HIPAA Basics Overview

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted as part of a broad Congressional attempt at incremental healthcare reform. Signed into law on August 21, 1996 by the Clinton administration, HIPAA is considered to be the most significant body of health-care legislation to be enacted since Medicare. HIPAA is made up of several provisions designed to protect the healthcare consumer in a number of ways – many of which are still not in effect. At a high level, HIPAA legislation includes the following:

Title I: Insurance portability – helping workers and their families maintain insurance coverage when they change or lose a job. Provides continuity and portability of health benefits to people in between jobs.

Title II: Administrative simplification – providing legislation around privacy, security and electronic data. Ensures security and privacy of individual health information.

Title III: Tax-related provisions – allowing employees to set up medical savings accounts. Reduces administrative expenses in the healthcare system; administrative costs have been estimated to account for nearly 25% of healthcare costs.

Title IV: Enforcement of group health care requirements. Provides uniform standards for electronic health information transactions.

Title V: Revenue offsets – for company-based life insurance plans. Provides measures to combat fraud and abuse in health insurance and health care delivery.

Many People Have Access to Your Health Information

Imagine you were admitted to the hospital for a minor procedure. After three days and two nights you are discharged. During that time, how many people had access to your health records? Ten? Twenty? Fifty? According to the American Health Information Management Association, an average of 150 people will have access to your private health information during that time period.

HIPAA ensures that those who have access to your health information are authorized and will use it appropriately.

HIPAA has detailed rules regarding:

  • When you need to have a person’s written or oral permission to share health information.
  • When you should give a person a written privacy notice that tells the person how your agency will deal with his/her clinical information.
  • What your agency has to do in order to implement HIPAA.
  • How to avoid sharing health information with co-workers who may not have a “need to know.”
  • How to avoid discussing health information in public areas, or in telephone conversations that can be easily overheard by others.
  • Keeping and protecting written health information in the work environment from the eyes of others who do not need the information in order to perform their assigned job.
  • Making sure that casual visitors can’t wander into areas in which clinical or billing information is kept.
  • Recognizing when health information about a person can be shared without the person’s permission, and when written or oral permission of the person is required.
  • Making sure that if you have access to confidential or private information about a person, you follow all policies or procedures for safeguarding the confidentiality of that information.

Who is Covered

HIPAA applies to three fundamental types of organizations, collectively referred to as Covered Entities because they must comply with HIPAA. These Covered Entities are:

  • Health Plans – Individuals or groups that provide or pay for healthcare, such as insurance companies, health maintenance organizations and Medicare and Medicaid programs.
  • Health Care Clearinghouses – Organizations that facilitate the processing of health information such as billing services or transcription services.
  • Health Care Providers – Individuals, such as physicians, dentists, pharmacists, and larger organizations, such as hospitals, are Covered Entities when they electronically transfer patient information.

The following are specific examples of Covered Entities:

  • Hospitals and clinics
  • Nursing homes
  • Home health agencies
  • Most physicians, pharmacists, and dentists
  • Ambulance services
  • Managed care organizations
  • Some local health and social services departments
  • Laboratories
  • State Medicaid programs

Who is Not Covered – Examples

The following are NOT Covered Entities. Even though these agencies are involved with healthcare, they do NOT pay for healthcare, provide healthcare, or process healthcare information, so they are not considered Covered Entities:

  • Workers' compensation programs
  • Government programs that fund health care through grants
  • Government oversight agencies

Protected Health Information

The HIPAA privacy rule covers and sets standards for the collecting, sharing and storing of a person’s Protected Health Information, or PHI, for short. PHI is information that:

  • Relates to a person's past, present or future physical or mental health or condition, the provision of healthcare, or payment for healthcare.
  • Identifies the individual in a personal way.
  • Provides a reasonable basis for identifying the individual.
  • Is created or received by a Covered Entity.

How Can You Determine if the Person/Organization is a Covered Entity?

Does the person, business, or agency furnish, bill or receive payment for health care in the normal course of business? If no, then the person, business, or agency is not a covered health care provider.

Are Parent Centers – such as the Utah Parent Center – Covered Entities?

No, but they may receive private health information about a child from a family, school or health care provider and they have an obligation to protect that information and the privacy of the families they serve. (Other Parent Training and Information Centers – PTIs or Community Parent Resource Centers – CPRCs could be considered a “Business Associate” if they have a contract to serve as case managers or similar provider.)

Parent Centers should observe the following privacy guidelines:

  • Do not share any information that was shared by the family unless the family has given permission.
  • Secure documents with private information in locked cabinets or offices.
  • Avoid using family names in hallways or open areas; if discussing an individual family situation, go to a conference room.
  • Remind professionals, when necessary, to keep their voices down or to request a private area to discuss personal information.


  • US Department of Health and Human Services – Office for Civil Rights
  • HIPAA.org
  • New York State Office of Employee Relations
  • Medical Office Online
  • Florida Institute for Family Involvement


Adapted with permission from materials developed by

Technical Assistance Alliance for Parent Centers at PACER Center

8161 Normandale Blvd. | Minneapolis, MN 55437-1044 | www.taalliance.org