Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act, enacted by Congress in 1996, was intended to create a national standard for the protection of personally identifiable information relating to health care. HIPAA requires entities to: adopt written privacy procedures that describe who has access to protected information, how such information will be used, and when the information may be disclosed; require their business associates to protect the privacy of health information; train their employees in their privacy policies and procedures; take steps to protect against unauthorized disclosure of personal health records; and designate an individual to be responsible for ensuring the procedures are followed. Educational institutions may be obligated to comply with HIPAA in connection with a broad range of activities.

HIPAA requires protection of "Protected Health Information." Protected health information is:

  • Individually identifiable health information
  • Maintained or transmitted
  • In whatever form the information exists, including oral communications

Individually identifiable health information is a subset of all health information collected from an individual that:

  • Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  • Relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for the provision of health care to an individual; and
  • Identifies the individual or could be used to identify the individual.

The term "individual" includes deceased persons and may include minors.

Typically, the following types of records and activities involve Protected Health Information and are subject to regulation:

  • Medical records, including electronic and paper medical records consisting of case histories, clinical records, diagnostic films and test results as well as treatment charts and progress reports. Medical information transmitted orally may also be considered Protected Health Information.
  • Other health information, including insurance information such as claims submission, adjudication and payment, eligibility determination and reporting, utilization review, referrals and authorizations, grievance and appeals, and medical management information such as utilization management.

More information on HIPAA may be found at
http://www.hhs.gov/ocr/hipaa