Serving Colorado's Counties

Technical Update vol. 26 no. 37 - Understanding HIPAA

September 13, 2022

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 with the primary goals of ensuring continuous health insurance coverage for people who have lost or changed jobs and lowering costs by standardizing rules for storing and transmitting protected health information (PHI). Part of the act deals with the safety and security of PHI. The Office for Civil Rights (OCR), part of the U.S. Department of Health & Human Services (HHS), offers training for health care organizations on the civil rights, health information privacy, and patient confidentiality laws that they are subject to under HIPAA. The OCR also audits organizations for compliance with HIPAA laws and investigates complaints concerning possible violations.


HIPAA fines use a tiered system. A first-tier fine, defined as a violation where “the covered entity did not know and could not reasonably have known of the breach,” can range from $100 to $50,000 per violation or per record, with a maximum fine of $1.5 million per year for each violation. A fourth-tier fine, in which “the covered entity ‘acted with willful neglect’ and failed to make a timely correction,” ranges from $50,000 to $1.5 million per incident. The OCR may also levy criminal charges in certain instances, adding litigation costs to the fines. Penalties like these can be ruinous to small and mid-size organizations, so you must verify that you and any business with whom you might share PHI comply with HIPAA guidelines.

HIPAA Guidance

The HHS provides numerous publications that offer guidance and training on HIPAA regulations at If your organization deals with PHI, take the time to review and assess the security measures used to protect that information. PHI includes 18 unique, personally identifiable information elements, including names, phone numbers, vehicle identifiers, email addresses, and medical records. Educate your employees on what information is and is not protected under HIPAA to limit the risks of data breaches and the accompanying fines.

What This Means for Counties

County employees who handle PHI should be trained on HIPAA regulations and protections. As a service to our members, CTSI offers a Training Library of relevant, curated films on a wide range of human resources, workplace safety, and other work-related topics at If you would like to learn more about HIPAA, the Training Library offers two films, HIPAA Overview and HIPAA Crash Course. You may also contact our Loss Control department at 303 861 0507 for additional training resources. 

