HIPAA and HITECH Summary

The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule first became effective in 2003. It is designed to ensure that health plans and health care providers keep each individual’s health information as confidential and as securely safeguarded as is reasonably possible.

HIPAA Covered Entities

Health Care Providers Health Plans: All arrangements that pay the cost of medical care (medical, dental, vision, long-term care, health flexible spending accounts (FSA) and employee assistance programs (EPA) that provide more than referral services Self-insured health plan (medical, dental, vision or FSA), if it has more than 50 participants and/or uses a third-party administrator (TPA) Insurance company, is a health plan unto itself.

The HITECH (Health Information Technology for Economic and Health) Act enacted February 17, 2009 adds new privacy protection standards and requires covered entities to notify individuals and Department of Health and Human Services (HHS) of privacy breaches.

Protected Health Information (PHI) is individually identifiable information that is created or received by a plan and which relates to the past, present or future physical or mental health or condition of the person, relates to the past, present or future provision of health care, or relates to past, present or future payment of health care to the person. To be PHI, information must be created or received by the plan.

Information created or received by an employer, in its role as employer, is not PHI.

Medical information commonly received by an employer in its role as an employer which is not PHI, include FMLA leave requests, sick leave reports and accident reports. Plan enrollment information becomes PHI once it is delivered to the insurance company but may be disclosed to the employer. Utilization and/or biometric information may be disclosed to an employer in a “de-identified” format.

For more information regarding safeguards, procedures and sanctions, contact:

The insurance company that provides your plan

A provider specializing in Human Resource Administration

PHI identifies the individual to whom health information relates or creates a reasonable basis on the part of the disclosing entity for believing that the information may be used to identify the individual. Information from a plan may be “de-identified”by removing all HIPAA identifiers.

HIPAA lists 18 Identifiers


All geographical subdivisions smaller than a State (e.g. address);

Dates (e.g. date of birth, admission, discharge, death, treatment);

Phone numbers;

Fax numbers;

Electronic mail addresses;

Social Security Numbers (SSN);

Medical record numbers;

Health plan beneficiary numbers;

Account numbers;

Certificate/license numbers;

Vehicle identifiers and serial numbers;

Device identifiers and serial numbers;

Web Universal Resource Locators (URLs);

Internet Protocol (IP) address numbers;

Biometric identifiers, including finger, retinal and voice prints;

Full face photographic images and any comparable images; and

Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data).

Pacific Benefit Planners meets the requirements for the specified physical and technical safeguards. We have upgraded our file server and all passwords associated with access. Our practices for working with our clients to obtain and implement health plans meet standards for security including secure email, encrypted file server and cloud file storage.


Online Resources >

Looking for online services? We now offer individual insurance enrollment and online forms for your convenience. If you need assistance, please contact one of our agents.

What's New >

Get the latest news, updates about insurance, notices of events and more.