Common Questions About HIPAA


What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a legislative act that was passed in 1996. HIPAA addressed many topics, including the portability of health insurance, but it has become best known for its Privacy and Security requirements. In 2009, the HIPAA Privacy and Security provisions were revised by the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act”), which was enacted as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”).

Who Must Comply with HIPAA?

The HIPAA Privacy and Security Rules apply to all “covered entities.” The regulations use this term for health plans, healthcare providers who transmit health care information in electronic form (using a standard transaction), and healthcare clearinghouses (including billing companies). The HITECH Act extended the reach of HIPAA to the business associates of these covered entities as well.

What Kind of Information Does HIPAA Protect?

The Privacy Rule defines “protected health information” as “individually identifiable health information” transmitted or maintained in any form or medium. All such information pertaining to an individual and held by a covered entity is considered “protected health information”; the only exception is information that has been “de-identified” pursuant to the regulations. The Security Rule governs “electronic protected health information” and requires covered entities to ensure the confidentiality, integrity, and availability of all protected health information that the covered entity creates, receives, maintains, or transmits in electronic form.

What Rights Do Individuals Have Under HIPAA?

In general, the HIPAA Privacy Rule gives individuals the right to request restrictions on uses and disclosures of their protected health information. Individuals also have the right to request confidential communications, that is, to ask that protected health information be communicated by alternative means or to an alternative location, such as sending correspondence to the individual’s office instead of the individual’s home. With limited exceptions, individuals also have the right to inspect and obtain a copy of their own protected health information and to request amendments to it.

What Do Healthcare Providers and Other “Covered Entities” Need To Do In Order To Comply With The HIPAA Privacy Rule?

Examples of the issues that covered entities will need to address in order to comply with the Privacy Rule include:

  • appointment of a privacy officer and a contact person to receive complaints
  • development of consent, notice, and authorization forms for patients
  • development of the numerous required privacy policies and procedures
  • drafting of agreements with all business associates
  • training of staff on privacy issues

What Does The HIPAA Security Rule Require?

The rule requires covered entities to conduct a risk analysis to identify any risks to electronic protected health information and to address such risks. In general, covered entities are also required to implement administrative procedures, physical safeguards, and technical security services to guard the integrity, confidentiality, and availability of patient data. The HIPAA Security Rule also requires covered entities to implement technical security mechanisms to prevent unauthorized access to patient data.