Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules establish federal requirements for keeping your health information secure. The HIPAA Privacy Rule generally requires health care providers and health plans to safeguard your health information. This requirement applies to both paper and electronic records. The HIPAA Security Rule more specifically details the steps your health care providers and others must take to keep your electronic protected health information secure.
Privacy protections apply to your "individually identifiable health information," which means:
- Information that relates to your past, present, or future physical or mental health or condition; to the provision of health care to you; or to past, present, or future payment for the provision of health care to you.
- Information that identifies you or for which there is a reasonable basis to believe it can be used to identify you.
This information can include:
- Information your doctors, nurses, and other health care providers put in your medical record
- Conversations your doctor has about your care or treatment with nurses and others
- Information about you in your health insurer's computer system
- Billing information about you at your clinic
- Information used by companies or individuals that provide data, billing, or other services to doctors, hospitals, health insurers, and other health care organizations. This includes computer and data services providers, accountants, and other professional services firms.
When this information is held by an individual or organization that must follow HIPAA, it is called "protected health information."
The HIPAA Security Rule protections apply to electronic protected health information.
There are organizations that may have health information about you but do not have to follow the HIPAA Rules. For example, life insurers, employers, and workers' compensation carriers are not required to follow these Rules. However, privacy protections may be required through other laws they have to follow. The same is true for many schools and school districts, State agencies such as child protective service agencies, law enforcement agencies, and municipal offices.
The people and organizations required to follow the HIPAA Privacy and Security Rules must:
- Follow the Rules about who can look at, receive, and share your health information
- Reasonably limit uses and sharing to the minimum necessary amount needed to accomplish their intended purpose. However, providers may disclose more than the minimum necessary when they are sharing information for treatment purposes.
- Have agreements in place with their service providers to ensure that they only use and share your health information according to the law
- Have procedures in place to limit who can access your health information, and train their employees on how to protect it
- Put in place administrative, technical, and physical safeguards to protect your health information
The HIPAA Security Rule requires providers to conduct a risk analysis of the systems that create, receive, store, or transmit electronic protected health information. The Rule then requires safeguards that address the risks identified in that analysis. Some of the steps that may be taken to reduce those risks include:
- Access controls, such as unique user IDs with passwords or PINs, that limit access to your information to authorized individuals, like your doctors or nurses
- Encryption of your information, which converts it into a form that cannot be read or understood except by someone who can "decrypt" it using a "key" made available only to authorized individuals
- Audit trails, which record who accessed your information, what changes were made, and when, so that misuse can be detected and traced back to a specific person
- Workstation security, which ensures that computer terminals that can access your health records cannot be used by unauthorized persons
Your providers must also have risk management policies and procedures in place to assess security risks and to ensure that known risks are reduced to a reasonable and appropriate level.
The HIPAA Breach Notification Rule requires most doctors, hospitals, other health care providers, and health insurance companies to notify you of a "breach" if unsecured information about you is accessed, used, or disclosed by someone who is not permitted to have it. This Federal law also requires them to notify the Secretary of the U.S. Department of Health and Human Services of any breach of unsecured protected health information (without unreasonable delay, and no later than 60 days after discovery, for breaches affecting 500 or more people; smaller breaches may be reported in an annual log), and to notify prominent media outlets when a breach affects more than 500 residents of a State or jurisdiction.
This requirement helps patients know if unsecured protected health information has been breached and helps keep providers accountable for the protection of your health information. Health information that has been encrypted so that unauthorized people cannot read it is considered to be secured, provided that the key needed to decrypt it was not also compromised. Health care providers do not have to report the loss of, or an unauthorized attempt to access, properly encrypted information whose key remains protected.
Some websites offer a place to store your health records online. These are often called "personal health records." Some personal health records are offered by health care providers and health plans and are covered by the HIPAA Privacy, Security, and Breach Notification Rules. Other personal health records (PHRs) are offered by stand-alone companies. If these PHR companies are not covered by HIPAA, they must follow the Federal Trade Commission's Health Breach Notification Rule and notify you if there is a breach of your information.