The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a set of federal rules designed in part to protect the privacy of an individual’s health information.
Compliance, Ethics & Risk Management
Health Sciences Campus
Health Information – Any information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Individually Identifiable Health Information – Information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual .
Protected Health Information - PHI is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.
HIPAA Signed into Law by President Clinton
August 1996
Effective Date of the HIPAA Privacy Rule
April 2003
Effective Date of the HIPAA Security Rule
April 2005
Effective Date of the HIPAA Breach Enforcement Rule
March 2006
Effective Date of HITECH and Breach Notification Rule
September 2009
Effective Date of the Final Omnibus Rule
March 2013
The federal privacy regulations under HIPAA grants individuals certain rights to be informed about and to control their PHI.
Rights Under HIPAA |
Here’s Where to Look |
|
Right to inspect and copy of their PHI, including receiving electronic copies of all records included in the designated record set |
|
|
Right to amend their PHI |
|
|
Right to receive an accounting of disclosures of their PHI |
|
|
Right to receive a Notice of Privacy Practices |
|
|
Right to receive confidential communications of PHI |
|
|
Right to restrict disclosure on certain uses and disclosures of their PHI |
|
|
Right to file a complaint about a covered entity’s privacy practices to the covered entity as well as to the Office for Civil Rights (OCR). |
|
Patient’s consent is permitted but not required for uses or disclosures of PHI for treatment, payment, or hospital operations.
Authorization is required for all uses or disclosures of PHI not allowed in the privacy rule. Voluntary consent is not sufficient.
Required elements: