Krystal Skaggs, MS, LPC
Federal Law
The federal Health Insurance Portability and Accountability Act (HIPAA) requires health care providers (including mental health care providers) to protect the privacy of patient records and health information, and requires the federal Department of Health and Human Services (HHS) to adopt implementing rules. HIPAA and its rules apply to health care providers, health plans and other entities that process health insurance claims; these are referred to as "HIPAA covered entities." Business associates of covered entities that receive protected health information (PHI) must also comply with the HIPAA rules.

On March 26, 2013, the HHS Final Omnibus Rule, adopted pursuant to HIPAA and related federal laws, goes into effect. This final rule includes the Privacy Rule, the Security Rule and the Breach Notification Rule.
​
The HIPAA Privacy Rule gives consumers rights over their health information and sets limits on who can view and receive a consumer's protected health information (PHI). The Privacy Rule applies to all forms of PHI, whether oral, electronic or written.
The HIPAA Security Rule protects PHI in electronic form and requires HIPAA covered entities to maintain reasonable safeguards to keep electronic PHI secure.
The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to notify affected consumers and HHS in the event of a breach of unsecured PHI.

HIPAA also provides that if a state law grants a patient more privacy protection than HIPAA does, the state law applies.
Texas Law
Effective September 1, 2012, the Texas Medical Records Privacy Act provides additional protections to consumers. The Act is broader in scope than HIPAA: it applies not only to health care providers, health plans and other entities that process health insurance claims, but also to any individual, business or organization that obtains, stores or possesses PHI, as well as their agents, employees and contractors if they create, receive, obtain, use or transmit PHI.

Under the Act, these individuals, businesses and organizations must comply with several requirements, including mandatory training for employees regarding PHI. In most instances, the Act prohibits covered entities from using or disclosing PHI without first obtaining the individual's authorization.

Read more about state health privacy laws at texasattorneygeneral.gov.