HHS Office for Civil Rights Celebrates the 28th Anniversary of Health Information Privacy and Security Law - HIPAA
Today, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) celebrates the 28th anniversary of the signing of the Health Insurance Portability and Accountability Act of 1996 (better known as “HIPAA”). Twenty-eight years ago today, President Bill Clinton signed this historic bipartisan legislation into law. HIPAA ushered in many needed health care reforms. Today, HIPAA is best associated with requiring, for the first time, a set of standards for safeguarding the privacy and security of individually identifiable health information; it is administered and enforced by OCR.
“HIPAA is the cornerstone law that advances patient privacy, data protection, and health information security in our nation’s health care system. Importantly, HIPAA, through the HIPAA Rules, empowers patients and consumers to take their own health data into their own hands and instills trust in the patient-provider relationship to allow for better care and outcomes,” said Melanie Fontes Rainer, Director of the Office for Civil Rights. “With the rise of cyberattacks breaching patient privacy, HIPAA is more relevant than ever. OCR continues to prioritize health information privacy by updating and rigorously enforcing the HIPAA Rules that safeguard our national security in the health care system.”
OCR has implemented the requirements of HIPAA and related statutes with the creation and modifications of the HIPAA Privacy, Breach Notification, Security, and Enforcement Rules. These rules set forth the requirements that health plans, health care clearinghouses, and most health care providers, and their business associates (e.g., third party administrator that assists a health plan with claims processing, accountant providing services to a health care provider, medical transcriptionist services to a physician) must follow relating to the privacy and security of protected health information (e.g., medical records, personally identifiable information). The HIPAA Rules work together to protect the privacy and security of health information and ensure continuity of our nation’s health care systems, including critical protections against cybersecurity threats, specifically:
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records, sets limits and conditions on the uses and disclosures of protected health information, and gives individuals certain rights, including the right to timely access and to obtain a copy of their health records.
The HIPAA Breach Notification Rule establishes requirements for health care providers, health plans and health care clearinghouses, and their business associates when a breach occurs, to help notify the public, ensure patients understand the implications of the breach to their privacy, and ensure continuity of care.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information, and ensure the confidentiality, integrity, and security of electronic protected health information.
The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.
Key Biden-Harris Administration advancements on HIPAA:
55 Completed HIPAA Enforcement Actions by OCR, including ransomware, hacking, phishing, protected health information (PHI) on unsecured servers, media access to PHI, improper disposal of PHI, malicious insiders, and patients’ access to their health information
If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at: https://www.hhs.gov/ocr/complaints/index.html.
For general media inquiries, please contact media@hhs.gov.
Content created by Assistant Secretary for Public Affairs (ASPA)