The Health Insurance Portability and Accountability Act (HIPAA) addresses the privacy of individuals’ health information and how the health information can be used and disclosed.

Generally, entities covered by HIPAA must comply with HIPAA rules regarding any health or medical information of identifiable individuals, which includes medical records, medical billing records, clinical and research databases and tissue bank samples. Covered entities generally include health care providers, health plans and health care clearinghouses.

An entity covered by HIPAA cannot use or disclose protected health information for any purpose other than treatment, payment or health care operations without the authorization of the individual involved or under one of the HIPAA regulation exceptions.

Patient Rights

HIPAA, while limiting the use and disclosure of protected health information, also gives patients the right to access their health information and to know to whom the covered entity has disclosed it. HIPAA’s goal is to restrict disclosures to the absolute minimum needed to accomplish the intended purpose. HIPAA has established criminal and civil penalties and fines for improper use and disclosure by covered entities.

HIPAA Requirements

HIPAA requires covered entities to:

  1. Adopt or institute a required level of security for all health information and limit disclosures of information to the minimum required for the requested activity;
  2. Designate a privacy officer or HIPAA contact person;
  3. Establish entity-wide privacy and disclosure policies to comply with HIPAA;
  4. Educate all employees on privacy policies;
  5. Sanction employees who do not adhere to the privacy policies;
  6. Establish a system to respond to HIPAA complaints, requests for corrections of health information by a patient, and to track disclosures of health information;
  7. Notify patients concerning the use and disclosure of their protected health information;
  8. Establish a process for HIPAA review of research protocols; and
  9. Include consent for disclosures for treatment (for health care providers).