHI, or using PHI for marketing activities, is prohibited without the patient's authorization. Research contracts that require PHI to be shared with the study sponsor are generally not considered a "sale" of PHI.

Enforcement

The Secretary of HHS is required to investigate all complaints suggesting violations arising from willful neglect. Civil monetary penalties can reach $1.5 million per calendar year for violations of the same provision, and criminal violations can carry fines and imprisonment.


If you have any questions about HIPAA and the revised HIPAA regulations, feel free to contact the HIPAA Privacy Office at or 432-5919.

At this time, members of the Yale community may be particularly interested in the information related to breach notification.