What is HIPAA and to whom does it apply?

The Health Insurance Portability and Accountability Act of 1996, commonly referred to as "HIPAA," is a federal law that, among other things, protects the privacy and security of certain health information, called "Protected Health Information" or "PHI." PHI is individually identifiable health information in any form or medium, whether electronic, paper, or oral.

HIPAA's Privacy Rule sets forth the circumstances under which an individual's PHI cannot, can, or must be used or disclosed. HIPAA's Security Rule sets forth the ways in which a Covered Entity must safeguard or protect PHI.

There is a common misconception that HIPAA applies to anyone and everyone. It doesn't! HIPAA applies to "Covered Entities," which include health plans, health care clearinghouses, and healthcare providers who transmit PHI in electronic form in a HIPAA-covered transaction. Providers include, among others, doctors, hospitals, health clinics, dentists, chiropractors, psychologists, and nursing homes. Health plans include health insurance companies, HMOs, company health plans, and government plans such as Medicare, Medicaid, or military health care programs.

HIPAA also applies to "Business Associates," which include individuals or entities who receive PHI from a Covered Entity in order to provide services for the Covered Entity. Business Associates may provide quality assurance, consulting, accounting, legal, administrative, or other services for the Covered Entity.

Even if HIPAA does not apply to a particular situation, other privacy laws might apply to protect information about one's health, including a common law claim for invasion of privacy.