Traditionally, ethical health care has always included the need to keep patients’ medical information confidential. However, the Health Insurance Portability and Accountability Act (HIPAA—see www.hhs.gov/ocr/privacy/) has codified the responsibility of health care providers, health plans, health care clearinghouses, and their business associates who electronically transmit health and related information (eg, health records, enrollment, billing, eligibility verification). Collectively, these are covered entities under HIPAA. Key provisions of HIPAA are embodied in three rules: the Privacy, Security, and Breach Notification rules, all of which are intended to protect the privacy and security of protected health information (PHI).
The Privacy Rule sets standards for the protection of PHI and gives patients important rights with respect to their health information. The Security Rule establishes safeguards that covered entities and their business associates must implement to protect the privacy, integrity, and security of electronic PHI. The Breach Notification Rule requires covered entities to notify affected individuals, the federal government, and in some cases, the media of a breach of unsecured PHI. The U.S. Department of Health and Human Services, Office for Civil Rights, enforces these three rules and provides guidance on complying with the rules.
Key aspects of the Privacy Rule are elaborated below.