The Health Insurance Portability and Accountability Act (HIPAA) privacy rule relates to the protection of medical records. The rule was created to provide greater protection against involuntary disclosure of an individual’s medical information, particularly as that information is stored and exchanged electronically among health care providers, insurance companies and employers. Most of the burdens imposed by these rules fall on organizations known as “covered entities,” typically a health care provider, health insurance plan, third-party administrator (TPA) or health care clearinghouse that collects and maintains health care records. Generally, you have few obligations under the privacy rules, unless you also fall into one of the categories of “covered entities” described in this section.
This section is not intended to be an exhaustive description of the HIPAA privacy rules, but rather to alert you to:
- The possibility that you might be a “covered entity” and the obligations that status entails
- Other impacts of HIPAA privacy rules on your status as an employer
HIPAA’s privacy and security rules are enforced by the U.S. Department of Health and Human Services’ Office of Civil Rights, which also provides information on HIPAA compliance.