45 CFR Part 160 and Subparts A and E of Part 164 (Download a copy in PDF)
The following overview provides answers to general questions regarding the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), promulgated by the Department of Health and Human Services (HHS).
To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, included “Administrative Simplification” provisions that required HHS to adopt national standards for electronic health care transactions. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.
In response to the HIPAA mandate, HHS published a final regulation in the form of the Privacy Rule in December 2000, which became effective on April 14, 2001. This Rule set national standards for the protection of health information, as applied to the three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct certain health care transactions electronically. By the compliance date of April 14, 2003 (April 14, 2004, for small health plans), covered entities must implement standards to protect and guard against the misuse of individually identifiable health information. Failure to timely implement these standards may, under certain circumstances, trigger the imposition of civil or criminal penalties.
Secretary Tommy Thompson called for an additional opportunity for public comment on the Privacy Rule to ensure that the Privacy Rule achieves its intended purpose without adversely affecting the quality of, or creating new barriers to, patient care. After careful consideration of these comments, in March 2002 HHS published proposed modifications to the Rule, to improve workability and avoid unintended consequences that could have impeded patient access to delivery of quality health care. Following another round of public comment, in August 2002, the Department adopted as a final Rule the modifications necessary to ensure that the Privacy Rule worked as intended.
The Privacy Rule establishes, for the first time, a foundation of Federal protections for the privacy of protected health information. The Rule does not replace Federal, State, or other law that grants individuals even greater privacy protections, and covered entities are free to retain or adopt more protective policies or practices.
Please review the Frequently Asked Questions about the Privacy Rule.
OCR HIPAA Privacy
December 3, 2002 Revised April 3, 2003
Back to Top