skip navigation

Health Insurance Portability and Accountability Act

This page provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) as it applies to local government agencies, including examples of local policies.

Overview

The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, requires the following actions:

  • Continuity of healthcare coverage for individuals who change jobs
  • Management of health information
  • Simplification of the administration of health insurance
  • Combat of waste, fraud, and abuse in health insurance and health care

For counties, cities, and towns, the chief concern comes under Title II, dealing with security and privacy matters, also known as "Administrative Simplification."

Title II includes requirements to ensure the security and privacy of individuals' medical information in order to maintain the right of individuals to keep private information about themselves. The United States Department of Health and Human Services has been charged with developing and issuing regulations to address these requirements; its final privacy rule was released April 14, 2001 and required compliance beginning in April 14, 2003. The security rule was adopted February 13, 2003, and compliance has been required by April 2005.

Protected Information

HIPAA regulations protect medical records and other "individually identifiable health information," regardless of whether the information is communicated orally, on paper, or electronically. "Individually identifiable health information" includes any information, including demographic information collected from an individual, and any information that identifies an individual, or could be reasonably believed to identify an individual. HIPAA protects such information where it relates to the past, present, or future physical or mental health condition of an individual, the provision of health care or the payment for such care.

Who is covered?

HIPAA requirements apply to four different kinds of entities:

  • A person, business, or agency that is a covered health care provider
  • A business or agency that is a health care clearinghouse
  • A private benefit plan that is a health plan
  • A government-funded program that is a health plan

If the entity is covered:

  • Its patients should be able to see and obtain copies of their medical records and request correction if errors are identified.
  • Covered health plans, doctors, and other health care providers must provide a notice to their patients on how they may use personal medical information and their rights under the new privacy regulation.
  • Limits are set on how health plans and covered providers may use individually identifiable health information. There are no restrictions on the ability of doctors, nurses and other providers to share information needed to treat their patients. In other situations, though, personal health information generally may not be used for purposes not related to health care, and covered entities may use or share only the minimum amount of protected information needed for a particular purpose. In addition, patients would have to sign a specific authorization before a covered entity could release their medical information to a life insurer, a bank, a marketing firm or another outside business for purposes not related to their health care.
  • Restrictions and limits are placed on the use of patient information for marketing purposes.
  • Patients can request that their doctors, health plans, and other covered entities take reasonable steps to ensure that their communications with the patient are confidential.
  • Consumers may file a formal complaint regarding the privacy practices of a covered health plan or provider either directly with the covered provider or health plan or to Health and Human Services Office for Civil Rights (OCR).
  • Have written privacy procedures, including a description of staff that has access to protected information, how it will be used, and when it may be disclosed.
  • Train employees in their privacy procedures and designate an individual to be responsible for ensuring the procedures are followed.

Enforcement will be primarily on a complaint-driven basis. The OCR will investigate complaints and work to make sure that consumers receive the privacy rights and protections required under the new regulations. When appropriate, OCR can impose civil monetary penalties for violations of the privacy rule provisions. Potential criminal violations of the law would be referred to the U.S. Department of Justice for further investigation and appropriate action.

Security Rule

The Department of Health and Human Services adopted a security rule applicable to electronic protected health information (EPHI) in February 2003. The rule is designed to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted. It requires that covered entities (health plans, health care clearinghouses, or health care providers who transmit any protected health information in electronic form) maintain reasonable and appropriate administrative, physical, and technical safeguards to protect against any reasonably anticipated threats or hazards to the security or integrity of the EPHI.

The administrative safeguards require documented policies and procedures be adopted for day-to-day operations; management of the conduct of employees with protected health information; and the management of the selection, development, and use of security controls. Physical safeguards need to be adopted to protect the entities' electronic information systems, as well as related buildings and equipment, from natural hazards, environmental hazards, and unauthorized intrusion. Technical safeguards are required to be adopted for the protection and control of access to EPHI.

Most covered entities had until April 21, 2005 to comply. The rule is available through the Health and Human Services website.

Legal References

Examples of Policies

Recommended Resources


Last Modified: January 12, 2017