:: About HIPAA
Notice of Privacy Practices 

Background and General Information
(taken from U.S. Department of Health & Human Services)
The privacy provisions of the federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), apply to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses. The Department of Health and Human Services (HHS) has issued the regulation "Standards for Privacy of Individually Identifiable Health Information," applicable to entities covered by HIPAA. The Office for Civil Rights (OCR) is the Departmental component responsible for implementing and enforcing the privacy regulation. (See the Statement of Delegation of Authority to the Office for Civil Rights, as published in the Federal Register on December 28, 2000).

For the average health care provider or health plan, the Privacy Rule requires activities, such as:

  • Notifying patients about their privacy rights and how their information can be used.
  • Adopting and implementing privacy procedures for its practice, hospital, or plan.
  • Training employees so that they understand the privacy procedures.
  • Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
  • Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.
Responsible health care providers and businesses already take many of the kinds of steps required by the Rule to protect patients' privacy. Covered entities of all types and sizes are required to comply with the Privacy Rule. To ease the burden of complying with the new requirements, the Privacy Rule gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs. The scalability of the Rule provides a more efficient and appropriate means of safeguarding protected health information than would any single standard. For example,
  • The privacy official at a small physician practice may be the office manager, who will have other non-privacy related duties; the privacy official at a large health plan may be a full-time position, and may have the regular support and advice of a privacy staff or board.
  • The training requirement may be satisfied by a small physician practice's providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.
  • The policies and procedures of small providers may be more limited under the Rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.
Please see my Notices of Privacy Practices statement.