The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Frequently Asked Questions

  • What's HIPAA?

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

    The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

  • What's the HIPAA Privacy Rule?

    The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.

  • Which individuals are covered by the HIPAA Privacy Rule?

    Healthcare providers: Every healthcare provider, regardless of the size of practice, who electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.

    Health plans: Entities that provide or pay the cost of medical care. Health plans include health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.

    Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.

    Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.

    Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include claims processing, data analysis, utilization review, and billing.

  • What's the HIPAA Security Rule?

    While the HIPAA Privacy Rule safeguards protected health information (PHI), the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.

  • What entities need to do in order to comply with the HIPAA Security Rule?
    *Ensure the confidentiality, integrity, and availability of all electronic protected health information *Detect and safeguard against anticipated threats to the security of the information *Protect against anticipated impermissible uses or disclosures *Certify compliance by their workforce Covered entities should rely on professional ethics and best judgment when considering requests for these permissive uses and disclosures. The HHS Office for Civil Rights enforces HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.
  • How does the HIPAA Privacy Rule affect my rights under the Federal Privacy Act?

    The Privacy Act of 1974 (U.S. Department of Justice) protects personal information about individuals held by the Federal government. Covered entities that are Federal agencies or Federal contractors that maintain records that are covered by the Privacy Act not only must obey the Privacy Rule’s requirements, but also must comply with the Privacy Act.

  • Can telemarketers obtain my health information and use it to call me to sell good and services?

    Under the HIPAA Privacy Rule, a covered entity can share protected health information with a telemarketer only if the covered entity has either obtained the individual’s prior written authorization to do so or has entered into a business associate relationship with the telemarketer for the purpose of making a communication that is not marketing, such as to inform individuals about the covered entity’s own goods or services.

    If the telemarketer is a business associate under the Privacy Rule, it must agree by contract to use the information only for communicating on behalf of the covered entity, and not to market its own goods or services (or those of another third party).

  • Can my health care provider discuss my health information with an interpreter?

    Yes.  HIPAA allows your health care provider to share your health information with an interpreter who works for the provider to help communicate with you or your family, friends, or others involved in your care.  If the interpreter is someone who does not work for your health care provider, HIPAA also allows your provider to discuss your health information with the interpreter so long as you do not object.

  • Does the HIPAA Privacy Rule require my doctor to send my medical records to the government?

    No. The Rule does not require a physician or any other covered entity to send medical information to the government for a government data base or similar operation. This Rule does not require or allow any new government access to medical information, with one exception: the Rule does give the Department of Health and Human Services Office for Civil Rights (OCR) the authority to investigate complaints that Privacy Rule protections or rights have been violated, and otherwise to ensure that covered entities comply with the Rule.

  • Will this HIPAA Privacy Rule make it easier for police and law enforcement agencies to get my medical information?

    No. The Rule does not expand current law enforcement access to individually identifiable health information. In fact, it limits access to a greater degree than currently exists, since the Rule establishes new procedures and safeguards that restrict the circumstances under which a covered entity may give such information to law enforcement officers.



    First Healthcare Compliance HIPAA Privacy and Security

    First Healthcare Compliance HIPAA Privacy and Security is a user-friendly resource designed to help healthcare, administrative, and compliance professionals, whether they serve as a covered entity or a business associate, better understand their compliance responsibilities under the Health Insurance Portability and Accountability Act. The book explains HIPAA privacy, security, enforcement...

    Read more




    Security Officer – Definition

    As required by the HIPAA Security Rule, the individual responsible for the development and implementation of the policies and procedures required by the HIPAA Security Rule and for identifying and reporting breaches of electronic Protected Health Information to the Privacy Officer and facilitating the required reporting associated with these breaches.

    Read more

    LIMITATION ON PREEXISTING CONDITION EXCLUSION PERIOD; CREDITING FOR PERIODS OF PREVIOUS COVERAGE.—Subject to subsection (d), a group health plan, and a health insurance issuer offering group health insurance coverage, may, with respect to a participant or beneficiary, impose a preexisting condition exclusion only if

    Read more


    Welcome Back!

    Create New Account!

    Retrieve your password

    Please enter your username or email address to reset your password.

    Add New Playlist