Human Research Protection Program

An In-depth Look at HIPAA, the Privacy Rule and Research

In 1996, the Health Insurance Portability and Accountability Act, commonly known as HIPAA, was passed with the goal of increasing the efficiency and accessibility of health insurance coverage, and establishing minimum federal standards for protecting the privacy of an individual’s identifiable health information.

The Administrative Simplification Provisions

Partly in response to technological advancements affecting the electronic standards for health data, the act addressed, among other things, the computerization of patient medical records and the transmission and sharing of patient information. HIPAA's administrative simplification provisions directed the U.S. Department of Health and Human Services (HHS) to create privacy standards and safeguards for the use of such electronic health care information. In response, HHS put forward five main rules:

  1. The Unique Identifiers Rule (resulting in the Standard Unique Employer Identifier, the National Provider Identifier and the National Health Plan Identifier).

  2. The HIPAA Privacy Rule (discussed below).

  3. The Transactions and Code Sets Rule (for the uniformity of electronic data exchange transactions when submitting, processing and paying claims).

  4. The HIPAA Security Rule (for the establishment of national standards for the protection of individuals' electronic personal health information* created, received, used or maintained by a covered entity**).

  5. The Enforcement Rule (for the enforcement of the Privacy and Security Rules).

* Protected Health Information: Individually identifiable health information such as any information related to an individual's physical or mental health, health care or payment for health care (covered in more detail below).

** Covered Entities: Those entities that handle health care information and are subject to HIPAA:

  1. Health care providers (doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, etc.).

  2. Health plans (health insurance companies, HMOs, company health plans, Medicare, Medicaid, VA health care programs, etc.).

  3. Health care clearinghouses (entities that process nonstandard health information they receive from another entity into a standard electronic format or data).