The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established a comprehensive set of rules regulating, among other things, the privacy and security of medical information. As originally adopted, HIPAA directly regulated only “covered entities,” i.e., health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with covered transactions. The HIPAA privacy rule established a set of patient rights, including the right of access to one’s medical information, and placed certain limitations on when and how health plans and health care providers may use and disclose protected health information (PHI). The HIPAA security rule specifies a series of administrative, technical, and physical security procedures for providers and plans to use to ensure the confidentiality of electronic health information. HIPAA did not regulate vendors to covered entities—or “business associates,” in the parlance of the final privacy and security rules. Covered entities are, however, required to enter into written agreements with “business associate covenants” in order to share PHI.