The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996; its Administrative Simplification provisions, and the rules issued under them, govern the privacy and security of patient health information. Under HIPAA, covered entities – healthcare providers, health plans, and healthcare clearinghouses – must safeguard the confidentiality, integrity, and availability of the protected health information they hold. Covered entities must also give patients access to their own health information on request, and, under the Breach Notification Rule added by the HITECH Act of 2009, must notify affected individuals (and the Department of Health and Human Services) when unsecured protected health information has been breached. Together, these rules are intended to keep patient health information from being accessed, used, or disclosed without authorization.
The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information held by covered entities. The Rule requires covered entities to give individuals notice of their privacy rights, and it sets limits and conditions on the uses and disclosures that may be made of protected health information (PHI). The Privacy Rule is balanced to protect an individual's privacy interests while permitting uses and disclosures that are in the individual's interest, such as for treatment, payment, and healthcare operations, and those necessary for important public policy objectives, such as public health reporting. PHI includes any individually identifiable information, including demographic data, that relates to an individual's past, present, or future physical or mental health, the healthcare provided to the individual, or payment for that care; medical records, lab results, and health insurance information are typical examples. When a covered entity uses or discloses PHI in a manner the Privacy Rule does not permit, for example releasing it for a purpose that requires the individual's written authorization without obtaining one, that is a HIPAA violation. Depending on the nature and circumstances of the violation, it may result in civil penalties, enforced by the HHS Office for Civil Rights, or criminal penalties, prosecuted by the Department of Justice.