top of page


Note to Users: This notice is NOT the same as your health plan's Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Notice of Privacy Practices, which describes in detail how your health plan uses and discloses your individually identifiable health information. Your health plan has a Notice of Privacy Practices, which includes policies for using and disclosing your information, including information you provide to OXUM HEALTH AND WELLNESS (OHW). This is managed by your health plan, not by OXUM HEALTH AND WELLNESS, so we can't let you know of changes or updates. If you would like to read a copy of your health plan's Notice of Privacy Practices, please ask your provider for a copy.

The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections. The Privacy Rule is at 45 CFR Part 160 and Subparts A and E of Part 164. The following is a summary of key elements of the Privacy Rule and is not a complete or comprehensive guide to compliance. Entities regulated by the Rule are obligated to comply with all of its applicable requirements and should not rely on this summary as a source of legal information or advice.

What Information is Protected:

The Privacy Rule protects all "individually identifiable health information" held or transmitted by OXUM HEALTH AND WELLNESS  (OHW) or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." "Individually identifiable health information" is information, including demographic data, that relates to:

  • the individual's past, present or future physical or mental health or condition,

  • the provision of health care to the individual, or

  • the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that OHW maintains in its capacity as an employer.

Basic Principle: A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual's protected health information may be used or disclosed by OHW  MUST not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual's personal representative) authorizes in writing.

Required Disclosures: OHW  must disclose protected health information in only two situations: (a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and (b) to HHS when it is undertaking a compliance investigation, compliance review, or an enforcement action.

Permitted Uses and Disclosures: OHW  is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations: (1) to the Individual (unless required for access or accounting of disclosures); (2) treatment, Payment, and Health Care Operations; (3) opportunity to Agree or Object; (4) incident to an otherwise permitted use and disclosure; (5) public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations

Examples of HIPAA Violations:

  • Accessing health information of coworkers, family members, politicians and celebrities

  • Throwing PHI into the trash - All PHI material MUST be placed in a secure shredder

  • Sharing patient information with unauthorized persons'

  • Telling friends or relatives about patients who use OHW services

Non-compliance with HIPAA regulations can result in:

Penalties for civil violations:

  • HIPAA violation: Unknowing

    • Penalty range: $100 - $50,000 per violation, with an annual maximum of $25,000 for repeat violations

  • HIPAA violation: Reasonable Cause

    • Penalty range: $1,000 - $50,000 per violation, with an annual maximum of $100,000 for repeat violations

  • HIPAA violation: Willful neglect but if the violation is corrected within the required time period

    • Penalty range: $10,000 - $50,000 per violation, with an annual maximum of $250,000 for repeat violations

  • HIPAA violation: Willful neglect and is not corrected within the required time period

    • Penalty range: $50,000 per violation, with an annual maximum of $1.5 million

Criminal penalties:

  • The DOJ handles criminal violations of HIPAA. As with the HIPAA civil penalties, there are different levels of severity for criminal violations

  • Covered entities  and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information, in violation of the Administrative Simplification Regulations, face a fine of up to $50,000, as well as imprisonment up to 1 year

  • Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison

  • Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment up to 10 years

If an employee(s) sees another staff member misusing PHI, the incident must be reported to OHW 

Security Rule

HIPAA regulations also include a Security Rule. Effective on April 21, 2005, the Security Rule set the standard to ensure the privacy of electronic protected health information. OHW  has implemented the requirements of the Rule and continually monitors and manages the required security controls.

bottom of page