HIPAA 100 Training Manual
Table of Contents
I. Introduction 1
II. Definitions 2
III. Privacy Rule 5
IV. Security Rule 8
V. A Word About Business Associate Agreements 10
CHICAGO DEPARTMENT OF PUBIC HEALTH
I. Introduction: Under the Health Insurance Portability and Accountability Act (HIPAA), the
City of Chicago is a hybrid entity, and has designated as its health care components the
following departments: Public Health, Fire, Aging (case management division), Finance
(Benefits Management Office), Law, Revenue, and the Office of Emergency Management and
The Chicago Department of Public Health (CDPH) is a hybrid-covered entity as well as the
local public health authority as defined under HIPAA. The CDPH has implemented a
compliance plan with the federal rules and regulations applicable to the HIPAA Standards for
Privacy of Individually Identifiable Health Information, Standards for Electronic Transactions,
and the Security Rule.
To address compliance with HIPAA, the following three sets of rules have been issued by the
United States Department of Health and Human Services (DHHS):
• The Standards for Electronic Transactions or Transactions and Code Set (TCS) Rule
establishes technical specifications for conducting electronic health care transactions
using standard formats approved by the Department of Health and Human Services
(DHHS). The TCS Rule applies primarily to activities related to billing processes.
(Compliance date: October 16, 2003)
• The Privacy Rule regulates the use and/or disclosure of any individually identifiable
health information maintained by health plans, health care clearinghouses, and health
Care providers. (Compliance Date: April 14, 2003)
• The Security and Electronic Signature Standards (Security Rule) is aimed at ensuring
the security and integrity of computer systems that store and transmit Protected Health
Information (PHI). (Compliance date: April 20, 2005.)
The material contained in this training packet should provide CDPH workforce members with a
basic understanding of HIPAA rules and how they apply to CDPH. Questions regarding these
materials, or other HIPAA queries should be posed to the CDPH HIPAA Compliance Officer a
II. HIPAA Definitions:
Business associate - A person who:
(a) On behalf of a health care component, but other than in the capacity of a member of
the workforce of the component, performs, or assists in the performance of:
(i) A function or activity involving the use or disclosure of individually identifiable
health information, including claims processing or administration, data
analysis, processing or administration, utilization review, quality assurance,
billing, benefit management, practice management, and repricing; or
(ii) Any other function or activity regulated by HIPAA; or
(b) Provides, other than in the capacity of a member of the workforce of the health care
component, legal, actuarial, accounting, consulting, data aggregation, management,
administrative, accreditation, or financial services to or for the component where the
provision of the service involves the disclosure of PHI from such component, or
from another business associate of such component, to the person.
CMS-Centers for Medicare and Medicaid programs
Designated record set - A group of records maintained by or for a health care component
(a) The medical records and billing records about individuals maintained by or for a health
(b) The enrollment, payment, claims adjudication, and case or medical management
record systems maintained by or for a health plan; or
(c) Used, in whole or in part, by or for the covered entity to make decisions about
Disclosure - The release, transfer, provision of access to, or divulging in any other manner of
information outside the entity holding the information.
Health care component - A component or combination of components of a hybrid designated
by the hybrid entity in accordance with 45 CFR 164.504(c)(3)(iii). The health care
components, as designated by the City of Chicago are as follows: Department on Aging (case
management division), Department of Public Health (all programs except Epidemiology and
Birth/Death Records), Department of Fire, Department of Revenue, and the Department of
Law (Municipal Prosecutions, Commercial & Policy Litigation, Torts, Regulatory & Aviation
Litigation and Individual Defense divisions).
Health care operations - Any of the following activities of the health care component to the
extent that the activities are related to covered functions:
(a) Conducting quality assessment and improvement activities, including outcome
evaluation and development of clinical guidelines, provided that the
obtaining of generalizable knowledge is not the primary purpose of any such
studies resulting from such activities; population-based activities relating to
improving health or reducing health care costs, protocol development, case
management and care coordination, contacting of health care providers and
patients with information about treatment alternatives; and, related functions
that do not include treatment;
(b) Reviewing the competence or qualifications of health care professionals, evaluating
practitioner and provider performance, health plan performance, conducting
training programs in which students, trainees, or practitioners in areas of
health care learn under supervision to practice or improve their skills as
health care providers, and training of non-health care professionals,
accreditation, certification, licensing, or credentialing activities;
(c) Underwriting, premium rating, and other activities relating to the creation,
renewal or replacement of a contract of health insurance or health benefits,
and ceding, securing or placing a contract for reinsurance of risk relating to
claims for health care (including stop-loss insurance and excess of loss
(d) Conducting or arranging for medical review, legal services, and auditing
functions, including fraud and abuse detection and compliance programs;
(e) Business planning and development, such as conducting cost-management
and planning-related analyses related to managing and operating the entity,
including formulary development and administration, development or
improvement of methods of payment or coverage policies; and,
(f) Business management and general administrative activities of the entity.
HHS - United States Department of Health and Human Services.
Hybrid entity - A single legal entity:
(a) That is a covered entity;
(b) Whose business activities include both covered and non-covered functions; and
(c) That designates health care components in accordance with 45 CFR 164.504(c)(3)(iii).
Institutional Review Board (IRB) - A committee group comprised of City of Chicago
personnel and community representatives with varying backgrounds and professional
experience that review and approve the research protocols involving human subjects.
Individually Identifiable Health Information - Information that is a subset of health
information, including demographic information collected about an individual, and:
(a) Is created or received by a health care provider, health plan, employer or health care
(b) Relates to the past, present, or future physical or mental health or condition of an
individual; the provision of health care to an individual; or the past, present, or future
payment for the provision of health care to an individual; and,
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can
be used to identify the individual.
Limited data set - A subset of protected health information that excludes the direct identifiers
listed below. All the direct identifiers must be removed for the individual and relatives
employers, or household members of the individual.
(2) Postal address information, other than town or city, State, and zip code;
(3) Telephone numbers;
(4) Fax numbers;
(5) Electronic mail addresses;
(6) Social security number;
(7) Medical record numbers;
(8) Health plan beneficiary numbers;
(9) Account numbers;
(10) Certificate/license numbers;
(11) Vehicle identifiers and serial numbers, including license plate numbers;
(12) Device identifiers and serial numbers;
(13) Web Universal Resource Locators (URLs);
(14) Internet Protocol (IP) address numbers;
(15) Biometric identifiers, including finger and voice prints; and
(16) Full face photographic images and any comparable images.
Payment - The activities undertaken by (1) the health plan to obtain premiums or to determine
or fulfill its responsibility for coverage and provision of benefits under the health plan; or (2) a
health care component or health plan to obtain or provide reimbursement for the provision of
Personal representative - Any adult who has decision-making capacity and who is willing to
act on behalf of a patient. A personal representative includes an individual who has authority,
by law or by agreement from the individual receiving treatment, to act in the place of the
individual. This includes parents, legal guardians or properly appointed agents, like those
identified in a Durable Power of Attorney, or individuals designated by state law.
Protected health information (PHI) - Individually identifiable health information that is (a)
transmitted by electronic media; (b) maintained in any electronic medium; or (c) transmitted or
maintained in any other form or medium. Protected health information excludes individually
identifiable health information in employment records held by a covered entity in its role as
Qualified protective order - An order of a court or of an administrative tribunal or a
stipulation by the parties to the litigation or administrative proceeding that:
(a) Prohibits the parties from using or disclosing the PHI for any purpose other than the
litigation or proceeding for which such information was requested; and
(b) Requires the return to the covered entity or destruction of the PHI (including all copies
made) at the end of the litigation.
Records - Means any item, collection, or grouping of information that includes protected
health information and is maintained, collected, used, or disseminated by or for a health care
TPO - Means treatment, payment or health care operations.
Use - With respect to individually identifiable information, the sharing, employment,
application, utilization, examination, or analysis of such information within an entity that
maintains such information.
III. THE PRIVACY RULE: The increasing sophistication of information technology continues to
make it easier to move patient information from one source to another. This, however, has
raised serious concerns about how that information is used and /or disclosed.
The Privacy Rule establishes a national standard for protecting an individual’s medical records
and other PHI. Moreover, the Privacy Rule is intended to give patients greater control over
the use of their health information. Importantly, the Privacy Rule not only creates new patient
rights with respect to PHI, it also establishes significant civil and criminal sanctions for the
misuse or unauthorized disclosure of PHI.
A. Protected Health Information: Protected Health Information (PHI) is individually identifiable
health information “Individually-Identifiable Health Information” is any information that is
received or created by the health provider that relates to the past, present or future physical or
mental health condition of an individual, or the payment of health care services rendered to an
individual, or the payment of health care services rendered to an individual, and reasonably
identifies the individual. Simply put, any record or form with information that CDPH
employees receive or generate, whether electronic, oral or written, that contains health
information or information that might reasonably identify the individual constitutes PHI and is
covered under the Privacy Rule. PHI excludes any information about employees that are held
by the City in its role as an employer. For example, this would exclude individually identifiable
information that is collected from an employee by the City about leave requested under the
Family and Medical leave Act (FMLA).
PHI covers a wide array of oral, written and electronic material. Some examples of PHI in the
Chicago Department of Public Health include the following:
• Lab reports / requests
• Billing Forms
The following, alone or in combination with each other, are examples of Patient Identifiers:
• Telephone number
• Fax number
• E-mail address
• Social Security Number
• Medical record number
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images
• Health plan beneficiary numbers
• Account number
• Certificate / license number
• Vehicle identifiers and serial numbers, including license plates numbers
• Device identifiers and serial numbers
• Web universal resource locators (URL’s)
B. Disclosure of PHI: Generally, CDPH may disclose PHI, without patient authorization, for
treatment, payment or health care operations.
Treatment - No authorization is needed to refer a patient to a specialist or to discuss
a patient’s treatment with another health care provider.
Payment - No authorization is needed to discuss PHI when obtaining payment
information from a patient’s health plan.
Health Care Operations - No authorization is needed to disclose PHI to a CDPH
employee who is conducting an audit of patient files.
Other examples of permitted disclosures include if a patient requests in writing for a copy of
his/her records for him/herself; if a CDPH patient authorizes CDPH to release his/her patient
records to a third party, such as a family member, attorney, or other provider; or, if a legally
valid subpoena is issued as determined by the CDPH attorney and the Law Department. If, as
a member of the CDPH workforce, you are ever in doubt or unclear as whether to release
PHI, err on the side of caution, and ask your supervisor or the CDPH HIPAA Compliance
Officer for assistance.
C. City of Chicago Notice of Privacy Practices: The Privacy Rule mandates that all patients
shall be offered a written copy of the City’s Notice of Privacy Practices. (See Addendum # 3)
This notice describes to the patient how his/her medical information may be used and
disclosed. In addition, the patient should sign a form acknowledging that a written copy of the
Notice was offered. This completed form is to be placed in the patient’s record and maintained
for six years. (See Addendum # 4)
The following summarizes the contents of the City of Chicago Notice of Privacy Practices..
Patients Rights Regarding Protected Health Information
• To request restrictions on uses and disclosures
• To receive confidential communication
• To access PHI
• To receive an accounting of disclosures
• To inspect or copy records
• To request an amendment of protected health information
• To receive the City of Chicago Notice of Privacy Practices
• To file complaints with the City of Chicago Privacy Officer and / or the Office of Civil
Other Uses and Disclosures Allowed Without Authorization
• Public health risks
• Health oversight activities
• Lawsuits and similar proceedings
• Law enforcement
• Deceased patients
• Serious threats to health or safety
• National security
• Worker’s compensation
The Privacy Rule applies to all forms of patients’ PHI, whether electronic, written, or oral.
In adhering to Privacy Rule, CDPH workforce members must always strive to protect the
individual patient’s health information by promoting appropriate access and use of PHI.
IV. Security Rule
A. The primary objective of the HIPAA Security Rule is to protect the confidentiality,
integrity, and availability of ePHI (electronic protected health information).
• Confidentiality ensures that data or information is not made available or disclosed
to unauthorized persons or processes.
• Integrity guarantees that data or information has not been altered or destroyed in
an unauthorized manner.
• Availability provides that data or information is accessible and usable upon
demand by an authorized person.
The three standards for compliance under the HIPAA Security Rule address
administrative, physical, and technical safeguards.
• Administrative Safeguards: Those actions, policies, an procedures that manage
the selection, development, implementation, and maintenance of security
measures to protect ePHI and to manage the conduct of CDPH’s workforce in
relations to the protection of that information.
• Physical Safeguards: Security measures to protect CDPH’s electronic
information systems and related buildings and equipment from natural and
environmental hazards and unauthorized intrusion.
• Technical Safeguards: The technology and policy and procedures for its use that
protect ePHI ad control access to it.
B. ePHI Safeguards: The Administrative, Physical, and Technical safeguards are broad
categories with specific implementation requirements under each one. The City of
Chicago HIPAA Policies address each Security Rule requirement related to these
safeguard. CDPH has implemented its own HIPAA Security Rule policies. The following
topics are primary areas of concern for CDPH systems.
i. Password Usage and Management: Each user must have and use a unique
User Login ID and password that identifies him/her as the user of the
information system. The User Login ID is only created upon a written request
to CDPH OMIS. The user is responsible for managing their account, using
his/her ID and maintaining his/her password Users may not allow anyone for
any reason to have access to any information system using another user’s
unique User Login ID and password. When technically feasible, each
information system will automatically require users to change passwords at a
pre-determined interval as determined by the program in consultation with
OMIS, based on the criticality and sensitivity of the ePHI (electronic Protected
Health Information) contained within the network, system, application, and/or
database. When not technically feasible to automate required password
changes, the program supervisor is responsible for implementing manual
procedures, with assistance from OMIS as necessary, to ensure that
passwords are changed on a regular basis
ii. Virus protection: The City of Chicago will install on all workstations anti-virus
software to prevent transmission of malicious software. This software will be
regularly updated. Portable workstations, e.g., PDAs, laptops, etc., are also
subject to the same safeguards and protections as stationary (desktop)
iii. E-mail: Protected Health Information is not to be transmitted via e-mail.
iv. Incident Response: In the event of an emergency where user workstations at
various facilities are unable to access ePHI, workstations locally connected to
the servers that store ePHI shall be provided. As an alternative, to the extent
possible, ePHI may be copied onto other media and maintained securely at
other facilities. If copies are made, they should be digitally encrypted and
secured so only authorized users can access the data contained on them.
Finally, the City of Chicago has identified an incident response team to
respond to critical system issues including, but not limited to, security issues.
v. Hand Held Devices: Portable workstations, e.g., PDAs, laptops, etc., are
subject to the same safeguards and protections as stationary workstations.
Portable workstations shall be maintained in a safe and secure manner when
transported. Personally owned computers may not be connected to the
business network. Access to e-mail and/or the portal is acceptable only with
prior OMIS approval.
vi. Laptop Security: Only if the portable electronic device has documented,
working antivirus software, will it be permitted to connect to the network.
Laptops must have log-on or power-on passwords. Laptops that contain PHI,
even briefly, should not be shared among programs users. Lost or stolen
laptops must be reported to OMIS immediately.
vii. Access Control Issues: The level of security assigned to a user of the City’s
and CDPH’s information systems is based on the minimum necessary
amount of data access required to carry out legitimate job responsibilities.
Blanket access will not be provided for any user. Access categories are role-
based and defined by the importance of the applications running on the
information system, the value or sensitivity of the ePHI on the information
system, security controls on the information system, security controls on the
workstation utilized to access the information system, and the extent to which
the information system is connected to other information systems.
viii. Individual Accountability: The HIPAA Sanction Policy is included as part of
the 'Violations and Enforcement of this Policy Section" of the City of
Chicago's Information Management Policy located at
df. IN addition, HIPAA rules allow for fines at the individual level for violations
of the rules.
ix. Desktop Security: The City of Chicago maintains an intranet page
(http://home.cityofchicago.org/VirusAlert/BIS-NIT-DS-001.htm) that contains
security update information. In addition, the City sends out security reminders
on a monthly basis to all users reminding them to make sure their
workstations are adequately protected
V. A Word About Business Associate Agreements: All contracts, including but not
limited to intergovernmental agreements, memoranda of understanding, and delegate
agency agreements, with business associates related to PHI and/or ePHI (electronic
Protected Health Information) must include language and requirements regarding
adherence to HIPAA standards and rule by the contractor. The CDPH HIPAA Officer will
provide current City of Chicago HIPAA Business Associates Agreement language upon
CDPH programs are responsible for informing the CDPH HIPAA Compliance Officer of
any violations of HIPAA by contractors, including delegate agencies and subcontractors.
The HIPAA Compliance Officer will work with programs, as appropriate, to ensure that
contractors in question have access to HIPAA information. If violations of HIPAA are
continuous or frequent, or contractors are resistant to becoming HIPAA compliant, the
matter will be brought to the attention of the City of Chicago HIPAA Officers, for inquiry