Skip Utility Navigation
Skip Main Navigation

Information Sharing: Health Insurance Portability and Accountability Act of 1996 (HIPAA)

What Is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule, protect the privacy and security of individually identifiable health information, called “protected health information” or “PHI.” Such information is held by health plans, health care clearinghouses, and most health care providers, collectively known as “covered entities,” and their business associates (entities that have access to individuals’ health information to perform work on behalf of a covered entity).

The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards to protect the privacy of individuals’ identifiable health information. In doing so, the Privacy Rule sets forth the circumstances under which covered entities and their business associates may use or disclose an individual’s health information, requires safeguards to protect the information, and gives individuals rights, including rights to examine and obtain a copy of their health records and to request corrections.

A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care, and to protect the public's health and well-being. Given that the health care marketplace is diverse, the Privacy Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.

The Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, establishes a national set of security standards for protecting health information that is held or transferred in electronic form. The Security Rule sets out the technical, administrative, and physical safeguards that covered entities and business associates must put in place to secure individuals’ electronic health information. The Security Rule is designed to be flexible and scalable, and technology neutral, so a covered entity or business associate can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ electronic health information. The U.S. Department of Health and Human Services Office for Civil Rights has responsibility for administering and enforcing the Privacy and Security Rules.

How Does HIPAA Apply in Institutions of Higher Education?

Basic Principle. A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected heath information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.

Generally, HIPAA does not apply to health information in student records maintained by an IHE. While IHEs may maintain student health records, these records are in most cases not protected by HIPAA. Rather, student health information maintained at an IHE would be considered education or treatment records protected by FERPA.

HIPAA may apply, however, to patient records at a university hospital, which may include records on students and non-students, or to the health records of non-students at a university health clinic.

During the emergency planning process, if you believe health information to which access may be needed is covered by HIPAA, you should consult the guidance and resources section for further information about how HIPAA applies.

HIPAA Guidance and Resources

The Office for Civil Rights has developed, and continues to develop, extensive guidance pertaining to the implementation of HIPAA Privacy Rule and emergency situations. The Office for Civil Rights website has guidance about the intersection between HIPAA and FERPA, and the release of PHI for common emergency preparedness issues and public health purposes, such as terrorism preparedness and outbreak investigations. For more detailed information or additional guidance, please see the Office for Civil Rights website at http://www.hhs.gov/ocr/privacy/index.html.