The HIPAA Privacy Rule sets national standards for the protection of Protected Health Information (“PHI”). PHI is individually identifiable health information transmitted or maintained in any form or medium by a covered entity or its business associate. There are three types of covered entities: health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic PHI (“ePHI”) that is created, received, used, or maintained by a covered entity or its business associates.
The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI, that is, PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified in HHS guidance (for example, encryption meeting that guidance).
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which was amended in 2009 by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), included provisions that required the U.S. Department of Health and Human Services (“HHS”) to adopt national standards for electronic health care transactions. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information.
Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of federal privacy and security protections for individually identifiable health information. These protections are embodied in the Privacy Rule, the Security Rule, and the Breach Notification Rule.