Health Insurance Portability and Accountability Act

This page provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) as it applies to local government agencies, including examples of local policies.


The Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, requires the following actions from "covered entities" (as described below):

  • Continuity of healthcare coverage for individuals who change jobs
  • Management of health information
  • Simplification of the administration of health insurance
  • Combating waste, fraud, and abuse in health insurance and health care

For Washington local governments, the chief concern comes under Title II, dealing with security and privacy matters, also known as "Administrative Simplification."

Title II includes requirements to ensure the security and privacy of individuals' medical information in order to maintain the right of individuals to keep private information about themselves. The United States Department of Health and Human Services (HHS) has been charged with developing and issuing regulations to address these requirements. The most significant regulations are the privacy rule and the security rule.

Privacy Rule – Protected Information

HIPAA regulations protect medical records and other "individually identifiable health information," regardless of whether the information is communicated orally, on paper, or electronically. "Individually identifiable health information" includes any information, including demographic information collected from an individual, and any information that identifies an individual, or could be reasonably believed to identify an individual. HIPAA protects such information where it relates to the past, present, or future physical or mental health condition of an individual, the provision of health care or the payment for such care.

Who is a "Covered Entity"?

HIPAA requirements apply to four different kinds of entities:

  • A person, business, or agency that is a covered health care provider
  • A business or agency that is a health care clearinghouse
  • A private benefit plan that is a health plan
  • A government-funded program that is a health plan

If the entity is covered:

  • Its patients should be able to see and obtain copies of their medical records and request correction if errors are identified.
  • Covered health plans, doctors, and other health care providers must provide a notice to their patients on how they may use personal medical information and their rights under the new privacy regulation.
  • Limits are set on how health plans and covered providers may use individually identifiable health information. There are no restrictions on the ability of doctors, nurses and other providers to share information needed to treat their patients. In other situations, though, personal health information generally may not be used for purposes not related to health care, and covered entities may use or share only the minimum amount of protected information needed for a particular purpose. In addition, patients would have to sign a specific authorization before a covered entity could release their medical information to a life insurer, a bank, a marketing firm or another outside business for purposes not related to their health care.
  • Restrictions and limits are placed on the use of patient information for marketing purposes.
  • Patients can request that their doctors, health plans, and other covered entities take reasonable steps to ensure that their communications with the patient are confidential.
  • Consumers may file a formal complaint regarding the privacy practices of a covered health plan or provider, either directly with the covered provider or health plan or with the HHS Office for Civil Rights (OCR).
  • Covered entities must have written privacy procedures, including a description of the staff who have access to protected information, how it will be used, and when it may be disclosed.
  • Covered entities must train employees in their privacy procedures and designate an individual responsible for ensuring the procedures are followed.

Enforcement is primarily on a complaint-driven basis. The OCR investigates complaints and works to make sure that consumers receive the privacy rights and protections required under the new regulations. When appropriate, OCR can impose civil monetary penalties for violations of the privacy rule provisions. Potential criminal violations of the law are referred to the U.S. Department of Justice for further investigation and appropriate action.

Security Rule

HHS adopted a security rule applicable to electronic protected health information (EPHI) in February 2003. The rule is designed to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted. It requires that covered entities (health plans, health care clearinghouses, or health care providers who transmit any protected health information in electronic form) maintain reasonable and appropriate administrative, physical, and technical safeguards to protect against any reasonably anticipated threats or hazards to the security or integrity of the EPHI.

The administrative safeguards require that documented policies and procedures be adopted for day-to-day operations; for management of the conduct of employees who handle protected health information; and for management of the selection, development, and use of security controls. Physical safeguards must be adopted to protect the entity's electronic information systems, as well as related buildings and equipment, from natural hazards, environmental hazards, and unauthorized intrusion. Technical safeguards must be adopted to protect and control access to EPHI.

The rule is available through the Health and Human Services website.

Legal References

Examples of Policies

Recommended Resources

Last Modified: January 19, 2023