BOX 2-1 HIPAA Privacy Provisions

History of the Privacy Rule: The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Public Law 104–191) was enacted to improve the portability and continuity of health insurance; combat waste, fraud, and abuse in health insurance and healthcare delivery; promote medical savings accounts; improve access to long-term care services and coverage; and simplify the administration of health insurance. The Administrative Simplification “Standards for Privacy of Individually Identifiable Health Information” (the Privacy Rule) arise from this last objective. HIPAA’s Administrative Simplification provisions focus on facilitating the electronic exchange of information for financial and administrative functions related to patient care. However, the very advances that make it easier to transmit information also present challenges to preserving the confidentiality of potentially sensitive personal information contained in medical records. Absent further congressional action, the Secretary of Health and Human Services (HHS) was required by the law to develop standards for protecting such information. Within HHS, the Office for Civil Rights (OCR) is responsible for implementing and enforcing the Privacy Rule. The compliance date for most of those affected by the Rule was April 14, 2003.

Provisions of the Privacy Rule: The Privacy Rule addresses the use and disclosure of health information contained in individual health records—“protected health information” (PHI)—by organizations subject to the Privacy Rule—“covered entities.” Covered entities include health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically. All “individually identifiable health information” held or transmitted by a covered entity is protected under the Privacy Rule and considered PHI. This includes data relating to: the individual’s past, present, or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual. Common items like name, address, birth date, and Social Security Number are included in PHI. “De-identified” health information—information that does not identify an individual or provide the means to do so—is under no disclosure restrictions. The Privacy Rule defines the circumstances under which PHI may be used or disclosed by covered entities. PHI can be used by them in the normal course of providing medical care and the necessary administrative and financial transactions. Most other uses of PHI, including under most circumstances health research, require explicit written authorization by the individual (or personal representative).

SOURCE: Adapted from NIH and OCR guidances accessed August 24, 2003 at and

NOTE: Excerpted, as background to the following paper on privacy, from a recent IOM workshop on the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Institute of Medicine 2006). This workshop, which brought together participants from a variety of public, private, and scientific sectors, including researchers, research funders, and those who had participated in preparation of the Privacy Rule, identified a number of issues to be addressed when clinical data are used to generate evidence and cast light on the lack of data about the quantitative and qualitative effects of HIPAA on the conduct of clinical research. A formal IOM study of the issue is anticipated.

From: 2, The Evolving Evidence Base—Methodologic and Policy Challenges

The Learning Healthcare System: Workshop Summary.
Institute of Medicine (US) Roundtable on Evidence-Based Medicine; Olsen LA, Aisner D, McGinnis JM, editors.
Washington (DC): National Academies Press (US); 2007.
Copyright © 2007, National Academy of Sciences.