Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Background

HIPAA Privacy Rule

The Privacy Rule standards address the use and disclosure of individuals' protected health information (PHI) by entities subject to the rule. These individuals and organizations are called "covered entities."

The Privacy Rule also contains standards for individuals' rights to understand and control how their health information is used. It protects individual health information while allowing necessary access to health information, promoting high-quality healthcare, and protecting the public's health. The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing.

Covered Entities

The following types of individuals and organizations are subject to the Privacy Rule and considered covered entities:

• Healthcare providers: Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions. These transactions include:
  • Claims
  • Benefit eligibility inquiries
  • Referral authorization requests
  • Other transactions for which HHS has established standards under the HIPAA Transactions Rule.
• Health plans:
  Health plans include:
  • Health, dental, vision, and prescription drug insurers
  • Health maintenance organizations (HMOs)
  • Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers
  • Long-term care insurers (excluding nursing home fixed-indemnity policies)
  • Employer-sponsored group health plans
  • Government- and church-sponsored health plans
  • Multi-employer health plans

Exception: A group health plan with fewer than 50 participants administered solely by the establishing and maintaining employer, is not covered.

• Healthcare clearinghouses: Entities processing nonstandard information received from another entity into a standard format or vice versa. Healthcare clearinghouses receive identifiable health information when providing processing services to a health plan or healthcare provider as a business associate.
• Business associates: A non-member of a covered entity's workforce using individually identifiable health information to perform functions for a covered entity. These functions, activities, or services include:
  • Claims processing
  • Data analysis
  • Utilization review
  • Billing

Permitted Uses and Disclosures

The law permits a covered entity to use and disclose PHI, without an individual's authorization, for the following situations:

• Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity MUST disclose to the individual)
• Treatment, payment, and healthcare operations
• Opportunity to agree or object to the disclosure of PHI
  • An entity can obtain informal permission by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object
• Incident to an otherwise permitted use and disclosure
• Limited dataset for research, public health, or healthcare operations
• Public interest and benefit activities—The Privacy Rule permits use and disclosure of PHI, without an individual's authorization or permission, for 12 national priority purposes:

1. When required by law
2. Public health activities
3. Victims of abuse or neglect or domestic violence
4. Health oversight activities
5. Judicial and administrative proceedings
6. Law enforcement
7. Functions (such as identification) concerning deceased persons
8. Cadaveric organ, eye, or tissue donation
9. Research, under certain conditions
10. To prevent or lessen a serious threat to health or safety
11. Essential government functions
12. Workers' compensation

HIPAA Security Rule

While the HIPAA Privacy Rule safeguards PHI, the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called electronic protected health information, or e-PHI. The Security Rule does not apply to PHI transmitted orally or in writing.

To comply with the HIPAA Security Rule, all covered entities must:

• Ensure the confidentiality, integrity, and availability of all e-PHI
• Detect and safeguard against anticipated threats to the security of the information
• Protect against anticipated impermissible uses or disclosures that are not allowed by the rule
• Certify compliance by their workforce

Covered entities should rely on professional ethics and best judgment when considering requests for these permissive uses and disclosures. The HHS Office for Civil Rights enforces HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.

For more information, visit HHS's HIPAA website.