HIPAA General Information


Privacy Rule

In response to the HIPAA mandate, HHS published a final regulation in the form of the Privacy Rule in December 2000, which became effective on April 14, 2001. This Rule set national standards for the protection of health information, as applied to the three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct certain health care transactions electronically. As such, Stony Brook University Medical Center must implement standards to protect and guard against the misuse of individually identifiable health information.

The Privacy Rule establishes, for the first time, a foundation of Federal protections for the privacy of protected health information. The Rule does not replace Federal, State, or other law that grants individuals even greater privacy protections, and covered entities are free to retain or adopt more protective policies or practices.

Q: What does the HIPAA Privacy Rule do?

  • The HIPAA Privacy Rule for the first time creates national standards to protect individuals' medical records and other personal health information.
    • It gives patients more control over their health information.
    • It sets boundaries on the use and release of health records.
    • It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
    • It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights
    • And it strikes a balance when public responsibility supports disclosure of some forms of data - for example, to protect public health.

    For patients - it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.

    • It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
    • It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
    • It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
    • It empowers individuals to control certain uses and disclosures of their health information

Source: Office for Civil Rights Guidance. December 3, 2002

Complete Regulation Text for Privacy Rule (Parts 160 and 164), as modified (05/31/02, 08/14/02) published by the Office for Civil Rights (OCR): http://www.hhs.gov/ocr/privacy



Private health plans, health care providers, and health care clearinghouses must assure their customers (such as patients, insured, providers, and health care plans) that the confidentiality and privacy of health care information they electronically collect, maintain, use, or transmit is secure. Security of health information is especially important when health information can be directly linked to an individual. Confidentiality is threatened not only by the risk of improper access to electronically stored information, but also by the risk of interception during electronic transmission of the information.

The Security Rule mandates health plans, health care clearinghouses, and health care providers to have security standards in place to comply with the statutory requirement that health care information and individually identifiable health care information
be protected to ensure privacy and confidentiality when health information is electronically stored, maintained, or transmitted.

Source: Federal Register: August 12, 1998 (Volume 63, Number 155)

For more information please visit: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule

Transactions & Code Sets

Congress and the health care industry have agreed that standards for the electronic exchange of administrative and financial health care transactions are needed to improve the efficiency and effectiveness of the health care system. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of Health and Human Services to adopt such standards.

National standards for electronic health care transactions will encourage electronic commerce in the health care industry and ultimately simplify the processes involved. This will result in savings from the reduction in administrative burdens on health care providers and health plans. Today, health care providers and health plans that conduct business electronically must use many different formats for electronic transactions. For example, about 400 different formats exist today for health care claims. With a national standard for electronic claims and other transactions, health care providers will be able to submit the same transaction to any health plan in the United States and the health plan must accept it. Health plans will be able to send standard electronic transactions such as remittance advices and referral authorizations to health care providers. These national standards will make electronic data interchange a viable and preferable alternative to paper processing for providers and health plans alike.

What health care transactions are required to use the standards under this regulation?

As required by HIPAA, the Secretary of Health and Human Services is adopting standards for the following administrative and financial health care transactions:

  1. Health claims and equivalent encounter information.
  2. Enrollment and disenrollment in a health plan.
  3. Eligibility for a health plan.
  4. Health care payment and remittance advice.
  5. Health plan premium payments.
  6. Health claim status.
  7. Referral certification and authorization.
  8. Coordination of benefits.

Standards for the first report of injury and claims attachments (also required by HIPAA) will be adopted at a later date.

Source: U.S. Department of Health and Human Services. Transactions and Code Sets Frequently Asked Questions. Sept. 8, 2000.


Copyright © 2012, Stony Brook University Medical Center. All rights reserved

Last Updated