
What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with two goals:

  • Portability: To ensure individuals can maintain health insurance between jobs
  • Accountability: To mandate national standards for health transactions and patient privacy protections

Where HIPAA overlaps with state law, HIPAA serves as a “floor” of minimum protections.

HIPAA required the US Department of Health and Human Services (HHS) to promulgate regulations detailing these protections. In 2003, HHS put into law the following sets of HIPAA regulations or “Rules”:

  • Transactions and Code Sets
  • Privacy Rule - The individual’s view of what a covered entity does with his/her health information: a set of “individual rights” to be exercised by the individual.
  • Security Rule - The covered entity’s view of how it protects an individual’s health information: a set of standards to be implemented to protect the confidentiality and privacy of the individual’s health information.

What is HITECH?

The Health Information Technology for Economic and Clinical Health Act (HITECH) was part of the American Recovery and Reinvestment Act of 2009 and called for revisions to HIPAA and the HIPAA Rules in the areas of breach notification, business associate liability, and the enforcement authority of state attorneys general.

Who is affected?

Under HIPAA all “covered entities” are required to implement these standards. Covered entities are health plans, healthcare clearinghouses and healthcare providers who transmit health information in a HIPAA transaction. HITECH adds business associates and vendors of personal health records.

A "covered entity" is a health care provider (e.g. physicians, clinics, pharmacies, nursing homes), a health plan (e.g. a health insurer or HMO), or a health care clearinghouse, including any entity that processes nonstandard health information it receives from another entity into a standard format.

A "business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Examples of business associates include a third party administrator that assists a health plan with claims processing, an attorney whose legal services to a health plan involve access to protected health information, and a data processor that handles or stores "protected health information" on behalf of a "covered entity."

Under HIPAA, "covered entities" are required to comply with the Security Rule and the Privacy Rule. "Covered entities" are also responsible for compliance of their "business associates" with the Security Rule.

HIPAA’s general rule

No uses or disclosures of protected health information without the patient’s permission or authorization – with some exceptions

A patient’s “health information” is more than just his or her medical record, and includes what is on paper as well as what is stored or communicated electronically.

Key definitions

Health Information (§160.103)

Any information, whether oral or recorded in any form or medium, that:

  1. Is created or received by a covered entity, public health authority, employer, life insurer, or school or university; and
  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual

Protected health information (PHI)

Any one or more of these elements on a single document makes the document PHI.

  • Individual’s name
  • Names of relatives, employers, or household members
  • Address
  • City, State, Zip Code
  • State
  • Zip
  • Birthdate/Age
  • Date of Death
  • Admission/Discharge Date
  • Telephone number
  • Fax number
  • Electronic mail addresses
  • Social Security Number
  • Medical Record Number
  • Health Plan Beneficiary Number
  • Account Number
  • Certificate/License number
  • Vehicle identifiers and serial numbers, including license plate number
  • Device identifiers and serial numbers
  • Web Universal Resource Locator (URL)
  • Internet Protocol (IP) Address
  • Biometric identifiers, including finger and voice prints
  • Full-face photographic images and comparable images
  • Any other unique identifying code or number, characteristic, or code


To learn more visit the US Department of Health & Human Services website.