
Office of Compliance Programs

Revised: January 22, 2018

HIPAA Privacy

HIPAA Privacy Workforce Training

The Health Insurance Portability & Accountability Act (HIPAA) requires that the University train all workforce members (faculty, staff, residents, students, volunteers and contractors) about the University’s HIPAA policies and those specific HIPAA-required procedures that may affect the work you do for the University.


This presentation provides a summary of the HIPAA Privacy Rule.

It defines basic terms and lists basic principles that all LSUHSC-NO faculty, staff, residents and students, who deal with patient information on a regular basis, must understand and follow.

Important HIPAA Privacy Terms

This Training Program will Help YOU Understand…


What Does HIPAA Do?

HIPAA is the Health Insurance Portability and Accountability Act, a federal law that…

The Purpose of HIPAA?

To protect and enhance the rights of consumers by providing them with:

The Rule’s goal is to maintain the trust in the health care system and improve the quality, efficiency and effectiveness of health care delivery.

Promotes the balance of:

The HIPAA Privacy Rule in a nutshell

A covered entity (e.g. LSUHSC-NO and its faculty, staff and students) may not use or disclose protected health information (PHI) about a patient without that patient's written authorization unless the use or disclosure falls under one of the exceptions.

An Overview of the Law

Overview of the Law



Training Methods Offered at LSUHSC-NO

HIPAA Provides for the Following:

Who is Impacted?

The organizations covered by HIPAA are defined as “covered entities.”

A “covered entity” can be any of the following:

LSUHSC-NO, as a health care provider, is a “covered entity” under HIPAA.

This means that the university must abide by the requirements of the HIPAA Privacy Rule.

Who Has to Follow the HIPAA Law?

All faculty, staff and students must comply with HIPAA.

What is Protected Health Information (PHI)?

PHI consists of two parts:

  1. Information that personally identifies the patient (an identifier)
  2. Any information, including genetic information, whether oral or recorded in any form or medium, that:
    1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
    2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Examples of Patient Identifiers

Examples of What PHI is NOT…

Use and Disclosure of PHI

LSUHSC-NO faculty, staff and students may not use or disclose PHI without a patient’s written authorization unless the use or disclosure qualifies for one of the exceptions in the HIPAA regulations.

Common Disclosures of PHI Allowed WITHOUT a HIPAA Authorization Form

Treatment, Payment, and Health Care Operations (TPO) Defined

Use and Disclosure Exception:

What is a HIPAA Authorization Form?

Examples of when a HIPAA Authorization is Required include, but are not limited to:

Invalid Authorizations

An authorization is considered invalid if the document has any of the following defects:

HIPAA Privacy regulations require that very specific language be included in authorization documents. For that reason, only the HIPAA authorization forms available on LSUHSC-NO’s policy web pages, or the authorization forms approved by the health care facility where you are working, may be used to obtain a patient’s authorization to use or disclose their PHI.

Use of any other form will result in an Invalid Authorization and a Breach of PHI.

Who Has Access to PHI? The “Need to Know” Principles

PHI should be shared with as few individuals as needed to ensure patient care and then only to the extent demanded by the individual’s role.

The “Need to Know” Principles

How Does “Need to Know” Translate into HIPAA?

HIPAA requires use of the Minimum Necessary concept:

TREATMENT is an EXCEPTION!

Never provide more information than what is needed!!

Minimum Necessary Rule (Exceptions)

The Minimum Necessary requirement does NOT apply in the following instances:

HIPAA Requires the University To:

Provide a copy of LSUHSC-NO’s Notice of Privacy Practices (NPP) brochure when a patient first visits an LSUHSC-NO clinic. The brochure describes:

Ask the patient to sign a written acknowledgment that he/she received the Notice of Privacy Practices.

Post the NPP at the location (ex. in the patient waiting room) and on the location’s website. (Contact the Office of Compliance Programs for NPP posters.)


Patient’s Rights

HIPAA Provides for specific Patient Rights, which include:

Right to Access

Right to Request Amendment and Restrict Disclosure

If a patient requests an Amendment or Restriction of the PHI contained in their medical record, the health care provider must reference the corresponding HIPAA Privacy Policy contained in CM-53 AND contact the LSUHSC-NO Privacy Officer.

LSUHSC-NO must agree to the request of an individual to restrict disclosure of PHI about the individual to a health plan if:

Right to an Accounting of Disclosures

A patient has the right to receive an accounting of certain types of disclosures of Protected Health Information made by LSUHSC-NO for up to six (6) years prior to the date on which the accounting is requested. This includes any disclosures for reasons other than treatment, payment or operations.

Where Can I find The Privacy Policies and Procedures?

At LSUHSC-NO, the HIPAA Privacy Policies and Procedures are contained in Chancellor’s Memorandum 53, available at:

How Does HIPAA Privacy Affect Providers?

LSUHSC-NO has a commitment to protect the privacy of the patient’s health information, in both medical and billing records.

The privacy policies and procedures affect the tasks a provider performs, including aspects of physical security of PHI and the minimum necessary standard.

Protecting a Patient’s PHI is YOUR Responsibility

PHI can be compromised in many different ways. It is your responsibility to protect PHI in all situations so that you do not expose a patient’s PHI.

A patient’s PHI can be breached in any of the following ways. (This is not an all-inclusive list, but rather examples of various risks to PHI.)

Role of the Privacy Officer

Privacy Complaints

If anyone suspects or knows of mishandling or misuse of patient PHI, a complaint can be made to the:

How to Report a HIPAA Violation

Contact the LSUHSC-NO Privacy Officer or the Office of Compliance Programs via:

Penalties for HIPAA Violations

There is a tiered system for assessing the level and penalty of each violation:

Additional Penalties

As a Recap…

Getting Help

Office of Compliance Programs
433 Bolivar St.
Suite 807
New Orleans, LA. 70112