Skip Navigation

 

Search

Font Size Reduce Text SizeEnlarge Text Size     Print Send this page to printer     Download Reader  Download PDF readerHHS Home|HHS News|About HHS

Health Information Privacy

Office for Civil RightsCivil RightsHealth Information Privacy

OCR Home > Health Information Privacy > Understanding HIPAA Privacy > For Covered Entities

HIPAA

Understanding HIPAA Privacy

For Consumers

For Covered Entities

Special Topics

Related Links

Summary of the HIPAA Privacy Rule

Summary of the HIPAA Security Rule

Training Materials

HIPAA Administrative Simplification Statute and Rules

Enforcement Activities & Results

How to File a Complaint

News Archive

Frequently Asked Questions

PSQIA

Understanding PSQIA Confidentiality

PSQIA Statute & Rule

Enforcement Activities & Results

How to File a Complaint

General Overview

45 CFR Part 160 and Subparts A and E of Part 164  (Download a copy in PDF)

The following overview provides answers to general questions regarding the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), promulgated by the Department of Health and Human Services (HHS).
To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, included “Administrative Simplification” provisions that required HHS to adopt national standards for electronic health care transactions. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

In response to the HIPAA mandate, HHS published a final regulation in the form of the Privacy Rule in December 2000, which became effective on April 14, 2001. This Rule set national standards for the protection of health information, as applied to the three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct certain health care transactions electronically. By the compliance date of April 14, 2003 (April 14, 2004, for small health plans), covered entities must implement standards to protect and guard against the misuse of individually identifiable health information. Failure to timely implement these standards may, under certain circumstances, trigger the imposition of civil or criminal penalties.
Secretary Tommy Thompson called for an additional opportunity for public comment on the Privacy Rule to ensure that the Privacy Rule achieves its intended purpose without adversely affecting the quality of, or creating new barriers to, patient care. After careful consideration of these comments, in March 2002 HHS published proposed modifications to the Rule, to improve workability and avoid unintended consequences that could have impeded patient access to delivery of quality health care. Following another round of public comment, in August 2002, the Department adopted as a final Rule the modifications necessary to ensure that the Privacy Rule worked as intended.

The Privacy Rule establishes, for the first time, a foundation of Federal protections for the privacy of protected health information. The Rule does not replace Federal, State, or other law that grants individuals even greater privacy protections, and covered entities are free to retain or adopt more protective policies or practices.

Please review the Frequently Asked Questions about the Privacy Rule.

OCR HIPAA Privacy
December 3, 2002 Revised April 3, 2003

Back to Top

Guidance: Significant Aspects of the Privacy Rule


horizontal line

HHS Home | Questions? | Contacting HHS | Accessibility | Privacy Policy | FOIA | Disclaimers | Inspector General | No FEAR Act/Whistleblower | Viewers & Players
The White House | USA.gov | HHS Archive | Pandemic Flu

U.S. Department of Health & Human Services · 200 Independence Avenue, S.W. · Washington, D.C. 20201