
What is HIPAA and HITECH? Where do I report violations?

posted Mar 19, 2018, 7:51 AM by Randall Donner   [ updated Mar 19, 2018, 7:52 AM ]

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) protect the privacy and security of an individual’s Protected Health Information, or “PHI”. Because of the services that Mosaic provides to the people we serve, Mosaic is considered a Covered Entity and must comply with HIPAA/HITECH.

Protected Health Information (PHI) is any individually identifiable health information held by a covered entity or its business associate (vendor), in any form or medium, whether electronic, paper or oral, that can be linked to a specific individual. PHI includes, but is not limited to, the following types of information:

  • name,
  • address,
  • phone number,
  • email address,
  • patient account and medical record numbers,
  • birth date,
  • Social Security Number,
  • full-face photographic images and any comparable images.

What do employees need to know about HIPAA/HITECH?

A major purpose of HIPAA/HITECH is to define and limit the situations in which a person’s PHI may be used or disclosed by covered entities such as Mosaic. The laws impose strict requirements and timelines for reporting to the Federal Government if PHI is disclosed in a manner not consistent with the law. Therefore, if you believe PHI has been released improperly, please let the Compliance Department know as soon as possible, using one of the following methods:

  • Via email at;
  • Via the Compliance Hotline at 800.443.4899; or
  • Call 877.366.7242 and ask for a member of the Compliance Department.

Examples of the types of disclosures that should be reported to the Compliance department include:

  • The progress notes from a doctor’s visit of a person served are left out on a table and a guardian of another person served views the document;
  • An ISP is emailed to the wrong person;
  • Two employees think they are having a private conversation about a person served but realize people unaffiliated with Mosaic may have overheard them;
  • A full face picture is posted of a person served on an agency Facebook account without first securing proper authorization from the person’s guardian (ADCI-PR form);
  • A work laptop is stolen out of a car (this can also be reported to IT).

*Note: this is not an exhaustive list; when in doubt, contact the Compliance Department.

Remember: Not only is protecting PHI required by law, it is also the right thing to do for the people we serve. HIPAA gives people the right to say how and when personal information about them will be used. This is consistent with our values and efforts to empower the people we serve to exert more control over their lives.