The Health Insurance Portability and Accountability Act (HIPAA) is a United States law that was enacted in 1996 by Congress. The law’s primary purpose is to protect the privacy of patient health information. The law also sets standards for the security and accuracy of health information.

The HIPAA Privacy Rule sets national standards for the privacy of individually identifiable health information. The HIPAA Security Rule sets national standards for the security of electronic protected health information.

The HIPAA Breach Notification Rule requires covered entities to notify individuals, the Secretary of the Department of Health and Human Services (HHS), and the media of certain breaches of unsecured protected health information.

Who is Affected by HIPAA?

The HIPAA Privacy Rule applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. These transactions are known as HIPAA transactions.

The HIPAA Security Rule applies to health plans, health care clearinghouses, and health care providers that electronically store or transmit protected health information.

The HIPAA Breach Notification Rule applies to health plans, health care clearinghouses, and health care providers that experience a breach of unsecured protected health information.

What is Protected Health Information?

Protected health information is information that is individually identifiable and that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for the provision of health care to an individual.

How is Protected Health Information Used?

Protected health information may be used and disclosed for the following purposes:

  • treatment.
  • payment.
  • health care operations.
  • research.
  • public health purposes.
  • law enforcement purposes.
  • disclosure to a family member, friend, or other person involved in the individual’s care or payment for care.

What are the HIPAA Privacy Rule Requirements?

The HIPAA Privacy Rule requires covered entities to:

  1. establish and implement a written privacy policy.
  2. designate a privacy official.
  3. provide training on the privacy policy.
  4. issue a notice of privacy practices.
  5. obtain written authorization from the individual before using or disclosing protected health information.
  6. maintain the privacy of protected health information.

What are the HIPAA Security Rule Requirements?

The HIPAA Security Rule requires covered entities to:

  • adopt administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of protected health information.
  • develop and implement a risk management plan to identify and address potential threats to the security of protected health information.
