Today, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) marks the 28th anniversary of the signing of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). On this day in 1996, President Bill Clinton signed this bipartisan legislation into law, introducing significant health care reforms. HIPAA is primarily known for establishing standards to safeguard the privacy and security of individually identifiable health information, which OCR administers and enforces.
“HIPAA is the cornerstone law that advances patient privacy, data protection, and health information security in our nation’s health care system. Importantly, HIPAA, through the HIPAA Rules, empowers patients and consumers to take their own health data into their own hands and instills trust in the patient-provider relationship to allow for better care and outcomes,” said Melanie Fontes Rainer, Director of the Office for Civil Rights. “With the rise of cyberattacks breaching patient privacy, HIPAA is more relevant than ever. OCR continues to prioritize health information privacy by updating and rigorously enforcing the HIPAA Rules that safeguard our national security in the health care system.”
OCR has implemented HIPAA requirements through various rules: Privacy, Breach Notification, Security, and Enforcement. These rules outline obligations for health plans, clearinghouses, most healthcare providers, and their business associates regarding protected health information.
The HIPAA Privacy Rule sets national standards to protect medical records and personal information while giving individuals rights such as timely access to their records. The Breach Notification Rule mandates procedures for notifying affected parties when a breach occurs. The Security Rule establishes standards for protecting the confidentiality and integrity of electronic personal health information. The Enforcement Rule covers compliance investigations and penalties for violations.
Recent advancements under the Biden-Harris Administration include:
- Final rules supporting reproductive healthcare privacy.
- Confidentiality regulations for substance use disorder patient records.
- Educational videos on risk analysis requirements under the Security Rule.
- Guidance on telehealth privacy tips.
- Videos on recognized security practices.
- Guidance on using personal devices securely.
- Specific guidelines related to COVID-19 vaccinations in workplaces.
Additionally, OCR has completed 55 enforcement actions addressing issues such as ransomware attacks, phishing incidents, improper disposal of protected health information (PHI), media access breaches, malicious insider activity, and patients' access to their information.
Individuals who believe their or another person's health information privacy or civil rights have been violated can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.