Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, establishes a national set of security standards for protecting health information that is held or transferred in electronic form.
The Security Rule operationalizes the protections in the Privacy Rule by addressing the technical and non-technical safeguards that organizations—known as "covered entities"—must implement to secure individuals' electronic protected health information (e-PHI).
Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties.
Summary
Name: Health Insurance Portability and Accountability Act
Short Name: HIPAA
Effective Date: August 21, 1996
Region | State: CA, US
Applicable Industries
HIPAA primarily applies to industries and organizations that handle protected health information. Key industries and entities include:
- Healthcare Providers
- Health Plans
- Business Associates
- Healthcare Contractors
- Telemedicine and Health Tech Companies
- Pharmaceutical Companies
- Clinical Research Organizations
- Employers
HIPAA Privacy Rule – Individual Rights
SNo | Rights | Description | Also Referred To As | Reference |
1 | Right to Notice of Privacy Practices | Covered entities must provide a notice of privacy practices explaining how they use and share individuals’ health information. This notice also outlines an individual’s privacy rights. Typically provided during the first provider visit or by mail from the health plan. | Right to Notice | 45 C.F.R. §§ 164.520(a), (b) |
2 | Right to Receive Paper Copy of Privacy Notice | Covered health care providers must deliver a privacy practices notice to patients. Individuals have the right to request a paper copy of the Notice of Privacy Practices (NPP), which outlines how their PHI may be used or shared. | | 45 C.F.R. § 164.520(c) |
3 | Right to Access | Individuals have the right to review and obtain a copy of their PHI within a designated record set used to make decisions about them. This includes medical and billing records or health plan records. | Right to Know, Right to Information | 45 C.F.R. § 164.524 |
4 | Right to Amendment | Individuals can request corrections to their PHI in the designated record set if the information is inaccurate or incomplete. | Right to Rectification | 45 C.F.R. § 164.526 |
5 | Right to Disclosure Accounting | Individuals may request a record of disclosures of their PHI made by a covered entity or its business associates over the past six years (excluding disclosures before the Privacy Rule compliance date). | | 45 C.F.R. § 164.528 |
6 | Right to Authorization for Use or Disclosure | Covered entities must obtain written authorization before using or disclosing PHI for purposes not related to treatment, payment, or health care operations unless otherwise permitted by law. | | 45 C.F.R. § 164.508 |
7 | Right to Restrict Use or Disclosure | Individuals can request restrictions on how their PHI is used or disclosed for treatment, payment, or health care operations, or shared with others involved in their care. While covered entities are not obligated to agree, some restrictions must be honored by law. | Restriction Request | 45 C.F.R. § 164.522(a) |
8 | Right to Review Denial of Access | In specific situations where access to PHI is denied (e.g., potential harm to the individual), the individual has the right to request a review of the denial by a licensed healthcare professional. | | 45 C.F.R. § 164.524(a)(3) |