CINXE.COM

<!DOCTYPE html>   <html lang="en" dir="ltr" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# sioc: http://rdfs.org/sioc/ns# sioct: http://rdfs.org/sioc/types# skos: http://www.w3.org/2004/02/skos/core# xsd: http://www.w3.org/2001/XMLSchema#">  <head> <meta http-equiv="X-UA-Compatible" content="IE=edge">  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="Generator" content="Drupal 7 (http://drupal.org)" /> <link rel="canonical" href="/security/breach-prevention/compliance-information" /> <link rel="shortlink" href="/node/99" /> <link rel="shortcut icon" href="https://hipaa.yale.edu/misc/favicon.ico" type="image/vnd.microsoft.icon" /> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=10, minimum-scale=1, user-scalable=yes" /> <title>Compliance Information | Health Insurance Portability and Accountability Act</title>  <link rel="shortcut icon" sizes="16x16 24x24 32x32 48x48 64x64" href="/sites/all/themes/yalenew_base/images/favicon.ico" type="image/vnd.microsoft.icon"> <link rel="icon" sizes="228x228" href="/sites/all/themes/yalenew_base/images/touch-icon-228.png"> <link rel="apple-touch-icon-precomposed" sizes="228x228" href="/sites/all/themes/yalenew_base/images/touch-icon-228.png"> <link type="text/css" rel="stylesheet" href="https://hipaa.yale.edu/sites/default/files/css/css_xE-rWrJf-fncB6ztZfd2huxqgxu4WO-qwma6Xer30m4.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://hipaa.yale.edu/sites/default/files/css/css_tmLW2XUIUfo7avAdmlR9Y5csxfSrCZwNNfiVQCd0_Q0.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://hipaa.yale.edu/sites/default/files/css/css_Ok1DDBVnqQ9-KgI-AMFE7nF2PlBEvlT_SeSUVL08ZBw.css" media="all" /> <link type="text/css" rel="stylesheet" href="//maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://hipaa.yale.edu/sites/default/files/css/css_SbupwLY96NaCH1HAe9Sy9EfHqQ1Kyj0Oq1Ed_4OscR4.css" media="all" /> <link type="text/css" rel="stylesheet" href="https://hipaa.yale.edu/sites/default/files/css_injector/css_injector_1.css?s9hdlu" media="all" /> <link type="text/css" rel="stylesheet" href="https://hipaa.yale.edu/sites/default/files/css_injector/css_injector_2.css?s9hdlu" media="all" /> <link type="text/css" rel="stylesheet" href="https://hipaa.yale.edu/sites/default/files/css_injector/css_injector_3.css?s9hdlu" media="all" /> <link type="text/css" rel="stylesheet" href="https://hipaa.yale.edu/sites/default/files/css_injector/css_injector_6.css?s9hdlu" media="all" />   <link type="text/css" rel="stylesheet" href="https://hipaa.yale.edu/sites/default/files/css/css_059BxwQdO3W6gC_prw0ohrQj1fWv8MiFJkqt4YP0qJk.css" media="all" />  <script type="text/javascript" src="https://hipaa.yale.edu/sites/all/libraries/respondjs/respond.min.js?s9hdlu"></script> <script type="text/javascript"> <![CDATA[//><!]]> </script> <script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script> <script type="text/javascript"> <![CDATA[//><!]]> </script> <script type="text/javascript" src="https://hipaa.yale.edu/sites/default/files/js/js_Hfha9RCTNm8mqMDLXriIsKGMaghzs4ZaqJPLj2esi7s.js"></script> <script type="text/javascript" src="https://hipaa.yale.edu/sites/default/files/js/js_WwwX68M9x5gJGdauMeCoSQxOzb1Ebju-30k5FFWQeH0.js"></script> <script type="text/javascript" src="https://hipaa.yale.edu/sites/default/files/js/js_oAfqXa2DIpUo7OsSlNsm_nI5oFs7NL4fMl1iZhnW5K8.js"></script> <script type="text/javascript" src="https://hipaa.yale.edu/sites/default/files/js/js_DTAfYFrWdyPCGwWtVg2VmSbP1KqFAlfZyeAcFZTbiNY.js"></script> <script type="text/javascript" src="https://www.googletagmanager.com/gtag/js?id=UA-9112073-12"></script> <script type="text/javascript"> <![CDATA[//><!]]> </script> <script type="text/javascript" src="https://hipaa.yale.edu/sites/default/files/js/js_UNPtX_ZGxcpSkJyp8ls50mHCG5a_tcqRFqN4KjkfLso.js"></script> <script type="text/javascript"> <![CDATA[//><!]]> </script> </head> <body class="html not-front not-logged-in page-node page-node- page-node-99 node-type-page yalenew-standard context-security two-sidebars nav-carbon block-carbon nav-serif block-font-serif block-outline"> <aside role='complementary' id="skip-link" aria-label="Skip to main content"> <a href="#main-content" class="element-invisible element-focusable">Skip to main content</a> </aside> <div class="region region-page-top" id="region-page-top"> <div class="region-inner region-page-top-inner"> </div> </div> <div class="page clearfix" id="page"> <header id="section-header" class="section section-header" role="banner"> <div id="zone-topper-wrapper" class="zone-wrapper zone-topper-wrapper clearfix yalenew-standard-topper"> <div id="zone-topper" class="zone zone-topper clearfix container-12"> <div class="grid-3 region region-topper-first" id="region-topper-first"> <div class="region-inner region-topper-first-inner"> <div class="topper-logo"><a href="http://www.yale.edu" class="y-icons y-yale y-univ"><span class="element-invisible">Yale University</span></a> </div> <div id="moved-main-nav-wrapper"> <button aria-expanded="false" id="nav-ready" class="nav-ready"><span class="element-invisible">Open Main Navigation</span></button> <div id="moved-main-nav" class="moved-main-nav" data-set="append-main-nav"></div> <button aria-expanded="true" id="nav-close" class="nav-close nav-hidden"><span class="element-invisible">Close Main Navigation</span></button> </div> </div> </div> <div class="grid-9 region region-topper-second" id="region-topper-second"> <div class="region-inner region-topper-second-inner"> <div class="block block-search block-form block-search-form odd block-without-title" id="block-search-form"> <div class="block-inner clearfix"> <div class="content clearfix"> <form class="search-form" role="search" aria-label="Site Search" action="/security/breach-prevention/compliance-information" method="post" id="search-block-form" accept-charset="UTF-8"><div><div class="container-inline"> <div class="form-item form-type-textfield form-item-search-block-form"> <label for="edit-search-block-form--2"><i class="fa fa-search"></i><span class="element-invisible">Search this site<span> </label> <input title="Enter the terms you wish to search for." class="custom-search-box form-text" placeholder="Search this site" type="text" id="edit-search-block-form--2" name="search_block_form" value="" size="15" maxlength="128" /> </div> <div class="form-actions form-wrapper" id="edit-actions"><input style="display:none;" type="submit" id="edit-submit" name="op" value="" class="form-submit" /></div><input type="hidden" name="form_build_id" value="form-lLAVx6TNSnDbsCOWJNtolFzVIbKykkHZt_2sHXTQ0J4" /> <input type="hidden" name="form_id" value="search_block_form" /> </div> </div></form> </div> </div> </div> <div class="block block-menu block-menu-secondary-menu block-menu-menu-secondary-menu even block-without-title" id="block-menu-menu-secondary-menu"> <div class="block-inner clearfix"> <div class="content clearfix"> <ul class="menu"><li class="first last leaf menu-contact-us"><a href="/contact-us"><span>Contact Us</span></a></li> </ul> </div> </div> </div> </div> </div> </div> </div><div id="zone-branding-wrapper" class="zone-wrapper zone-branding-wrapper clearfix"> <div id="zone-branding" class="zone zone-branding clearfix container-12"> <div class="grid-10 region region-branding" id="region-branding"> <div class="region-inner region-branding-inner"> <div class="branding-data clearfix"> <h2 class="site-name"><a href="/" title="Home">Health Insurance Portability and Accountability Act </a></h2> </div> </div> </div> </div> </div></header> <main id="section-content" class="section section-content" role="main"> <div id="section-content-inner"> <div id="zone-menu-wrapper" class="zone-wrapper zone-menu-wrapper clearfix"> <div id="zone-menu" class="zone zone-menu clearfix yale-standard-menu container-12"> <div id="original-main-nav-wrapper"> <div id="original-main-nav" data-set="append-main-nav"> <div id="main-nav"> <div class="grid-12 region region-menu" id="region-menu"> <div class="region-inner region-menu-inner"> <nav id="main-menu-navigation" role="navigation" aria-label="Main Menu" class="navigation"> <div class="block block-system block-menu block-main-menu block-system-main-menu odd block-without-title" id="block-system-main-menu"> <div class="block-inner clearfix"> <div class="content clearfix"> <ul class="menu"><li class="first leaf menu-patient-rights"><a href="/patient-rights">Patient Rights</a></li> <li class="collapsed menu-policies-&-procedures"><a href="/policies-procedures-forms">Policies & Procedures</a></li> <li class="collapsed menu-security"><a href="/protecting-hipaa-data">Security</a></li> <li class="expanded active-trail menu-breach-prevention"><a href="/security/breach-prevention" class="active-trail">Breach Prevention</a></li> <li class="collapsed menu-resources"><a href="/resources">Resources</a></li> <li class="last collapsed menu-training"><a href="/training">Training</a></li> </ul> </div> </div> </div> </nav> </div> </div> </div> </div> </div> </div> </div> <div id="zone-content-wrapper" class="zone-wrapper zone-content-wrapper clearfix"> <div id="zone-content" class="zone zone-content clearfix container-12"> <div id="breadcrumb" class="grid-12"><nav class="breadcrumb" role="navigation" aria-label="You are here"><a href="/">Home</a><span class="tic"> > </span><a href="/security/breach-prevention">Breach Prevention</a><span class="tic"> > </span>Compliance Information</nav></div> <div id="moved-sidenav-wrapper" class="moved-sidenav-wrapper grid-12"> <div id="moved-sidenav" class="moved-sidenav" data-set="append-sidenav"></div> </div> <div class="grid-5 push-3 region region-content" id="region-content"> <div class="region-inner region-content-inner"> <a id="main-content" tabindex="-1"></a> <h1 class="title" id="page-title">Compliance Information </h1> <div class="block block-block block-97 block-block-97 odd block-without-title" id="block-block-97"> <div class="block-inner clearfix"> <div class="content clearfix"> <hr /> </div> </div> </div> <div class="block block-system block-main block-system-main even block-without-title" id="block-system-main"> <div class="block-inner clearfix"> <div class="content clearfix"> <article about="/security/breach-prevention/compliance-information" typeof="foaf:Document" class="node node-page node-published node-not-promoted node-not-sticky author-14 odd clearfix" id="node-page-99">  <span property="dc:title" content="Compliance Information" class="rdf-meta element-hidden"></span><span property="sioc:num_replies" content="0" datatype="xsd:integer" class="rdf-meta element-hidden"></span> <div class="content clearfix"> <div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><h2>Effective date: April 30, 2012</h2> <h4>Violations and Penalties</h4> <p>In 2011, the US Department of Health and Human Services Office for Civil Rights increased HIPAA enforcement activities in accordance with HITECH mandates including issuing large penalties and settlements for noncompliance:</p> <ul> <li>Cignet Health of Prince George’s County, MD was fined $4.3 million for denying patients access to their records and related HIPAA violations.</li> <li>Massachusetts General Hospital agreed to a $1 million settlement arising from paper records pertaining to 192 patients having been left behind on the Boston subway.</li> <li>University of California at Los Angeles agreed to a $865,000 settlement arising from inappropriate access to celebrity records by staff members.</li> <li>In the fall the US Department of Health and Human Services announced plans to audit 150 HIPAA Covered Entities over the next year for HIPAA compliance.</li> </ul> <h4>Reminders for Avoiding Violations at Yale</h4> <ul> <li>Everyone is required to report any potential breach of PHI. Some examples include: <ul> <li>Loss or theft of a laptop, external hard drive, thumb drive, or paper chart containing PHI</li> <li>Access to PHI outside of an individual’s job responsibilities</li> <li>Improper disposal of PHI such as failure to shred paper documents or securely delete electronic records prior to device disposal or re-purposing</li> <li>Misdirected mailings, emails, or faxes</li> <li>Malware infection on ePHI containing devices</li> </ul> </li> </ul> <p><strong>Potential breaches should be reported to the Security Office hotline at 203.627.4665</strong></p> <ul> <li>Health information included in any presentations or seminars other than for the purpose of patient care, must be redacted of all identifiers including names, dates, medical record numbers etc.</li> <li>PHI collected in the course of a research study is still PHI and must be handled with the same regard to privacy and security as clinical information.</li> <li>VPN should be used for any remote access to Yale PHI. <a href="https://yale.service-now.com/it?id=support_article&sys_id=0a16c0a92b93e840fcb01abf59da15d6">View more information on how to use VPN.</a></li> <li>Non-Yale email services such as Gmail and Yahoo may not be used to send messages or attachments containing PHI.</li> <li>Access to systems containing PHI is subject to electronic audit and monitoring by the University to ensure compliance with University policies on appropriate use and disclosure of protected health information.</li> <li>Please keep in mind that the reminders from 2011 are still applicable and may be found below. Everyone is still required to ensure their devices are appropriately secured and to update your information as you add or discard devices.</li> </ul> <h2>Effective date: August 26, 2011</h2> <p>Yale University is committed to providing the highest quality health care, which includes respecting the right of patients and clinical research subjects to maintain the privacy and security of their health information. The standards for protecting health information are described in the federal law known as the Health Insurance Portability and Accountability Act (HIPAA). HIPAA and Yale’s HIPAA policies apply to individually identifiable information on past, present or future health care or payment for health care, which HIPAA calls “Protected Health Information” or “PHI.” PHI stored electronically is called “ePHI.”</p> <p><a href="http://https://hipaa.yale.edu/">Yale’s policies</a> are designed to ensure the appropriate privacy and security of all PHI across the University, in compliance with the law. Yale’s HIPAA policies apply to all faculty, staff, trainees, students and others in Yale’s HIPAA Covered Components: the Schools of Medicine (excluding the School of Public Health, the Animal Resources Center, and the basic science departments: Cell Biology, Cellular and Molecular Physiology, Comparative Medicine, History of Medicine, Immunobiology, Microbial Pathogenesis, Molecular Biophysics & Biochemistry, Neurobiology, Neuroscience, Pharmacology and WM Keck Biotechnology Resources Laboratory), Yale School of Nursing, Yale Health, Department of Psychology clinics and the Group Health Plan Component.</p> <p>All faculty, staff, trainees, students and others in Yale’s HIPAA Covered Components must comply with Yale University’s <a href="/security/breach-prevention/compliance-requirements">Compliance Requirements</a>.</p> </div></div></div> </div> <div class="clearfix"> <nav class="links node-links clearfix"></nav> </div> </article> </div> </div> </div> <div class="block block-block block-17 block-block-17 odd block-without-title" id="block-block-17"> <div class="block-inner clearfix"> <div class="content clearfix"> <p><strong>Please review and familiarize yourself with the <a href="/security/breach-prevention/compliance-information">Compliance Information</a> and <a href="/security/breach-prevention/compliance-requirements">Compliance Requirements</a>. You are responsible for complying with these requirements.</strong></p> <hr /> </div> </div> </div> </div> </div> <div class="grid-3 pull-5 region region-sidebar-first sidebar yale-standard-sidebar" id="region-sidebar-first"> <div class="region-inner region-sidebar-first-inner"> <div class="original-sidenav" data-set="append-sidenav"> <div id="additional-nav" class="addnav-ready"> <span class="additional-nav-button"><a id="additional-nav-button" role="button" aria-expanded="false" tabindex="0"><span class="ready">Additional Navigation</span><span class="close">Close</span></a></span> <nav class="block block-menu-block block-9 block-menu-block-9 odd has-subject" id="block-menu-block-9" role="navigation" aria-label="Breach Prevention"> <div class="block-inner clearfix"> <h2 class="block-title">Breach Prevention</h2> <div class="content clearfix"> <div class="menu-block-wrapper menu-block-9 menu-name-main-menu parent-mlid-0 menu-level-2"> <ul class="menu"><li class="first leaf active-trail active menu-mlid-714 menu-compliance-information"><a href="/security/breach-prevention/compliance-information" class="active-trail active-trail active">Compliance Information</a></li> <li class="leaf menu-mlid-1131 menu-compliance-requirements"><a href="/security/breach-prevention/compliance-requirements">Compliance Requirements</a></li> <li class="leaf menu-mlid-716 menu-advice-for-applications"><a href="/security/breach-prevention/advice-applications">Advice for Applications</a></li> <li class="leaf menu-mlid-684 menu-for-everyone"><a href="/security/breach-prevention/breach-prevention-everyone">For Everyone</a></li> <li class="leaf menu-mlid-715 menu-for-servers"><a href="/security/breach-prevention/breach-prevention-servers">For Servers</a></li> <li class="leaf menu-mlid-723 menu-safe-harbor-encryption"><a href="/security/breach-prevention/safe-harbor-encryption">Safe Harbor Encryption</a></li> <li class="leaf menu-mlid-853 menu-smartphones"><a href="https://cybersecurity.yale.edu/minimumsecuritystandards">Smartphones</a></li> <li class="last leaf menu-mlid-734 menu-workstations"><a href="https://your.yale.edu/policies-procedures/procedures/1610-pr03-network-configuration-security">Workstations</a></li> </ul></div> </div> </div> </nav> </div> </div> </div> </div> <div class="grid-4 region region-sidebar-second sidebar yale-standard-sidebar-second" id="region-sidebar-second"> <div class="region-inner region-sidebar-second-inner"> <aside class="block block-block block-4 block-block-4 odd has-subject" id="block-block-4" role="complementary" aria-label="Reporting an Incident, Lost or Stolen Data, or Device"> <div class="block-inner clearfix"> <h2 class="block-title">Reporting an Incident, Lost or Stolen Data, or Device</h2> <div class="content clearfix"> <p><a href="/sites/default/files/files/HIPAA%20Incident%20Reporting%20Form.doc">Report a Privacy Concern (paper form)</a></p> <p><a href="https://yalesurvey.qualtrics.com/SE/?SID=SV_8CCh5idmc4FFia9">Report a Privacy Concern (on-line)</a></p> <p><a href="https://cybersecurity.yale.edu/get-help/report/report-incident">Security Incident Reporting </a></p> </div> </div> </aside> </div> </div> </div> </div> </div> </main> <footer id="section-footer" class="section section-footer" role="contentinfo"> <div id="zone-footer-wrapper" class="zone-wrapper zone-footer-wrapper clearfix"> <div id="zone-footer" class="zone zone-footer clearfix container-12"> <div class="grid-2 region region-footer-first" id="region-footer-first"> <div class="region-inner region-footer-first-inner"> <div class="footer-logo"><a href="http://www.yale.edu" class="y-icons y-yale y-mark"><span class="element-invisible">Yale</span></a></div> </div> </div> <div class="grid-6 region region-footer-second" id="region-footer-second"> <div class="region-inner region-footer-second-inner"> <p class="copyright"> <a href="https://usability.yale.edu/web-accessibility/accessibility-yale">Accessibility at Yale</a> · <a href="http://www.yale.edu/privacy-policy">Privacy policy</a> <br> Copyright © 2025 Yale University · All rights reserved </p> <div class="block block-footer-message block-footer-message block-footer-message-footer-message odd block-without-title" id="block-footer-message-footer-message"> <div class="block-inner clearfix"> <div class="content clearfix"> <p>HIPAA | PO Box 208255 | New Haven, CT 06520-8255 | <a href="mailto:hipaa@yale.edu">hipaa@yale.edu</a></p> </div> </div> </div> </div> </div> <div class="grid-4 region region-footer-third" id="region-footer-third"> <div class="region-inner region-footer-third-inner"> <div class="block block-menu sharing block-menu-social-buttons block-menu-menu-social-buttons odd block-without-title" id="block-menu-menu-social-buttons"> <div class="block-inner clearfix"> <div class="content clearfix"> <ul class="menu"><li class="first leaf menu-facebook"><a href="https://www.facebook.com/YaleUniversity" title=""><span>Facebook</span></a></li> <li class="leaf menu-twitter"><a href="http://www.twitter.com/yale" title=""><span>Twitter</span></a></li> <li class="leaf menu-flickr"><a href="http://www.flickr.com/photos/yaleuniversity" title=""><span>Flickr</span></a></li> <li class="leaf menu-itunes"><a href="http://itunes.yale.edu" title=""><span>iTunes</span></a></li> <li class="last leaf menu-youtube"><a href="http://www.youtube.com/yale" title=""><span>YouTube</span></a></li> </ul> </div> </div> </div> </div> </div> </div> </div></footer> </div> <div class="region region-page-bottom" id="region-page-bottom"> <div class="region-inner region-page-bottom-inner"> </div> </div> <script type="text/javascript"> <![CDATA[//><!]]> </script> <script type="text/javascript" src="https://hipaa.yale.edu/sites/default/files/js/js_JMVekk522eOkII71K9F5yD4Su-iRqPdTR_-LxjPAtMk.js"></script> </body> </html>