Information about HIPAA

In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA). HIPAA addresses the following major areas: portability, nondiscrimination, administrative simplification, and privacy safeguards to protect the security and confidentiality of health information. The Privacy Rule portion of HIPAA became effective on April 14, 2001, with compliance required by April 14, 2003 for most covered entities and by April 14, 2004 for small health plans. The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.

Under the Privacy Rule, protected health information (PHI) is individually identifiable health information that is created or received by a health care provider, health plan, employer or health care clearinghouse and that relates to the past, present or future physical or mental health condition of an individual, the provision of health care to the individual, or payment for that care. PHI includes information in any form: paper, electronic and oral.

Group health plans, health care providers, and health care clearinghouses must comply with the Privacy Rule. A group health plan that receives PHI is required to satisfy the following administrative requirements:

  • Develop written privacy policies and procedures
  • Create a privacy notice to be distributed to plan participants
  • Implement privacy policies and procedures
  • Enter into Business Associate Agreements with vendors that create, receive or maintain PHI on the plan's behalf
  • Amend plan documents to reflect the group health plan privacy policies and procedures

Self-Funded vs. Fully Insured

Self-Funded - Group health plans that provide health benefits through self-insured or partially insured products must meet all the administrative requirements. The requirements are detailed in §164.530 of the Privacy Rule.

Fully Insured - Group health plans that provide health benefits solely through an insurance contract with a health insurance issuer or an HMO and receive or create only "summary health information" are not required to have a privacy official, provide training or amend plan documents to include privacy policies and procedures.

Summary health information is information that summarizes the claims history, claims expenses or types of claims experienced by plan participants, from which individual identifiers have been removed (geographic information may be retained only at the five-digit ZIP code level).

Developing Privacy Policies and Procedures

Health plans are required to develop and document policies and procedures relating to the use, disclosure and access to PHI.

This documentation serves as a tool for educating employees about your policies and procedures and is also the source for your privacy notice. Each employer's policies and procedures should reflect its own privacy practices. You must assess your own needs and devise, implement and maintain appropriate privacy policies specific to your organization.

To Get Started

  • Designate a privacy official who is responsible for developing and implementing your plan's privacy policies and procedures.

This can be an existing employee or a new position depending on the needs of your organization.

  • Audit your internal procedures to determine who has access to PHI, what type of PHI you collect or receive and for what purpose, and where and how it is being used or disclosed.

Who currently has access to PHI (for example: Human Resources, Accounting and Benefits Departments, etc.)?

What type of PHI is the plan now collecting or receiving (for example: claims payments, enrollment forms, explanations of benefits (EOBs), reinsurance data, case management reports, etc.)?

How, to whom and for what purpose is PHI currently being used or disclosed (reinsurer, claims administrator, broker/consultant, attorney, other personnel, etc.)?

  • Identify the persons or classes of persons within your organization who must have access to PHI to perform their job duties.

List those, by job title, who must have access to PHI.

  • Identify the minimum amount of PHI necessary for a particular type of disclosure or request.

The minimum necessary standard must be defined by the policies and procedures established by the plan: for each routine use, disclosure or request, identify the minimum PHI needed to accomplish the intended purpose, and limit access and disclosure to that.

  • Train members of your workforce regarding requirements and document that training took place.

Review your Privacy Policy and Procedures with all personnel who will come in contact with PHI.

  • Document administrative procedures to guard data integrity and confidentiality, including receipt, manipulation, storage, dissemination, transmission and disposal of health information.

This includes both physical and electronic data.

  • Establish a procedure to receive and document complaints concerning privacy policies. Health plans may not discriminate or take retaliatory action against any individual who files a complaint.

Identify a contact person or department responsible for receiving complaints about privacy violations.

  • Establish sanctions against members of your workforce who fail to comply with the privacy policies and procedures.

Document what happens if an employee violates your company's privacy policies and procedures, and keep a record of any sanctions actually applied.

Note: Health plans must retain their policies and procedures, and the other documentation the Privacy Rule requires (such as training records, complaints and sanctions), for six years from the date of creation or the date when the document was last in effect, whichever is later.

After you have gathered and documented all the necessary information pertaining to your use, disclosure and access to protected health information, proceed by developing an internal manual or handbook that members of your workforce will use to ensure that your company's policies and procedures for PHI are followed. Additional information about the HIPAA Privacy Rule can be obtained at http://www.hhs.gov/ocr/hipaa/.