HIPAA: Health Information Portability and Accountability Act

HIPAA is a sectoral law first enacted in 1996 to bring about several changes in the healthcare industry. Among these changes are a Security Rule and a Privacy Rule, which protect personal health information.

What is Protected Health Information?

Protected Health Information is any personally identifiable health information communicated in any form (oral, paper or electronic) that is maintained by a covered entity as defined by HIPAA (see below). Personally identifiable health information may include a person’s age, gender and other demographic information, as well as information about their diagnosis; prognosis; their past, present or future medical health or conditions; and payment for the provision of past, present or future medical care. Any information that could potentially identify an individual is considered protected health information (PHI).

Who Must Comply With HIPAA?

In general, any entity that handles protected health information must comply with HIPAA regulations. However, the law specifically names the following, all of which are considered “covered entities”:

  • Health Care Providers – All hospitals, doctors, nurses, health care workers and any other healthcare service providers
  • Health Plans – Medicare and Medicaid; private insurance companies; group health plans
  • Business Associates – Any third party that handles protected health information as a service, such as billing, data analysis, data aggregation, etc.

The Privacy Rule

The HIPAA Privacy Rule attempts to strike a balance between the need for disclosure among health care professionals (to ensure quality care, payment and the maintenance of public security) and the protection of the identity and personal health information of the patient.

Under the Privacy Rule a patient has the right to:

  • Notice of a covered entity’s privacy practices which include the type of information collected and its intended use.
  • Consent or object to the disclosure of protected health information to third parties other than those disclosures granted to business associates for the rendering of treatment or services. The Privacy Rule requires that a signed authorization from the individual be placed on record for each specific third party with which the patient wishes to share their information.
  • Access and amend the protected health information that an entity has on record about them. A minimal charge may be assessed to cover the expenses associated with providing access to, or changes to, their records.
  • Limited disclosure of protected health information. Disclosure must be limited to the minimum necessary. When a health care provider or plan shares personal health information with a business associate for the purpose of rendering a service (i.e., billing, data analysis, research, etc.), the covered entity must ensure that the business associate or third party will maintain the same standards of privacy.
  • Safeguarding of their protected health information. All entities handling personal health information must maintain the necessary physical, technical and administrative safeguards to protect the confidentiality, integrity and security of the patient’s information.

Exceptions to the Privacy Rule

The Privacy Rule makes provisions for the disclosure of protected health information without the limitations outlined above for the following situations:

  • Information needed for public health activities and safety
  • In coordination with law enforcement or judicial activities and proceedings
  • Certain research purposes
  • Special Government functions

The Security Rule

HIPAA’s Security Rule deals specifically with the protection of personal health information in its electronic form, which includes data stored on computer hard drives and magnetic or digital storage devices.

The Security Rule requires that covered entities take reasonable measures to:

  • Ensure the confidentiality, integrity, and availability of electronic health information
  • Protect against the unauthorized access, use or disclosure of protected health information.
  • Enforce HIPAA compliance in the work force.

Furthermore, the Security Rule requires:

  • The designation of a responsible individual or entity to implement and enforce the Security Rule
  • Initial and periodic risk assessments to determine the efficacy of current safeguards, evaluate new threats and implement the protections necessary to maintain the confidentiality and integrity of the data
  • The creation of an ongoing training program to educate the workforce on complying with the Security Rule
  • The covered entity to incorporate the Security Rule into business associate contracts, to ensure that all business associates maintain an equivalent level of protection

The Health Care Portability and Accountability Act plays a significant role in protecting the privacy of health information. HIPAA is a complex and far-reaching law that pertains to all professionals involved in the health care field. Education in HIPAA compliance must be ongoing, and compliance must be closely monitored to ensure the protection of health information.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

  • U.S. Public and Private Sector General Laws including HIPAA (I.A.b.i.)

3 comments to HIPAA: Health Information Portability and Accountability Act

  • brian hall

    I was working as a paramedic for an ambulance service for 2.5 years. In Feb 2008 I discovered that my employer was throwing PHI/HIPAA items in the trash. I fished them out and returned them to my boss, but he didn't take me seriously. During the period of March 2010 to April 2010 I discovered on 3 occasions 400-600 PHI items in the dumpster, including very sensitive documents that were identifiable and could be used in identity theft. I pulled them out and filed a complaint with HHS/Civil Rights. I constructively discharged myself from that company and was retaliated against, and I am currently fighting against them. What is my next step?

  • Check into the whistle blower protections. I’m sure a ton of lawyers would love to take a case like that.

  • Keep It In House

    The care system is flawed like all systems. This situation would be best handled by following your administrative chain of command. Do report this error in judgment to a lawyer. That will only result in backfiring in your face. HR and Risk Management would be crawling down your back, as short as your career there would probably be after that. I know whistleblower protections are discreet, but you get my point. The lawsuit would only create a worse situation for other employees as well as patients. The lawsuit would be huge and the funds would have to be compensated. Do you get my point? Report the issue to the next level in the chain of command; if it still goes unnoticed, every risk management program has discreet reporting available. If it is a small clinic, your next step is the medical director. If that is who did the issue, your next step is the administration director. If that still is not working, you can implement a strategic intervention with multiple employees.
