Skip navigation

Compliance and Ethics


Page Content


In 1996, Congress passed the Health Insurance Portability and Accountability Act,
or HIPAA.  The goal of HIPAA was to create national standards aimed at protecting sensitive patient health information (PHI) from disclosure through creation of the following rights for patients:

    • to request their medical records whenever they like.
    • to request amendment to their medical records when appropriate.
    • right to limit who has access to their personal health information.
    • right to choose how healthcare providers communicate with them.
    • right to complain about the unauthorized disclosure of their PHI.

Subsequent regulations identified several components necessary for compliance with HIPAA:

  1. The Privacy Rule protects reasonable security of physical records in all forms (PHI),  and requires the following of those entities subject to HIPAA: 
    • provide Notice of Privacy Rights indicating how PHI is used
    • adopt privacy policies and procedures
      • train employees to understand the privacy requirements and related policies and procedures
    • keep records containing PHI secure
    • limit access to “minimum necessary” with PHI only disclosed if authorized by the individual or allowed or permitted by regulations 
  2. The Security Rule-Provides for the security of electronic records (ePHI) by establishing "national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity”.  The rule consists of three types of safeguards: 
    • Administrative safeguards-“administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” (See The DHHS Security Standards- Administrative Safeguards)
    • Technical safeguards-“the technology and the policy and procedures for its use that protect electronic protected health information (ePHI) and control access to it” per §164.304. (See The DHHS Security Standards-Technical Safeguards)
    • Physical safeguards-the physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” (See The DHHS Security Standards-Physical Standards

For additional info, see the Security Rule Guidance Material web page

  1. The HIPAA Enforcement/Breach Notification Rule requires covered entities to notify patients when their unsecured protected heath information (PHI) is impermissibly used or disclosed—or “breached,”—in a way that compromises the privacy and security of the PHI.

What is protected health information (PHI)?

  • Any information in the possession of covered entities that identifies the past, present or future physical or mental health of an individual, including, all communication media - written, verbal and electronic.
  • Examples of PHI include:
    • Name
    • Address
    • Zip Code
    • Names of relatives
    • Name of employer
    • DOB
    • Telephone number
    • Fax number
    • E-mail address
    • Finger or voice prints
    • Photographic images
    • SSN
    • Medical record number
    • Health plan beneficiary number
    • Account number
    • Certificate/license number
    • Vehicle or other device serial number
    • IP address any other unique identifier, character, code; and 
    • Any and all other identifying information reasonably useable to identify a patient 

Who are covered entities?

Covered entities include (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.

How does HIPAA affect USM?

The Health Insurance Portability and Accountability Act also known as HIPAA apply to covered entities.  USM is a covered entity to the degree that some units transmit health information in connection with transactions for which the U.S. Department of Health and Human Services (HHS) has adopted standards. 

What is a hybrid entity?

A hybrid entity conducts both covered and non-covered functions.

USM is an organization that conducts both covered and non-covered functions, and therefore, USM designates itself as a hybrid entity under HIPAA.

Which units are covered components?

USM declares itself a hybrid entity and has designated certain units as components of the overall USM covered entity.

For a list of such units, see the Hybrid Entity Policy 


General Questions- complianceFREEMississippi 

HIPAA Privacy Officer- Paul.WaltersFREEMississippi

HIPAA Security Officer-Allen.BaxterFREEMississippi