HIPAA Data Requirements

A person's personal health information is confidential. The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. Department of Health and Human Services program to enforce the standards for protecting individual health information. HIPAA also has a provision to protect electronic medical information as more medical information is being stored and transmitted electronically. In general, HIPAA defines which data is protected and the requirements to protect the data.

Definition of Protected Data

Any information placed in your medical records by health care providers such as doctors and nurses is protected data as well as any discussion between doctors and other health providers. Any billing information is protected as is information held by your insurance company. This information is called Protected Health Information (PHI). PHI information also includes such information as social security number, address, phone number or birth date. HIPAA protects for, "past, present or future physical or mental health condition."

Data Protection Guidelines

The facility that holds your records such as a doctor's office or hospital is referred to as the "covered entity." According to HIPAA rules, the covered entity must establish methods to protect your personal health information. They must limit any disclosure of medical information to what is considered reasonable. Covered entities must ensure that people who contract with the organization protect the information by the same standards. Procedures for data protection and training on the procedures must be developed and in use to protect the data from being accessed by unauthorized personnel.



Along with the non-disclosure of PHI, physical records must be placed in an area with limited access. Security measures to prevent unauthorized people must be in place. This provision is called "Facility Access and Control."

Electronic Data Requirements

HIPAA has a separate provision for electronic medical records that are stored or transmitted. It is call the, "Security Rule," for personal health information or e-PHI. How a hospital or clinic is supposed to protect the e-PHI is not defined specifically. In general, the covered entity must protect the integrity of the electronic data as well as the confidentiality and availability. The covered entity must guard against "reasonably anticipated threats."



Examples of protection may be hardware backup systems, firewalls and security passwords for access to the data.

General Policies on Data

The health center or insurance company must create policies and procedures to identify who has accessed physical and electronic data. If a violation occurs, "reasonable steps" to rectify the situation must be taken. The covered entity must create the policies and procedures they intend to use and those records must be kept for six years from the last date they were effective.