The U.S. federal regulation commonly referred to as "HIPAA" or the "Privacy Rule" establishes a foundation of protection for the privacy of individual health information. This rule does not replace any other Federal, State or local law that grants even greater privacy protections, and health care entities are free to be more protective. The Privacy Rule:
Further development of the HIPAA regulations include the "Security Rule" that addresses administrative, physical and technical safeguard requirements for electronic health information.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, U.S. Public Law 104-191, included requirements to develop and adopt national standards for privacy protection of individually identifiable health information and for electronic health care transactions.
The privacy protection standards were developed by the U.S. Department of Health and Human Services, Office of Civil Rights (HHS, OCR), published in December of 2000, and modified into a final rule in August of 2002 after extensive public comment. The final rule, "Standards for Privacy of Individually Identifiable Health Information," required compliance by April 14, 2003 for health care providers, health plans, and health care clearinghouses with an extension of one year for small health plans. This regulation is codified in 45 CFR 164 Security and Privacy, Subpart E Privacy of Individually Identifiable Health Information, 164.500 - 164.534.
These regulations were modified and expanded in February of 2003. A new section was added to 45 CFR 164: Subpart C Security Standards for the Protection of Electronic Protected Health Information, 164.302-164.318. This Subpart is commonly referred to as the "Security Rule" or "Security Standard" and required compliance by April 20, 2005.
*Based on guidance posted on the US Office of Civil Rights website, last revised May 16, 2006, at http://www.hhs.gov/ocr/hipaa/privacy.html and on the US Centers for Medicare and Medicaid website, last modified May 06, 2008, at http://www.cms.hhs.gov/SecurityStandard/
HIPAA sets standards for how health care information flows from health care providers, health plans, and health care clearinghouses. Researchers who need to use or access this information will be affected indirectly, because the regulations govern that flow.
Researchers will be required to obtain use of and access to medical information from these "covered entities" in the following ways:
The Privacy Rule regulates the way certain health care groups, organizations, or businesses, called covered entities under the Rule, handle the individually identifiable health information known as protected health information (PHI). Researchers should be aware of the Privacy Rule because it establishes the conditions under which covered entities can use or disclose PHI for many purposes, including for research. Although not all researchers will have to comply with the Privacy Rule, the manner in which the Rule protects PHI could affect certain aspects of research.
It is important to understand that many research organizations that handle individually identifiable health information will not have to comply with the Privacy Rule because they will not be covered entities. The Privacy Rule will not directly regulate researchers who are engaged in research within organizations that are not covered entities even though they may gather, generate, access, and share personal health information. For instance, entities that sponsor health research or create and/or maintain health information databases may not themselves be covered entities, and thus may not directly be subject to the Privacy Rule. However, researchers may rely on covered entities for research support or as sources of individually identifiable health information to be included in research repositories or research databases. The Privacy Rule may affect such independent researchers, as it will affect their relationships with covered entities.
http://privacyruleandresearch.nih.gov/pdf/HIPAA_Privacy_Rule_Booklet.pdf (NIH publication)
For additional information on how to comply with the HIPAA regulations see the HIPAA FAQs.