The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) create national standards to regulate how individuals’ health information (known as “protected health information” or “PHI”) is used, collected, stored, and shared. HIPAA provides individuals with important privacy rights, which encourage individuals to seek necessary treatment and promote individuals’ trust in their healthcare providers. At the same time, HIPAA recognizes that sharing health information may be necessary in certain circumstances to ensure individuals receive the best treatment, or for other important purposes such as protecting the health or safety of a patient or others.

What Information Does HIPAA Protect?

HIPAA protects the privacy and security of information in any form that can identify an individual and relates to their past, current, or future physical or mental health conditions, or to the provision of healthcare services. Examples of protected health information include names, Social Security numbers, addresses, email addresses, phone numbers, fingerprints, diagnoses, clinical notes, laboratory results, and prescription histories.

Who Must Follow HIPAA?

HIPAA applies to covered entities and their business associates. “Covered entities” include almost all healthcare providers, health plans, and healthcare clearinghouses. “Business associates” include entities or individuals who are not members of the covered entity but who receive, maintain, generate, or transmit protected health information on behalf of the covered entity.

See this resource for more information about covered entities and business associates.

For more information about HIPAA and how it applies to protected health information, please visit our Resource Library.