Page 5 of 9 

Who needs to follow HIPAA rules?

Not every organization is subject to HIPAA rules. Many other organizations follow different or less strict rules for protecting health information.

Who needs to follow HIPAA?
  • Healthcare Providers: most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists
  • Health Insurers: health insurance companies, HMOs, company health plans, government programs such as Medicare and Medicaid

Who does NOT need to follow HIPAA?
  • Employers
  • Life insurance companies and workers' compensation carriers
  • Schools and school districts
  • State agencies like child protective services
  • Law enforcement agencies and municipal offices

Check to see if your organization is subject to HIPAA rules.

What information is protected under HIPAA?

Information protected under HIPAA is called Protected Health Information (PHI). PHI can be written, spoken, or in an electronic format (ePHI). For example, PHI can be written or typed information added to medical records. It can also be in conversations between doctors and others about your care or treatment. Health insurance files or computer files with patient billing information also include PHI. The specific identifiers that are protected under HIPAA include:

  • Contact information
    • Name
    • Address (all geographic subdivisions smaller than state, including street address, city, county, ZIP code)
    • Telephone numbers
    • FAX number
    • E-mail address
  • Electronic contact information
    • Web URL (web address)
    • Internet Protocol (IP) address numbers
  • Dates related to a patient or their care
    • Birth or death date
    • Admission or discharge date
  • Identifying numbers
    • Social Security Number
    • Medical record number
    • Health plan beneficiary number
    • Account number
    • Certificate/license number
  • Device or vehicle numbers
    • Device identifiers or serial numbers
    • Any vehicle or other device serial number
  • Pictures, fingerprints, voice recordings (digital or analog)
  • Any other characteristic that could uniquely identify the individual

Examples of PHI in Your Work Setting

PHI in your work setting may be written, spoken or electronic. Examples of PHI include:

  • Clinic notes, lab results, or treatment records in a medical record
  • Voice messages left on a patient’s answering machine to confirm an appointment
  • Conversations about patients between doctors or nurses
  • Doctor’s recorded voice transcription of a patient’s clinic visit
  • Filled prescription bottles
  • Pictures of patients on a public website

What is De-identified information?

“Identifiers” can connect a person to their medical information (examples include name, date of birth, treatment date, and SSN). When the identifiers are removed, the information is “de-identified.” De-identified information is sometimes used when researchers want to study a treatment but do not need patients’ names. Medical students also study patient cases once the identifiers have been removed.
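As an added example (not part of this training page), the script below drops the identifier categories listed in the previous section from a constructed patient record and scrubs a few formatted identifiers out of free-text notes. The field names, regular expressions and sample record are assumptions, and a pattern scrub like this catches only formatted values such as SSNs, phone numbers and dates, not names written in prose.

```python
import re

# Structured fields holding the identifier categories listed above.
# The field names are an assumed record layout, not taken from the page.
IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "zip", "phone", "fax", "email",
    "url", "ip_address", "birth_date", "death_date", "admission_date",
    "discharge_date", "ssn", "mrn", "beneficiary_number", "account_number",
    "license_number", "device_serial", "vehicle_serial", "photo",
}

# Formatted identifiers that often leak into free-text notes. Names and
# other prose identifiers are NOT caught by these patterns and still need
# manual or NLP review before the text is treated as de-identified.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-. ])\d{3}[-. ]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b")),
]

def redact_text(text):
    """Replace each formatted identifier in free text with a labelled marker."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label} REMOVED]", text)
    return text

def deidentify(record):
    """Return a copy of the record without identifier fields and with every
    string field scrubbed. 'state' is kept: only units smaller than a state are listed."""
    clean = {}
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue  # drop the whole field rather than try to mask it
        clean[key] = redact_text(value) if isinstance(value, str) else value
    return clean

# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "zip": "62701",
    "state": "IL",
    "admission_date": "2024-03-15",
    "diagnosis": "Type 2 diabetes",
    "notes": "Pt called from 555-010-0199 on 03/15/2024; reports improved sleep.",
}
```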
