Protected Health Information
The Health Insurance Portability and Accountability Act of 2003 (HIPAA) is a federal law designed to protect individuals' medical records and other health information. It sets boundaries for how the information can be used and shared.
Protected Health Information (PHI) is personal, identifiable information about individuals that is created or received by a health plan, provider or health care clearinghouse. It includes such identifiers as:
- name
- address
- email address
- birth date (except year)
- Social Security number
- employee number
- claim number
- health plan beneficiary number
Most managers will not have access to PHI. However, if you handle PHI as part of your job, you should become familiar with the law governing how such information can be used or transmitted. You should be aware that PHI includes written documents, electronic files and verbal information.
If an employee wishes to speak to you about health status or a benefits claim, you may discuss the benefits side of the situation, but you may not discuss specific medical aspects. A manager may contact the Benefits Office for an employee if the employee asks him or her to do so. The manager may not keep any copies of PHI or discuss the employee's health situation with any other person except the benefits coordinator or plan administrator.
If you have questions, please contact John Black or the Benefits Office.
For more information:
- Frequently Asked Questions about HIPAA (.pdf)
- A Guide to HIPAA for Individuals Outside the Firewall (.pdf) - for those who do not have to handle PHI
- A Guide to HIPAA for Individuals Inside the Firewall (.pdf) - for those who do have to handle PHI