What Is the HIPAA Law and Privacy Rule?

The HIPAA Law and Privacy Rule Explained


The Health Insurance Portability and Accountability Act (HIPAA) and the HIPAA Privacy Rule set the standard for protecting sensitive patient data by creating the standards for the electronic exchange, privacy, and security of patient medical information by those in the health care industry.

If you wonder what your health care provider is doing to protect your personal and health information, it helps to know about the HIPAA Law and Privacy Rule. Here's how to know who you can trust with your personal data and what HIPAA means for you.

What Is the HIPAA Law and Privacy Rule?

The HIPAA Law and Privacy Rule was designed to protect patient confidentiality while still allowing medically necessary information to be shared, all while respecting the patient's right to privacy.

Most health care providers, health organizations, health insurance providers, and government health plans that use, store, maintain, or transmit patient health care information are required to comply with the privacy regulations of the HIPAA law. This includes protecting any protected health information (PHI) and individually identifiable health information.

How the HIPAA Law and Privacy Rule Works

HIPAA Privacy and Security Rules have been in place to protect your private health care data since 1996. As technology has changed and information has become more accessible, there have been many revisions to the original law. All of these regulations have been put in place to help keep your private information secure.

With so much information changing hands between medical providers, health insurers, and other parties in the health care services world, the HIPAA law is focused on simplifying the health care system and ensuring security for patients. Along with federally ensuring your privacy, the HIPAA law aims to reduce fraudulent activity and improve data systems.

Here's one example of the HIPAA law in action. When a patient visits the doctor, they are usually asked to sign a privacy form, which is a HIPAA notice. Among other information on the form, it explains that the patient's authorization is necessary before their health information is shared—even with a spouse or other close family member.

Note

HIPAA isn't the only law that protects patient confidentiality and health records. As a federal law, HIPAA is the baseline standard, and each state may add to it with its own additional standards.

What Are the 4 Rules of HIPAA?

Under the HIPAA law, there are four specific rules that must be followed by health care providers and other health companies:

  • HIPAA Privacy Rule: Sets limits on how patient data may be used and disclosed
  • HIPAA Security Rule: Requires safeguards for the systems and databases that store and transmit that data
  • HIPAA Enforcement Rule: Sets out the procedures for enforcement, hearings, and penalties
  • HIPAA Breach Notification Rule: Requires health care providers to notify individuals when there has been a breach of protected health information

What Is the Purpose of the HIPAA Security Rule?

The HIPAA Security Rule addresses the requirements for compliance by health service providers regarding technology security. It provides standards for the appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of protected health information.

What Is Protected Health Information (PHI)?

Protected Health Information, or PHI, is any individually identifiable health information that is transmitted or kept in any form.

Individually identifiable health information is information that may identify the patient as an individual, such as name, address, date of birth, or Social Security number. It also includes—in either the present, past, or future—any information related to the patient's physical or mental health, the provision of health care to the individual, or information regarding payment for the provision of health care to the patient. Under the HIPAA Privacy Rule, this information is protected.

What Is De-Identified Health Information?

De-identified health information cannot be tied back to an individual: it has been stripped of every detail that could identify the person, so it no longer carries identifying properties and poses no privacy risk to the patient. There are no restrictions on de-identified health information.

Does HIPAA Apply to Everyone?

Health plans, health care clearinghouses, health care providers who transmit health information, and other health care entities have standards that they must abide by, but there are also organizations that do not have to follow these rules. Here are some examples:

  • Direct-to-consumer (DTC) genetic testing companies
  • Mobile apps used for health and fitness purposes
  • Alternative medicine practitioners
  • State agencies, like child protective services
  • Law enforcement agencies
  • Life insurance companies
  • Schools
  • Your employer

How Do Providers Apply HIPAA?

Some health care providers have taken steps such as controlling access to offices with medical files by electronic key card systems and allowing employees limited access to only the minimum amount of information needed. Many medical facilities and insurance providers use special services to ensure the security of electronic transactions.

If you have concerns about what your health care provider or physician is doing to comply with the HIPAA law, ask them what steps they have taken to ensure your privacy.

Note

If your health insurance is from a small, self-administered health organization, it may not have to comply with the HIPAA regulations. It is important to check whether it is complying and, if not, what steps it is taking on its own to ensure your privacy.

Are There Any Privacy Exceptions to the HIPAA Law?

HIPAA's privacy rules give health care providers and other health care entities exceptions in some areas, in which case they don't have to follow the rules outlined above. These are situations such as a patient being incapacitated or otherwise unable to make decisions, or when there is a serious threat to health or safety.

Key Takeaways

  • The HIPAA Privacy Rule set the standard for protecting sensitive patient data by creating regulations for the electronic exchange, privacy, and security of patient medical information by those in the health care industry.
  • Most entities that use, store, maintain, or transmit patient health care information are required to comply with the privacy regulations, though certain types of companies don't have to follow HIPAA law.
  • Protected health information (PHI) and individually identifiable health information are types of protected information that can't be shared without your authorization.
  • There are few cases in which health care providers or other health entities are not required to follow HIPAA regulations.