The HIPAA privacy rules, which healthcare providers must comply with beginning April 14th, 2003, are part of a broad band of legislation contained in the Health Insurance Portability and Accountability Act, or HIPAA, which Congress adopted into law in 1996. Congress enacted the HIPAA privacy rules to regulate the maintenance, transmission, security and privacy of personal health information. The rules define this information as individually identifiable “protected health information” (PHI).

The HIPAA privacy rules will apply to all protected health information whether it is written in records, discussed orally, or communicated electronically. A health care provider that submits or receives electronic transactions (including claims) through a clearinghouse, a vendor, or via the internet, or that submits paper claims to a billing service for conversion to electronic transactions, is a “covered entity” under the HIPAA rules.
Under these rules, health care providers must have in place a written privacy policy, and they must appoint a staff member to be a privacy officer. The HIPAA privacy rules also say that patients have the right to gain access to their records, to request corrections, and to receive an accounting of any unauthorized use of their PHI.

Health care providers will be required to protect against unauthorized use of patient information and threats to security, maintain necessary safeguards to protect confidentiality, make sure their employees are on a “need to know” basis with a patient’s health information, and work to reduce the chance of inadvertent disclosure. Health care providers will also be required to gain written consent from patients before disclosing any protected health information under non-routine circumstances to most third parties, including the patient’s employer.