The Health Insurance Portability and Accountability Act (HIPAA) is a federal regulation designed to improve the portability and continuity of health insurance, combat waste, fraud, and abuse, and promote the use of medical savings accounts.
HIPAA also required the creation of national standards to protect sensitive patient health information from disclosure without the patient’s consent or knowledge.
HIPAA Privacy Rule
The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirements of HIPAA. The standards address the use and disclosure of individuals’ health information (known as Protected Health Information or PHI) by those subject to the Privacy Rule. These individuals and organizations are called “covered entities” (see details below).
The Privacy Rule also outlines standards for individuals’ rights to control how their health information is used. The rule permits important uses of information while protecting the privacy of people seeking care and healing.
HIPAA Security Rule
The HIPAA Security Rule protects a subset of information covered by the Privacy Rule. This includes all individually identifiable health information created, received, maintained, or transmitted in electronic form by a covered entity. This is called electronic protected health information, or e-PHI. The Security Rule does not apply to PHI shared orally or in writing.
To comply with the HIPAA Security Rule, covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI
- Detect and safeguard against anticipated threats to information security
- Protect against anticipated impermissible uses or disclosures not allowed by the rule
- Certify compliance by their workforce
HIPAA violations may result in civil monetary or criminal penalties.
Covered Entities
Individuals and organizations subject to the Privacy Rule are considered covered entities. These include:
- Health care providers
- Health plans (Exception: A group health plan with fewer than 50 participants administered and maintained solely by the employer is not a covered entity.)
- Health care clearinghouses
- Business associates
For complete information concerning covered entities, related hybrid entities, and business associates, visit the U.S. Department of Health and Human Services website.