HIPAA: Health Insurance Portability and Accountability Act

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act, was passed by Congress in 1996. The U.S. Department of Health and Human Services Office of Civil Rights (OCR) enforces HIPAA.

The HIPAA regulations established a Privacy Rule, Security Rule, and Enforcement Rule which regulate and protect the use and disclosure of protected health information (PHI).

HIPAA established a “floor” for the protection of PHI. This means that when state laws are more protective of PHI than HIPAA, the state law controls instead of the federal HIPAA law. Several Tennessee privacy laws are more protective of citizens’ health information than federal law.

The Tennessee Department of Health is a hybrid entity under HIPAA.

Who must comply with HIPAA?

  • Health Care Providers
  • Health Care Clearinghouses
  • Health Plans

What is Protected Health Information (PHI)?

PHI is all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).[1]

What are my rights as a patient?

  • Right to receive a notice of the privacy practices.
  • Right to review or request a copy of your PHI.
  • Right to request that changes be made to correct errors in your records or to add information that has been omitted.
  • Right to request a list of certain disclosures that have been made of your PHI.
  • Right to request a restriction which limits how your PHI is used or disclosed.
  • Right to request confidential communications.
  • Right to file a complaint.

A health provider can disclose an individual’s PHI without the patient’s authorization if the disclosure is for treatment, payment, or operations, or if the disclosure is mandated by law. For most other uses, the patient will need to authorize the provider to make the disclosure.


How to File a HIPAA Complaint:

A patient has the right to submit a complaint if they:

  • believe their health provider has improperly used or disclosed their PHI;
  • have concerns about the provider’s HIPAA privacy policies; or
  • have concerns about the provider’s compliance with its privacy policies.

The patient may file the complaint with either of the following:

Contact information for the TDH Privacy Officer: