HIPAA Privacy and Security


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs the use and disclosure of individually identifiable information, or protected health information (PHI), created or received by covered entities.

Dubuque Internal Medicine is a covered entity, meaning it is a single legal entity with components that are covered under HIPAA. The Dubuque Internal Medicine HIPAA Privacy & Security Compliance Committee has identified areas that must comply with HIPAA. HIPAA Affected Areas are those units that have access to PHI, as defined by HIPAA, because the unit is a covered healthcare component (healthcare provider or health plan) or provides services to covered components and as such receives PHI to perform those tasks.

Key Concepts:

HIPAA Affected Areas must safeguard PHI during storage, use and disclosure. These safeguards apply to the Privacy and Security of the data and must include:

  • Administrative Safeguards (e.g. policies, procedures, training, DUAs & BAAs)
  • Physical Safeguards
  • Technical Safeguards

Patients have Rights to:

  • Notice of Privacy Practices (How their information may be used)
  • Inspect & copy PHI
  • Accounting of Disclosures (Record of disclosures of PHI for other than TPO & without their permission)
  • Request to Amend their record
  • Request for Confidential Communications
  • Request for Restrictions related to certain uses and disclosures
  • Give permission to allow certain uses and disclosures such as for research purposes
  • File a Complaint