Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Acronyms, Abbreviations, and Initialisms
|Short Form||Full Form|
|ePHI||Electronic Protected Health Information|
|HHS||Department of Health and Human Services|
|HIPAA||Health Insurance Portability and Accountability Act|
|HITECH||Health Information Technology for Economic and Clinical Health|
|PHI||Protected Health Information|
|OCR||Office for Civil Rights|
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to improve the efficiency and effectiveness of the nation’s health care system.
The law includes provisions to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also defines requirements for the privacy and security of protected health information.
HIPAA is comprised of several rules, each of which outline different requirements for compliance:
Privacy Rule Security Rule Enforcement Rule Omnibus Rule Breach Notification Rule
The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information (collectively defined as "protected health information (PHI)" and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. The Rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections.
The Privacy Rule protects all PHI held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
The Security Rule applies only to electronic protected health information (ePHI).
The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.
The Omnibus Rule (the "final rule") implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act to strengthen the privacy and security protections for health information established under HIPAA.
The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
HHS' Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules.
- The Privacy Rule provides the patient control over their medical records.
- The Privacy Rule protects all PHI whether electronic, paper, or oral.
- The Security Rule applies only to electronic protected health information (ePHI).