Use HIPAA External Icon

The Health Insurance Portability and Accountability Act of 1996 was a United States Federal law enacted by the 404th United States Congress. It is one of the most important pieces of public health legislation in existence. The primary purpose of HIPAA was to protect private health information. This privacy legislation was designed to enhance patient care and provide access to records of medical treatments and physician visits, as well as to facilitate claims for those treatments and procedures. HIPAA changed the private health insurance landscape forever.

One of the most popular provisions of HIPAA is the Physician Privacy Rule. Under this rule, any healthcare provider who discloses a patient's private information must inform the patient or the designated representative that they did so. This includes healthcare providers who do business online, by phone, or in person. HIPAA even applies to financial and insurance accounts where privacy rules are applied.

Two other pieces of major importance are the Security Rule and the Identification Rule. The Security Rule regulates the storage and transmission of personally identifiable medical information (identity) by healthcare providers. According to the Security Rule, all healthcare providers are required to protect against unauthorized use of protected health information. The Identification Rule requires that protected health information be encrypted or restricted from unauthorized parties.

Two separate parts of HIPAA affect private individuals' privacy regarding their individually identifiable health information. First, HIPAA puts control measures in place that limit how an individual's health information may be disclosed to others. This includes limiting how much healthcare information can be shared with third parties, what kind of information can be shared, the conditions under which it may be shared, and whether or not the disclosure of the information would be considered a violation of HIPAA's security rules. Second, HIPAA puts controls in place regarding what a covered entity is allowed to do when it receives a legally required disclosure.

As noted above, the Privacy Rule addresses the privacy rights of a covered entity. However, the final rule of HIPAA addresses the benefits of HIPAA to organizations and individuals. According to the final rule, covered entities are prohibited from engaging in unnecessary HIPAA disclosures. For example, if a business wanted to share the data it holds about its employees, it would have to take out a private individual health plan.

There are two groups of people that should be concerned about HIPAA compliance. First, those who provide direct care services to patients are directly affected by HIPAA. Insurance companies that issue medical coverage rely on the availability of HIPAA claims processing. Similarly, hospitals that receive federal financial aid for patient care also need to meet HIPAA claims-processing mandates. Lastly, businesses that give patients medical advice are also directly affected by HIPAA.

According to the final rule of HIPAA, insurers must ensure "the privacy of the personal health information of individuals." The rule states that insurers must take "all reasonable steps" to protect the privacy of patient data. In addition to this requirement, the final rule requires healthcare organizations to use personal health information only "in accordance with the privacy laws of the state." For example, an insurer could be in violation of HIPAA if it sold health plan data to a state-based online pharmacy or insurance agency even though the online agency did not have the proper security measures in place to protect the data.

HIPAA contains some technical definitions, but the overall spirit of the law is simple. According to this comprehensive piece of legislation, covered entities are bound to safeguard personal health information within their control. They can only use that information for "diagnosis, treatment, or care." Furthermore, healthcare organizations are prohibited from using the protected health information of covered entities for advertising or marketing purposes. This external icon should serve as a reminder to businesses to adhere to HIPAA rules when handling confidential and sensitive customer information.