The below is a listing of FAQs regarding HIPAA and the secure handling of Protected Health Information (PHI).

Q.  What is Protected Health Information (PHI)?
A.  According to the federal definition, PHI is individually identifiable health information held or transmitted by a covered entity or its business associate regardless of form(electronic, paper, or oral). There are 18 elements considered to be Protected Health Information. De-identified PHI must be devoid of these identifiers. Please consult the TAMHSC PHI Use and Disclosure Policy for a listing of these 18 elements.

Q.  Are researchers exempt from the HIPAA privacy, security, and training requirements?
A.  No.  Individuals working with PHI must meet and maintain the HIPAA training, privacy, and security compliance requirements.

Q.  How may I encounter PHI?
A. You may encounter PHI via a variety of channels including working with research data that includes PHI, in a health fair, or completing a practicum experience in a health provider (covered entity) setting where you have access to PHI.

Q.  The work conducted at SPH is largely not clinical in nature. How and when does HIPAA apply?
A.  HIPAA privacy and security laws have been expanded to include Covered Entities as well as Business Associates. Therefore, while SPH does not provide health services, faculty, staff, and students may have access to PHI through research or other activities.

Q.  Who/what is a Covered entity?
A. Covered entities include health care providers, health plans, and healthcare clearinghouses.

Q.  Who/what is a Business Associate?
A.  A Business Associate is a person or organization that performs certain services or functions on behalf of the covered entity that involve the use or disclosure of PHI.

Q.  What is a Business Associate Agreement (BAA)?
A.  A Business Associate Agreement is legally binding agreement (a contract) between a Covered Entity and Business Associate that delineates the privacy and security requirements for PHI that is shared between organizations.

Q.  What HIPAA training is required for SPH researchers, staff, and students?
A.  All SPH employees are required to complete HIPAA training upon hire and annual thereafter via the TrainTraq System. HIPAA training is currently part of the required CITI training for students prior to admission. The HIPAA training through CITI is currently being expanded. Students engaged in practicum activities are required to complete the HIPAA/HITECH training of the organization where they complete their practicum requirements.

Q.  How often must I take the HIPAA training?
A. HIPAA training must be renewed annually.

Q.  Is the completion of the confidentiality and security statement required?
A.  Completion of the security statement is strongly encouraged.

Q.  How do I ensure my computer/laptop/tablet/database/server is secure?
A.  Investigators with projects that involve PHI should consult with the HIPAA privacy officer and The Office of Information Technology to ensure security and privacy compliance measures are met prior to receiving PHI. PIs should review their safeguards annually.  PHI should not be downloaded to tablets due to security issues. A link to the recommended free encryption software is available here.

Q.  Are HSC servers secure and HIPAA compliant?
A.  Yes.

Q.  Are cloud based providers considered HIPAA compliant?
A.  Use of cloud based providers for storing PHI is discouraged due to security issues.  Cloud based providers should sign a Business Associate Agreement (BAA) in advance of receiving/storing PHI.

Q.  What HIPAA requirements must practicum students follow?
A.  In addition to the required HIPAA training, students accessing PHI at covered entity sites (health care provider sites) are covered under the privacy/security compliance safeguards of the practicum site. Students engaged in practicum activities are required to complete the HIPAA/HITECH training of the organization where they complete their practicum requirements.

Q.  What should I do if I suspect a security breach? Who do I contact? 
A. A breach or suspected breach should be reported immediately to Dr. Jane Bolin (979-862-4238).

Q.  What are the repercussions for not ensuring HIPAA compliance?
 A.  Failure to comply with HIPAA requirements may result in extensive criminal and civil penalties and fines. 

Q.  Where can I learn more about HIPAA?
A.  The U.S. Department of Health and Human Services has an extensive website that provides an in-depth overview of the HIPAA requirements.