The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule, protect the privacy and security of individually identifiable health information, called protected health information or PHI, held by health plans, health care clearinghouses, and most health care providers, collectively known as covered entities, and their business associates (entities that have access to individuals’ health information to perform work on behalf of a covered entity).
The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards to protect the privacy of individuals’ identifiable health information. In doing so, the Privacy Rule sets forth the circumstances under which covered entities and their business associates may use or disclose an individual’s health information, requires safeguards to protect the information, and gives individuals rights, including rights to examine and obtain a copy of their health records and to request corrections.
A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being. Given that the health care marketplace is diverse, the Privacy Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.
The Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, establishes a national set of security standards for protecting health information that is held or transferred in electronic form. The Security Rule sets out the technical, administrative, and physical safeguards that covered entities and business associates must put in place to secure individuals’ electronic health information. The Security Rule is designed to be flexible and scalable, and technology neutral, so a covered entity or business associate can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ electronic health information.
The HHS Office for Civil Rights (OCR) has responsibility for administering and enforcing the Privacy and Security Rules.
Generally, HIPAA does not apply to student health information maintained by a school. While schools and school districts may maintain student health records, these records are in most cases not protected by HIPAA. Rather, student health information maintained at a school would be considered education records protected by the Family Educational Rights and Privacy Act (FERPA).
HIPAA may apply, however, to patient records at a university hospital, which may include records on both students and non-students, or to the health records of non-students at a university health clinic.
During the emergency planning process, if you believe health information to which access may be needed is covered by HIPAA, you should consult the guidance and resources for further information about how HIPAA applies.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has developed, and continues to develop, extensive guidance on implementing the HIPAA Privacy Rule and on its application in emergency situations. The OCR website has guidance about the intersection between HIPAA and FERPA and about the release of PHI for common emergency preparedness issues and public health purposes, such as terrorism preparedness and outbreak investigations. For more detailed information or additional guidance, please see the HHS OCR website at privacy and the U.S. Department of Health and Human Services/U.S. Department of Education HIPAA/FERPA guide at uide.pdf