The Health Information Portability And Accountability Act (HIPAA)

—Updated 1/4/2016

hipaa-smThe Health Information Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996. Under HIPAA, Congress tasked the U.S. Department of Health and Human Services (HHS) to come up with national standards for the safe electronic transfer of health data if Congress did not enact privacy legislation within three years of HIPAA’s passage. Because Congress was unable to do so, HHS developed what is known as the HIPAA Privacy Rule. After two public comment periods and over 60,000 comments, the final Privacy Rule was published on August 14, 2002.

HIPAA Privacy Rule
The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information by health care providers, health plans and health care clearinghouses. According to HHS, Protected Health Information includes all individually identifiable health information held or transmitted by a HIPAA-covered entity or its business associate, in any form or media, whether electronic, paper or oral. Individually identifiable health information includes information relating to your past, present or future physical or mental health or condition, the provision of health care to you, or the past, present or future payment for the provision of health care to you that that identifies you, or for which there is a reasonable basis to believe it can be used to identify you.

These regulations establish a federal baseline of privacy for accessing and handling medical information. While states are free to add additional laws on top of HIPAA, the protections under HIPAA are guaranteed to all citizens of the United States. These guarantees include:

  • The right to see, copy and request to amend your medical records. While you could be charged for copies of your records, HIPAA sets limits on those fees. Before HIPAA, you were not guaranteed access to your medical files by federal law.
  • You can find out who has accessed your records over the previous six years. However, there are limitations to these accounts. Any disclosure of records involving treatment, payment or health care operations are not required to be disclosed.
  • You must be given a notice of HIPAA privacy practices by your health care facility. This notice must be available in the facility and must inform you how to exercise you rights under HIPAA, including how to file a complaint with your health care provider and with the HHS Office of Civil Rights.
  • Criminal and civil penalties are authorized under the HIPAA Privacy Rule if the federal government brings a lawsuit for violations.
  • You can choose to have your medical information discussed with designated immediate family members, close friends, or relatives.

2013 HIPAA Omnibus Rule – Requirements added to standard HIPAA privacy and security rules

Who Must Comply With The HIPAA Privacy Rule?

Concerns with HIPAA


Read more: