Background On HIPAA (Privacy and Security Rules):
Last updated: 12/2004
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required Congress to pass comprehensive standards to
protect individually identifiable health information by 1999. The first standard issued was the Privacy Rule. The Department of Health and Human
Services (HHS) issued the Privacy Rule in December 2000 to carry out HIPAA's mandate that HHS establish Federal standards for safeguarding the
privacy of individually identifiable health information. Persons, institutions and organizations covered by HIPAA are called 'covered entities.'
The Privacy Rule became effective in April 2003. In April 2005 the Security Rule becomes effective. Provisions of both rules apply to researchers who use
individually identifiable health information, otherwise known as Protected Health Information or PHI.
The Privacy Rule applies to health information in any form or media, whether electronic, paper or oral. The Security Rule will apply only to
PHI in electronic form.
Covered entities under HIPAA consist of: Health Care Providers who conduct certain electronic health care transactions such as billing
(i.e. Cornell), health plans and health care clearinghouses. To remain in compliance with HIPAA, a covered entity needs to protect the
privacy of a person's identifiable health information (which is commonly referred to as personally identifiable health information 'PHI').
The law mandates that a covered entity can only collect and share the minimal amount of PHI necessary to carry out a research study.
The Privacy Rule was enacted on April 14th, 2003, to protect all PHI held or transmitted by a covered entity or its business associate,
in any form or media, whether electronic, paper or oral. The Security Rule will apply only to PHI in electronic form.
The Main Purposes of HIPAA's Privacy Rule: The major goal of the Privacy Rule is to assure that individuals' health
information is protected while allowing the flow of health information needed to provide quality healthcare and to protect the public's health and
well-being. The goal of the rule is to strike a balance that allows the uses of information, while protecting the privacy of people
who seek care. Generally the HIPAA Privacy Rule is an attempt to set minimum federal standards for safeguarding the privacy of individually
identifiable health information.
Patients' Rights: The Privacy Rule gives patients the right to receive a notice of privacy, receive a listing of uses and disclosures of their
health information, inspect, copy and request amendments to their medical records, and file a formal complaint about violations of privacy. It also
establishes criminal and civil penalties for improper use and disclosure.
The new regulations will affect how clinical investigators access and use existing health information (medical/database record reviews) and
how identifiable information is handled and created as part of clinical research.
Visit the Helpful HIPAA Links webpage for more information.