HIPAA
Standards for Privacy of Individually Identifiable Health Information
Frequently Asked Questions
The following provides answers to general questions regarding the regulation, Standards for
Privacy of Individually Identifiable Health Information, as established in the enactment of the Health
Insurance Portability and Accountability Act of 1996 (HIPAA).
Q: What does this regulation do?
A: The Privacy Rule became effective on April 14, 2001. Most health plans and health care providers
that are covered must comply by April 14, 2003.
The Privacy Rule for the first time creates national standards to protect individuals' medical records
and other personal health information.
Q: Why is this regulation needed?
A: Health care providers have a strong tradition of safeguarding private health information. But in
today's world, the old system of paper records in locked filing cabinets is not enough. With
information broadly held and transmitted electronically, the rule provides clear standards for all
parties regarding the protection of personal health information.
Q: What does the regulation require the average provider to do?
A: For the average health care provider, the Privacy Rule requires activities, such as:
• Providing information to patients about their privacy rights and how their information is used.
• Adopting clear privacy procedures for its practice, hospital or plan.
• Training employees so that they understand the privacy procedures.
• Designating an individual to be responsible for seeing that privacy procedures are adopted
and followed.
• Securing patient records containing individually identifiable health information so that they are
not readily available to those who do not need them.
Responsible health care providers already take many of the kinds of steps required by the rule to
protect patients' privacy.
Q: Who must comply with these new privacy standards?
A: The Privacy Rule covers health plans, health care clearinghouses, and those health care
providers who conduct certain financial and administrative transactions electronically. These
electronic transactions are those for which standards are required to be adopted by the Secretary
under HIPAA, such as electronic billing and fund transfers. These entities are bound by the new
privacy standards even if they contract with others to perform some of their essential functions.
Q: When will covered entities have to meet these standards?
A: As Congress required in HIPAA, most covered entities have until April 14, 2003 to come into
compliance with these standards.
Q: Does the Privacy Rule permit covered entities or their collection agencies to obtain payment from
parties other than the patient, e.g., from spouses or guardians?
A: Yes, the Privacy Rule permits a covered entity, or a business associate acting on behalf of, or
providing a service to, a covered entity (e.g., a collection agency), to disclose protected health
information as necessary to obtain payment for health care, and does not limit to whom such a
disclosure may be made.
Q: Do hospitals or other covered entities need to monitor their business associates?
A: No, the Privacy Rule requires covered entities to enter into written contracts or other
arrangements with business associates who protect the privacy of protected health information; but
covered entities are not required to monitor or oversee the means by which their business
associates carry out safeguards or the extent to which the business associate abides by the privacy
requirements of the contract.
Q: Are changes expected to this rule before the compliance date?
A: HHS can and will issue proposed modifications to correct any unintended negative effects of the
Privacy Rule on health care quality or on access to such care.
Q: What changes might be made to the final rule?
A: Input from recent public comment helped determine what changes are appropriate to ensure that
the rule protects patient privacy as intended without harming consumers' access to care or the
quality of that care.
Some proposed changes affect:
• Phoned-in Prescriptions
• Referral Appointments
• Allowable Communications
• Minimum Necessary Scope
In addition, HHS may reevaluate the Privacy Rule to ensure that parents have appropriate access to
information about the health and well-being of their children.
This information is not intended as legal advice and may not be used as legal advice. It should not
be used to replace the advice of your own legal counsel. Any information contained in this material
is based on current research into the issues and on the specific facts involved herein.
PHR will be following HIPAA modifications and compliance issues closely. Please refer back to this
page as we will frequently update the information and pass on recent HIPAA news. Also, please
feel free to phone us