The Health Insurance Portability and Accountability Act (HIPAA) is a US law passed by Congress in 1996, which requires the protection and confidential handling of protected health information (PHI).

The Health Insurance Portability and Accountability Act (HIPAA) mandates safeguarding the privacy of patients and making sure patient data is suitably secured, with the requirements put in by the HIPAA Privacy Rule of 2000 and the HIPAA Security Rule of 2003.

HIPAA requires health care providers as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared.  The requirement applies to all forms of PHI, including electronic, paper, oral, etc. 

Protected Health Information (PHI)

Any personally identifiable demographic information, whether oral or recorded in any form or medium, that can be used to identify a patient.

HIPAA identifies the following PHI identifiers:

  • Names
  • All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  • Dates (other than years) directly related to an individual
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health insurance beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers including finger, retinal and voice prints
  • Full-face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code.
Covered Entity (CE)

HIPAA regulation defines a covered entity as healthcare providers, health plans, and healthcare clearinghouses involved in the transmission of protected health information (PHI). This transmission can take place for the purpose of payment, treatment, operations, billing, or insurance coverage. Covered entities can include organizations, institutions, or persons.

Health Care Providers include:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

... only if they transmit any information in electronic form, in connection with a transaction for which HHS has adopted a standard.

Health Plans include:

  • Health Insurance Companies
  • HMOs
  • Company Health Plans
  • Government Programs that pay for healthcare (Medicaid, Medicare and military and veterans health care programs)

Health Care Clearinghouses include entities that process non-standard health information which they receive from another entity, into a standard (i.e. standard electronic format or data contact) or vice versa.

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.

More information on HHS.Gov website.

Business Associate

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.

The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.  

Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.  Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.

Examples of Business Associates:

  • A third party administrator that assists a health plan with claims processing. 
  • A CPA firm whose accounting services to a health care provider involve access to protected health information. 
  • An attorney whose legal services to a health plan involve access to protected health information. 
  • A consultant that performs utilization reviews for a hospital. 
  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer. 
  • An independent medical transcriptionist that provides transcription services to a physician. 
  • A pharmacy benefits manager that manages a health plan’s pharmacist network.  

More information on HHS.Gov website.


The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. 

The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. 

More information on HHS.gov website.

Health Information Privacy at GW is managed through the HIPAA Policy. The policy informs employees how PHI may be used and disclosed by the George Washington University Health and Welfare Benefit Plan, explain how participants can obtain access to their PHI and to comply with the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act and the related regulations (collectively, “HIPAA”).

We work closely with the GW community to reduce the risks to health information by:

  • Classifying protected health information (PHI) per the Health Insurance Portability and Accountability Act (HIPAA) and applying the required HIPAA security and privacy safeguards;
  • Classifying health information that is not defined as protected health information (PHI) and applying appropriate information security safeguards;

Online training

Various HIPAA training modules are available for students, staff and faculty:    

  • HIPAA Training for Covered Entities
  • HIPAA Training for Business Associates
  • HIPAA Security Training
  • HIPAA Privacy De-Identification 
  • HIPAA Training for Research (including training on De-Identification under HIPAA)

Click here to review the list of available online HIPAA training modules.

Additional Training Materials are offered by the US Department of Health & Human Services.