Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

HIPAA is the first comprehensive federal legislation to create standards that regulate the protection of sensitive patient health information, known as protected health information (PHI). The Privacy Rule sets standards for the use and disclosure of an individual's health information by covered entities (health care providers, health plans, and health care clearinghouses) and by the business associates that handle PHI on their behalf.

Covered entities are permitted by HIPAA to use or disclose PHI without the individual's written authorization only in the following circumstances:

  • To the individual
  • Treatment, payment, and health care operations
  • Uses and disclosures where the individual has an opportunity to agree or object
  • Incident to an otherwise permitted use or disclosure
  • Public interest and benefit activities
  • Limited data set (direct identifiers removed) for research, public health, or health care operations

The Security Rule, which applies specifically to electronic PHI (ePHI), additionally requires covered entities to ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit; to detect and safeguard against anticipated threats to the security of that information; to protect against anticipated impermissible uses or disclosures; and to certify compliance by their workforce.

Source: Health Insurance Portability and Accountability Act of 1996 (HIPAA) | CDC. (n.d.). Centers for Disease Control and Prevention. Retrieved January 8, 2022, from https://www.cdc.gov/phlp/publications/topic/hipaa.html#three