Information Sharing: Health Insurance Portability and Accountability Act of 1996 (HIPAA)
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the privacy and security of individually identifiable health information, also known as protected health information, or "PHI." Such information is held by "covered entities" such as health plans, health care clearinghouses, and most health care providers, as well as their respective business associates (i.e., entities with access to health information in order to perform work on behalf of a covered entity).
The Standards for Privacy of Individually Identifiable Health Information, or Privacy Rule, establishes national standards for the protection of an individual's identifiable health information and defines the circumstances under which this health information may be used or disclosed. It requires specific protections to safeguard your personal health information, and provides for certain rights of the individual, including the right to examine and obtain a copy of personal health records, and to request corrections.
In addition to the above protections, the Privacy Rule allows for the disclosure of certain health information in order to improve the quality and efficiency of individual care, as well as to protect public health and wellbeing. The Privacy Rule is designed to be flexible and comprehensive in order to cover the variety of uses and disclosures that need to be addressed.
The Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, establishes a national set of security standards for protecting health information that is held or transferred in electronic form. The Security Rule delineates the technical, administrative, and physical safeguards that covered entities and business associates must put in place to secure electronic health information. The Security Rule enables a covered entity to implement policies, procedures, and technologies that are appropriate for its size, organizational structure, and the associated risks to electronic PHI. As such, it is designed to be flexible, scalable, and technology neutral. The U.S. Department of Health and Human Services Office for Civil Rights maintains responsibility for administering and enforcing the Privacy and Security Rules.
How Does HIPAA Function in Institutions of Higher Education?
Basic Principle. As stated previously, the Privacy Rule aims to define and limit the circumstances in which an individual’s PHI may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except: (1) as the Privacy Rule permits or requires; or (2) as the individual subject of the information (or their personal representative) authorizes in writing.
Generally, HIPAA does not apply to health information in student records maintained by an Institution of Higher Education (IHE). Student health information maintained by an IHE is considered an education or treatment record and is protected by the Family Educational Rights and Privacy Act (FERPA).
HIPAA may apply, however, to patient records at a university hospital, which may include records on students and non-students. It may also apply to the health records of non-students at a university health clinic.
HIPAA Guidance and Resources
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights has developed extensive guidance pertaining to the implementation of the HIPAA Privacy Rule and emergency situations. The Office for Civil Rights maintains a website with guidance on HIPAA, FERPA, and the release of PHI for common emergency preparedness issues and public health purposes (e.g., terrorism preparedness or disease outbreak investigations). For more detailed information or additional guidance, please refer to the HHS website: https://www.hhs.gov/hipaa/index.html