Learn the answers to some of the most frequently asked questions about privacy in healthcare, including questions about HIPAA, PHI and more.

Does the United States have a National Privacy Law?

The United States does not currently have a national privacy law. Rather, the federal government, states and cities have passed and implemented a variety of privacy laws. In addition to the Health Insurance Portability and Accountability Act (HIPAA), U.S. laws that protect an individual’s information include:  

  • The Fair Credit Reporting Act 
  • The Gramm-Leach-Bliley Act 
  • The Federal Trade Commission Act Section 5 
  • And several others 

As of March 2023, states including California, Colorado, Connecticut, Utah and Virginia have enacted comprehensive privacy laws. Further, data breach notification laws vary in each state.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law, Public Law 104-191, which includes Administrative Simplification provisions requiring the Department of Health and Human Services (HHS) to adopt national standards for electronic health transactions and code sets, unique health identifiers, and security.  

In addition, HIPAA requires the adoption of federal privacy protections for individually identifiable health information. HIPAA includes the Privacy Rule, Security Rule and Enforcement Rule.  

Who is required to comply with HIPAA?  

Covered entities, including health plans, healthcare clearinghouses, and any healthcare provider who transmits health information electronically in connection with transactions for which HHS has adopted a standard, are required to comply with HIPAA.  

If a covered entity engages a business associate to help carry out its healthcare activities and functions, it must have a written business associate contract or another arrangement with the business associate. Business associates must comply with these contractual obligations and are directly liable for compliance with certain provisions of the HIPAA Rules.

What is the HIPAA Privacy Rule? 

The HIPAA Privacy Rule creates national standards to protect individuals’ medical records and other personal health information. The Privacy Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of information without an individual’s authorization. The Privacy Rule also contains standards for individuals’ rights over their protected health information.

What is Protected Health Information? 

Protected Health Information (PHI) is individually identifiable health information held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral.  

Individually identifiable health information is information, including demographic data, that relates to: the individual’s past, present or future physical or mental health or condition, the provision of healthcare to the individual, or the past, present, or future payment for the provision of healthcare to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Examples of common identifiers include birth date, name, and address. 

What rights do individuals have under the HIPAA Privacy Rule?

Under the HIPAA Privacy Rule, individuals have a right to receive notice of a covered entity’s privacy practices, which describe ways that the covered entity may use and disclose protected health information. In addition, individuals have the right to:  

  • Review and obtain a copy of their PHI in a covered entity’s designated record set.  
  • Have covered entities amend their PHI in a designated record set when that information is inaccurate or incomplete.  
  • Receive an accounting of the disclosures of their PHI by a covered entity or the covered entity’s business associates. 
  • Request that a covered entity restrict the use or disclosure of PHI for treatment, payment or healthcare operations, disclosure to persons involved in the individual’s healthcare or payment for healthcare, or disclosure to notify family members or others about the individual’s general condition, location, or death. 
  • Request an alternative means or location for receiving communications of PHI.  

How can entities covered by the HIPAA Privacy Rule use and disclose Protected Health Information?

Covered entities are required to disclose Protected Health Information (PHI) in two situations:

  1. to individuals (or their personal representatives) when they request access to, or an accounting of disclosures of, their PHI 
  2. to HHS for the purposes of a compliance investigation or review, or enforcement action 

Covered entities are permitted, but not required, to use and disclose PHI, without an individual’s authorization, for the below purposes. Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make. 

  1. To the Individual (unless required for access or accounting of disclosures)  
  2. Treatment, Payment, and Healthcare Operations 
  3. Opportunity to Agree or Object  
  4. Incident to an otherwise permitted use and disclosure 
  5. Public Interest and Benefit Activities 
  6. Limited Data Set for research, public health or healthcare operations 

Covered entities must obtain the individual’s written authorization for any use or disclosure of PHI that is not for treatment, payment, healthcare operations or otherwise permitted or required by the Privacy Rule.

How is HIPAA Enforced?

The Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules by investigating complaints, conducting compliance reviews, and performing education and outreach. In addition, OCR works with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.