Information Sharing: Health Insurance Portability and Accountability Act of 1996 (HIPAA)
What Is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and
its implementing regulations, commonly known as the HIPAA Privacy Rule and
the HIPAA Security Rule, protect the privacy and security of individually
identifiable health information, called protected health information or PHI, held
by health plans, health care clearinghouses, and most health care providers, collectively
known as covered entities, and their business associates (entities that have access
to individuals’ health information to perform work on behalf of a covered entity).
The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information,
establishes national standards to protect the privacy of individuals’ identifiable
health information. In doing so, the Privacy Rule sets forth the circumstances under
which covered entities and their business associates may use or disclose an individual’s
health information, requires safeguards to protect the information, and gives individuals
rights, including rights to examine and obtain a copy of their health records and
to request corrections.
A major goal of the Privacy Rule is to ensure that individuals’ health information
is properly protected while allowing the flow of health information needed to provide
and promote high-quality health care and to protect the public's health and well-being.
Given that the health care marketplace is diverse, the Privacy Rule is designed
to be flexible and comprehensive to cover the variety of uses and disclosures that
need to be addressed.
The Security Rule, or Security Standards for the Protection of Electronic
Protected Health Information, establishes a national set of security standards
for protecting health information that is held or transferred in electronic form.
The Security Rule sets out the technical, administrative, and physical safeguards
that covered entities and business associates must put in place to secure individuals’
electronic health information. The Security Rule is designed to be flexible,
scalable, and technology neutral, so a covered entity or business associate can
implement policies, procedures, and technologies that are appropriate for the entity’s
particular size, organizational structure, and risks to consumers’ electronic health
The HHS Office for Civil Rights (OCR) has responsibility for administering and enforcing
the Privacy and Security Rules.
How Does HIPAA Apply in Schools?
Generally, HIPAA does not apply to student health information maintained
by a school. While schools and school districts may maintain student health records,
these records are in most cases not protected by HIPAA. Rather, student health
information maintained at a school would be considered education records protected
by the Family Educational Rights and Privacy Act (FERPA).
HIPAA may apply, however, to patient records at a university hospital, which
may include records on students and non-students, or to the health records of non-students
at a university health clinic.
During the emergency planning process, if you believe health information to which
access may be needed is covered by HIPAA, you should consult the guidance
and resources for further information about how HIPAA applies.
HIPAA Guidance and Resources
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has
developed, and continues to develop, extensive guidance on implementing the HIPAA
Privacy Rule, including in emergency situations. The OCR website has guidance
about the intersection between HIPAA and FERPA and the release of
PHI for common emergency preparedness issues and public health purposes, such as
terrorism preparedness and outbreak investigations. For more detailed information
or additional guidance, please see the HHS OCR website at privacy and the U.S. Department
of Health and Human Services/U.S. Department of Education HIPAA/FERPA guide