What is the HIPAA Privacy Rule?

The Health Insurance Portability and Accountability Act of 1996, often referred to as HIPAA, is a United States law setting out certain requirements for health care eligibility, information sharing, and health data security. There are two main sections of the act, called “titles.” Title I makes certain guarantees about health coverage availability, and prohibits discrimination in the issuance of health insurance services. In Title II, the act sets out definitions of “protected health information,” and establishes “Administration Simplification” rules related to how that information can be shared and stored online and in electronic databases. Collectively, the Administration Simplification rules are known as the HIPAA privacy rule.

Although the HIPAA legislation was enacted in 1996, the HIPAA privacy rule did not become actionable law until 2003. The data shielding and compliance requirements that the HIPAA privacy rule requires are significant, and affect a great number of entities. Many companies, hospitals, and doctor’s offices needed time to update their medical records systems and IT security plans to comply with the rule’s many stipulations.

In many respects, the HIPAA privacy rule was born out of a desire to encourage the use of electronic health programs. Digital health records, pharmacy files, and medical charts can make treatments much more efficient in many circumstances. Electronic programs can collate information in such a way that dangers like potential drug side effects can be noticed, and all of a patient’s relevant history can be readily viewed by doctors rending treatment, no matter where the doctors are located. Files stored in electronic format carry a far greater risk of misuse than do hard copy files, however. Digital files can be easily manipulated or accidentally shared, making the risk of privacy invasion — and sometimes even data and identity theft — a very real possibility.

United States law grants individuals a legal right to privacy in individual health information. This right extends to diagnoses and treatments as much as it does to medical history and family statistics. One of the aims of the HIPAA privacy rule is to integrate those privacy rights into the growing field of e-health, to ensure that privacy is maintained no matter how sophisticated the technology becomes. The rule sets out certain obligations for health care providers and other entities who access medical information, and elucidates a spectrum of rights for patients and individuals.

The Office for Civil Rights of United States Department of Health and Human Services (HHS) enforces the HIPAA privacy rule. That HHS office is responsible for both responding to individual complaints, and for conducting independent investigations. Because HIPAA is a federal law, perceived violations are typically referred to lawyers at the U.S. Department of Justice for further investigation and prosecution.