IU South Bend HIPAA Guidance

 Related IT Policies

What are HIPAA laws?

In 1996, Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This law has been amended by the American Recovery and Reinvestment Act of 2009 (ARRA). HIPAA is the federal law that establishes standards for the privacy and security of health information, as well as standards for electronic data interchange (EDI) of health information.

How Does HIPAA Apply to IU South Bend?

HIPAA applies to covered entities; health care providers; health plans, defined by HIPAA as individual or group plans that provide or pay for health care, including employer plans; and health care clearinghouses.

At IU South Bend, HIPAA applies to any department, service, or group who collect, produce, or maintain records regarding physical or mental health which can be considered individually identifiable, regardless of whether or not they engage in electronic billing.

If you are in doubt as to whether HIPAA applies to you, please contact

PHI and ePHI

ePHI stands for Electronic Protected Health Information. It is any protected health information (PHI) which is created, stored, transmitted, or received electronically. Protected Health Information (PHI) under HIPAA means any information that identifies an individual and relates to at least one of the following:

  • The individual’s past, present or future physical or mental health.
  • The provision of health care to the individual.
  • The past, present or future payment for health care.

Information is deemed to identify an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity.


Data are “individually identifiable” if they include any of the 18 types of identifiers. All of the following are considered identifiers of the individual or of relatives, employers, or household members of the individual:

1. Names

2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

4. Telephone Numbers;

5. Fax Numbers;

6. Electronic Mail Addresses;

7. Social Security Numbers;

8. Medical Record Numbers;

9. Health Plan Beneficiary Numbers;

10. Account Numbers;

11. Certificate/License Numbers;

12. Vehicle Identifiers and Serial Numbers, including License Plate Numbers;

13. Device Identifiers and Serial Numbers;
14. Web Universal Resource Locators (URLs);

15. Internet Protocol (IP) Address Numbers;

16. Biometric Identifiers, including Finger and Voice Prints;
17. Full Face Photographic Images and any Comparable Images; and
18. Any other unique identifying number, characteristic, or code.

What is ‘ePHI’

ePHI includes any medium used to store, transmit, or receive PHI electronically.
Examples include:

  • Personal Computers with their internal hard drives used at work, home, or traveling
  • University/IT managed mass storage, such as database servers,  departmental or personal drive space, or email
  • Third party offsite mass storage
  • External portable hard drives, including iPods
  • Removable storage devices such as USB memory sticks/keys, CDs, DVDs, and magnetic diskettes/tapes
  • PDA’s, smartphones
  • Electronic transmission includes data exchange (e.g., email or file transfer) via wireless, ethernet, modem, DSL or cable network connections.

As technology progresses, any new devices for storing, transmitting, or receiving ePHI electronically will be covered by the HIPAA Security Rule.

What standards does HIPAA impose?

HIPAA imposes the following standards on covered entities for the purpose of standardizing and protecting the use, disclosure and exchange of health information:

  1. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information.  The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
  2. The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. 
  3. Standards for the handling of breach notifications should patient records be compromised.
  4. Standards to enable electronic interchange. HIPAA calls for the adoption of standards for certain transactions and data elements, such as health claim status, eligibility for a health plan, health plan enrollment/disenrollment.
  5. Standards that health care providers have standard national numbers that identify them on standard transactions. 
  6. The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.

What must I do if I am keeping medical records?

At IU South Bend, if you maintain medical records with individually identifiable data, you must adhere to HIPAA Privacy Rule, follow the HIPAA Electronics Transaction and Code Sets Rule, and if applicable, the national identifier requirement. Additionally, if you store or transmit HIPAA covered data, you must comply with all HIPAA security standards as outlined here:

 HIPAA Template Policies