Health Insurance Portability and Accountability Act

Protecting Patient Privacy

The Health Insurance Portability and Accountability Act (HIPAA) comprises two overarching parts – the Privacy Rule and the Security Rule. The HIPAA Privacy Rule provides federal protections for personal health information and provides patients with an array of rights with respect to that information. The Privacy Rule balances patients’ rights with the permissible disclosure of personal health information necessary for patient care and other important purposes. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.

On January 25, 2013, the U.S. Department of Health and Human Services (HHS) published its Final Rule entitled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” (Omnibus Rule). The Omnibus Rule implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA and finalizes the Breach Notification Rule. There are three (3) specific areas under the Omnibus Rule:

  1. Privacy, Security, and Breach Notification policies and procedures
  2. Notice of Privacy Practices (NPP)
  3. Business Associate (BA) Agreements