The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
The Privacy Rule establishes national standards for the protection of individually identifiable health information, called protected health information (“PHI”), as well as standards for individuals' privacy rights to understand and control how their health information is used.
The Security Rule establishes a national set of security standards for protecting individually identifiable health information that is created, received, maintained, or transmitted in electronic form (“e-PHI”). The Security Rule specifies a series of administrative, technical, and physical security procedures to assure the confidentiality, integrity, and availability of e-PHI.
Who is covered?
HIPAA applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (“covered entities”). If a covered entity engages a business associate to help carry out health care activities and functions, the covered entity must have a written business associate agreement that requires the business associate to comply with HIPAA. In addition to contractual obligations, business associates are directly liable for compliance with certain HIPAA rules.
What Information is protected under HIPAA?
Protected Health Information is "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. “Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and
- that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Within HHS, the Office for Civil Rights (OCR) has responsibility for administering and enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties and may conduct complaint investigations and compliance reviews.