HIPAA Requirements (At-A-Glance)

Author: Martin Voelk
March 26, 2015


Access:

the ability to read, write, modify, or communicate data/information or otherwise use any system resource (computer, servers, fax machine, etc.).

Administrative safeguards:

actions, and policies and procedures, to manage protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.


Authentication:

ensuring that a person is who they say they are.

Business Associate:

a person or entity who (1) on behalf of a covered entity performs or assists in a function or activity involving the Use or Disclosure of Individually Identifiable Health Information, including claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; repricing; and other functions and activities; or (2) provides legal, actuarial, accounting, consulting, Data Aggregation, management, administrative, accreditation or financial services that involves the disclosure of Individually Identifiable Health Information.

Business Unit

means one or more Workforce members who are subject to the HIPAA regulations and who are engaged in providing a specific product or service that involves Protected Health Information on behalf of the Covered Entity.


Confidentiality

means the property that data or information is not made available or disclosed to unauthorized persons or processes.

Covered Entity

means entities to which the HIPAA rules apply and includes Health Plans, Health Care Clearinghouses and Health Care Providers who transmit any health information in electronic form in connection with a Transaction covered by HIPAA laws and regulations.

De-identified Health Information

means health information that is not individually identifiable health information. The following identifiers of the individual, relatives, employers or household members of the individual must be removed for data to be De-Identified:

(1) Name;
(2) Street address, city, county, precinct, zip code and equivalent geocodes;
(3) All elements of dates (except year) for dates directly related to an individual and all ages over 89;
(4) Telephone number;
(5) Fax number;
(6) Electronic mail address;
(7) Social Security Number;
(8) Medical record numbers;
(9) Health plan ID numbers;
(10) Account numbers;
(11) Certificate/license numbers;
(12) Vehicle identifiers and serial numbers, including license plate numbers;
(13) Device identifiers and serial numbers;
(14) Web addresses (URLs);
(15) Internet IP addresses;
(16) Biometric identifiers, including finger and voice prints;
(17) Full face photographic images and any comparable images; and
(18) Any other unique identifying number, characteristic or code.
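Applying the removal list above to a single record, as an added Python example (not part of the original page): structured identifier fields are dropped, dates are cut to the year, ages over 89 are removed, and free text is scrubbed and then re-checked for anything that survived. The field names and the sample record are constructed for illustration.

```python
import re

# Constructed sample record (not real patient data); field names are assumed.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0012345",
    "dob": "1930-05-14",
    "age": 94,
    "zip": "02139",
    "email": "jane.doe@example.org",
    "diagnosis": "hypertension",
    "visit_date": "2015-03-02",
    "note": "Jane Doe (MRN-0012345) seen 2015-03-02; reached at jane.doe@example.org.",
}

# Structured fields holding an identifier from items (1), (2), (4)-(18): dropped whole.
DIRECT_ID_FIELDS = {"name", "mrn", "zip", "email", "phone", "fax", "ssn", "ip", "url"}
DATE_FIELDS = {"dob", "visit_date"}   # item (3): keep the year only
AGE_FIELD = "age"                     # item (3): ages over 89 are removed

# Identifiers that commonly hide inside free text.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),          # ISO dates
    re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),          # telephone / fax numbers
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),   # e-mail addresses
]

def scrub_text(text, known_values):
    """Replace the record's own identifier values, then pattern matches."""
    for value in sorted(known_values, key=len, reverse=True):  # longest first
        text = text.replace(value, "[REDACTED]")
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text

def deidentify(record):
    known_values = {str(record[k]) for k in DIRECT_ID_FIELDS if k in record}
    out = {}
    for key, value in record.items():
        if key in DIRECT_ID_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key] = value[:4]
        elif key == AGE_FIELD:
            if value <= 89:
                out[key] = value
        elif isinstance(value, str):
            out[key] = scrub_text(value, known_values)
        else:
            out[key] = value
    return out

def residual_identifiers(record, known_values):
    """Verification pass: list any identifier still present in string fields."""
    found = []
    for value in record.values():
        if isinstance(value, str):
            found += [v for v in known_values if v in value]
            found += [m.group(0) for p in FREE_TEXT_PATTERNS for m in p.finditer(value)]
    return found
```

The verification pass is the part worth keeping in any pipeline: a clean `residual_identifiers` result on the output is the evidence that the field-level rules actually caught what the free text contained.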


Disclosure:

the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Electronic media means:

(1) Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card, thumb drive; or

(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media.

Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

Electronic protected health information:

individually identifiable health information that is transmitted or maintained in electronic media.


Encryption:

the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.


Facility:

the physical premises and the interior and exterior of a building(s).

Individually Identifiable Health Information

is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a Health Care Provider, Health Plan, employer, or Health Care Clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an Individual; the provision of Health Care to an Individual; or the past, present, or future payment for the provision of Health Care to an Individual; and
(A) Identifies the Individual; or
(B) reasonably could be used to identify the Individual.

Information system

means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

Physical safeguards

are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion (e.g., keypad door entry).

Protected Health Information

means Individually Identifiable Health Information that is transmitted by electronic media; maintained in any electronic media; or transmitted or maintained in any other form or medium. Protected health information excludes Individually Identifiable Health Information in education records covered by the Family Educational Rights and Privacy Act.

Security or Security measures

encompasses all of the administrative, physical, and technical safeguards in an information system.

Security incident:

the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Technical safeguards:

the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.


Transaction

means the transmission of information between two parties to carry out financial or administrative activities related to Health Care. It includes the following types of information transmissions:

(1) Health care claims or equivalent encounter information
(2) Health care payment and remittance advice
(3) Coordination of benefits
(4) Health Care claim status
(5) Enrollment and disenrollment in a Health Plan
(6) Eligibility for a Health Plan
(7) Health Plan premium payments
(8) Referral certification and authorization
(9) First report of injury
(10) Health claims attachments
(11) Other transactions that the Secretary may prescribe by regulation


Workforce

means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for your practice, is under your direct control, whether or not they are paid by you.


Workstation

means an electronic computing device, for example, a laptop or desktop computer, thin client, or any other device that performs similar functions, and electronic media stored in its immediate environment.