Healthcare is one of the most heavily regulated industries in the country. One of the broadest and most comprehensive sets of Federal healthcare regulations in America today is broadly labeled as ‘HIPAA’. Every one of us knows about HIPAA by now. As healthcare consumers, we have all seen and signed those Notices of Privacy Practices forms wherever we receive healthcare services. As Grafton employees, we are subject to its provisions from the provider standpoint.

HIPAA (the Health Insurance Portability and Accountability Act), HITECH (the Health Information Technology for Economic and Clinical Health Act), and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights’ final omnibus rule (Final Rule) have established many boundaries around the privacy and security of patient health information. For convenience, I will use HIPAA to refer to this whole set of regulations.

Patient health information took a new name under HIPAA and became Protected Health Information (PHI). PHI is not specific to electronic information and applies equally to written records, telephone conversations, etc. According to the Department of Health and Human Services, PHI includes data that relates to:

• the individual’s past, present or future physical or mental health or condition or
• the provision of health care to the individual or
• the past, present, or future payment for the provision of health care to the individual
One of the provisions under HIPAA is that healthcare providers must appoint someone to be the Privacy Officer and someone to be the Security Officer, with the charge of ensuring that the organization complies with the Privacy and Security provisions in the regulations. At Grafton, and many other organizations, one individual combines those roles. Because HIPAA began with a focus strictly on electronic information, and as I was Grafton’s Chief Information Officer, I assumed the dual role.

In my next blog post, I’d like to address some of the most common problem areas that I have seen in ensuring that we as employees adhere to HIPAA’s provisions, provisions that may sometimes seem a nuisance. It may seem that way, but if it were your own personal health information, I’m sure you would want it to be kept as confidential as possible. I know I would.