HIPAA Confidentiality Rules

HIPAA stands for the Health Insurance Portability and Accountability Act. Enacted in 1996, HIPAA was intended in part to ensure that a member of an insurance plan can continue coverage after losing or changing jobs. Its provisions also include guidelines and requirements that protect an insured's right to privacy during the electronic transmission of health care transactions, as well as an individual's right to confidentiality of insurance and health information.

Privacy Rule

The HIPAA privacy rule sets a national standard for protecting the privacy of an individual's health information. It allows an individual to place restrictions on who can access her health records and the information they contain. Protected health information, or PHI, is health information that is individually identifiable: a person could be identified from the details contained in the records. The privacy rule restricts the release, use and transfer of PHI. Patients can also obtain access to their own medical and health records and learn how their information has been used and to whom it has been released.

Security Rule

In recent years, electronic data storage has become the main form of record-keeping in many industries, including health information record management. Electronic records, which may be transmitted by e-mail or fax and stored in a computer database, are susceptible to theft, damage or tampering by unauthorized parties. The HIPAA security rule requires administrators of health care records to implement reasonable and appropriate safeguards that protect the integrity and confidentiality of all health information that is created, received, maintained or transmitted from one health care facility or administrator to another. Reasonable and appropriate safeguards may include computer passwords, data encryption software and secure databases.

Unidentifiable Data

Unidentifiable data is aggregate statistical data, or data that has been stripped of individual identifiers. Such data is not subject to the confidentiality regulations spelled out in the privacy rule or the security rule, and it may be released to certain entities or health organizations to construct health profiles of a particular locale or age group.

HIPAA confidentiality rules also require that all members be notified of their rights under HIPAA: written notification regarding the privacy rule and the security rule must be sent to each member. Any individual who feels his rights have been violated also has the right to pursue legal action if necessary.