Privacy

Please download the HIPAA Consent Form:
Consent Form

The shift of medical records from paper to electronic formats has increased the potential for individuals to access, use, and disclose sensitive personal health data. Although protecting individual privacy is a long-standing tradition among health-care providers and public health practitioners in the United States, previous legal protections at the federal, tribal, state, and local levels were inconsistent and inadequate. A patchwork of laws provided narrow privacy protections for selected health data and certain keepers of that data (1).

The U.S. Department of Health and Human Services (DHHS) has addressed these concerns with new privacy standards that set a national minimum of basic protections, while balancing individual needs with those of society. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was adopted to ensure health insurance coverage after leaving an employer and also to provide standards for facilitating health-care-related electronic transactions. To improve the efficiency and effectiveness of the health-care system, HIPAA included administrative simplification provisions that required DHHS to adopt national standards for electronic health-care transactions (2). At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated adoption of federal privacy protections for certain individually identifiable health information.

The HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) (3) provides the first national standards for protecting the privacy of health information. The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records. Among other provisions, the Privacy Rule

  • gives patients more control over their health information;
  • sets boundaries on the use and release of health records;
  • establishes appropriate safeguards that the majority of health-care providers and others must achieve to protect the privacy of health information;
  • holds violators accountable with civil and criminal penalties that can be imposed if they violate patients' privacy rights;
  • strikes a balance when public health responsibilities support disclosure of certain forms of data;
  • enables patients to make informed choices based on how individual health information may be used;
  • enables patients to find out how their information may be used and what disclosures of their information have been made;
  • generally limits release of information to the minimum reasonably needed for the purpose of the disclosure;
  • generally gives patients the right to obtain a copy of their own health records and request corrections; and
  • empowers individuals to control certain uses and disclosures of their health information.

The deadline to comply with the Privacy Rule is April 14, 2003, for the majority of the three types of covered entities specified by the rule [45 CFR § 160.102]. The covered entities are

  • health plans,
  • health-care clearinghouses, and
  • health-care providers who transmit health information in electronic form in connection with certain transactions.

At DHHS, the Office for Civil Rights (OCR) has oversight and enforcement responsibilities for the Privacy Rule. Comprehensive guidance and OCR answers to hundreds of questions are available at http://www.hhs.gov/ocr/hipaa (4).