Note: This message is displayed if (1) your browser is not standards-compliant or (2) you have you disabled CSS. Read our Policies for more information.
Congress passed HIPAA in 1996 and in the following years regulations were approved to enforce the statute. The federal agency charged with enforcement of HIPAA is the US Department of Health and Human Services’ Office of Civil Rights (OCR).
The regulations dealing with the release and protection of health information are known as the Privacy Rule and the Security Rule.
They established a “floor” for the protection of individually identifiable health information, and any state laws that do not have the same or greater level of protections or access are preempted by HIPAA.
HIPAA applies to and affects virtually all health care-related organizations which it refers to as “covered entities”. These covered entities include health plans, providers (such as hospitals, doctors labs, dentists, etc.) health care clearinghouses, and federal Medicare and State Medicaid programs. Other state and local government programs may be impacted too, even if they do not meet the definition of a covered entity. Furthermore, HIPAA regulates the use and disclosure of what it calls “protected health information” (PHI for short). PHI is defined as individually identifiable health information created or received by a covered entity that relates to the past, present or future physical or mental condition, provision of health care or payment for health care. PHI may be released by a covered entity if the purpose is for the treatment of the patient, payment for a health care provider's services or certain business operations of the covered entity.
HIPAA and the Indiana State Department of Health
The Indiana State Department of Health (ISDH) is a hybrid entity under HIPAA. This means that while the primary purpose of the ISDH is not to be a health care provider, health care plan or health care clearinghouse some of its components meet those definitions. The programs that can be classified as meeting HIPAA definitions of covered entities must comply with HIPAA's regulations.
The ISDH HIPAA covered programs are:
At the current time, other ISDH programs are not required to comply with HIPAA, although other laws may apply to them and require protection of individuals’ information.
The Regulations require:
Privacy and Confidentiality Standards – The HIPAA Privacy Rule created national standards for protecting an individual's medical records and other personal health information. The regulations established safeguards that health care providers and others must implement to protect the privacy of health information.
Security Rule - The Security Rule requires a series of administrative, technical, and physical security procedures that covered entities must implement to assure the confidentiality of electronic protected health information.
Electronic Health Transaction Standards - HIPAA requires every provider who conducts business electronically to use the same health care transactions, code sets, and identifiers.
If a covered entity engages in one or more of the following ten transactions electronically, the covered entity must comply with the standard for that transaction.
Unique Identifier - This component requires unique identifiers for employers, providers and health plans. Employers, providers and health plans must obtain standard national numbers from the Centers for Medicare and Medicaid Services (CMS) that identify them on standard transactions.