What is the HIPAA Law?

HIPAA, the Health Insurance Portability and Accountability Act, was signed into law by President Bill Clinton on August 21, 1996. Most healthcare insurance companies and providers have adhered to the HIPAA regulation guidelines since October 2002 (October 2003 for smaller health plans). The HIPAA law takes a multi-step approach to improving the health insurance system. One part of the HIPAA regulations addresses privacy: Title IV, which defines rules for the protection of patient information. All healthcare providers, health organizations, and government health plans that use, store, maintain, or transmit patient health care information are required to comply with the privacy regulations of the HIPAA law. Certain small, self-administered health organizations are excluded.

What is the HITECH Law?
HITECH, the Health Information Technology for Economic and Clinical Health Act, was signed into law by President Barack Obama in September 2009 with an enforcement date of February 2010. The HITECH Act is a portion of the American Recovery and Reinvestment Act ("The Stimulus Act") and enhances the HIPAA security regulations to keep patient information confidential, safe, available, and accurate. It requires healthcare organizations to:

  • develop risk / harm analysis processes for all security breaches involving unsecured protected health information (PHI);
  • notify patients, media, and the Department of Health and Human Services of security breaches involving unsecured PHI under certain circumstances;
  • adhere to restriction requests under certain circumstances;
  • meet “meaningful use” guidelines and federal government reporting requirements;
  • account for all disclosures (including treatment, payment, and healthcare operations) that involve the electronic health record; and
  • hold all staff and Business Associates accountable to all HIPAA privacy and security rules.

How do the HIPAA and HITECH laws affect me?
The complete HIPAA law concentrates on simplifying the health care system and ensuring privacy and security for protected health information. Title IV is a safeguard ensuring the protection of privacy for your medical information. Along with federally ensuring your privacy, the HIPAA law is intended to reduce fraudulent activity and improve data systems. These regulations give patients rights regarding their medical information and require health care systems to notify patients how their information is used and whether a breach of their information has occurred.

How do I make sure my healthcare provider is taking steps to comply with the HIPAA and HITECH regulations?
Some health care providers have taken steps such as controlling access to offices with medical files through electronic key card systems and allowing employees access only to the minimum amount of information they need. In addition, many medical facilities and insurance providers use special services to secure electronic transactions. If you have concerns about what your health care provider or physician is doing to comply with the HIPAA and HITECH laws, ask them what steps they have taken to ensure your privacy and whether they plan to take more prevention measures in the future. If your health insurance is from a small, self-administered health organization, it may not have to comply with the HIPAA regulations. It is important to check with them to see whether they are complying with the HIPAA regulations and, if not, what steps they are taking on their own to ensure the security of electronic health information and your privacy.

What do I do if I suspect my confidentiality has been breached?
It is important to document all conversations with your health care provider about the breach of your privacy. Also, if you have any paper documentation that relates to the concern, you will want to hold on to it. Contact your state insurance commissioner to report fraud by private insurance organizations, or call 1-800-HHS-TIPS to report fraud and abuse in Medicare and Medicaid programs. You may also contact the Office of Civil Rights (OCR) if you believe that your health care provider has violated your (or someone else's) health information privacy rights or committed another violation of the Privacy or Security Rule. The OCR can investigate complaints against health care providers. To file a complaint with the OCR you may access the following link:

For more information, go to the following links and/or download the following documents:

Personal Health Records & Identity Theft

Communication with Those Involved in a Patient’s Care

The HIPAA Privacy Rule

Notice of Privacy Practices

Page last updated on Nov. 22, 2011