Your Health Information Is Protected By Federal Law
Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.
Who Must Follow These Laws
We call the entities that must follow the HIPAA regulations “Covered Entities.”
Covered entities include:
- Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
nursing homes, pharmacies, and dentists.
In addition, Business Associates of Covered Entities must follow parts of the HIPAA regulations.
Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. We call these entities “Business Associates.” Examples of business associates include:
- Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims.
- Companies that help administer health plans.
- People like outside lawyers, accountants, and IT specialists.
- Companies that store or destroy medical records.
Covered Entities must have contracts in place with their Business Associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business Associates must also have similar contracts with subcontractors. Business Associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.