About HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of statutes designed to improve the efficiency and effectiveness of the US health care system:

  • Title I: HIPAA's Title I establishes rules to "improve the portability and continuity of health insurance coverage" for workers when they change employers.
  • Title II: HIPAA's Title II establishes rules to prevent health care fraud and abuse. Its "Administrative Simplification" section sets standards for enabling the electronic exchange of health information, and includes provisions establishing rules for protecting the privacy and security of personal health information:
    • Privacy Rule: The HIPAA Privacy Rule protects the privacy of individually identifiable personal health information.
    • Security Rule: The HIPAA Security Rule defines national security standards for protecting electronic data that contain protected health information ( PHI).
    • Enforcement Rule: The HIPAA Enforcement Rule empowers the Secretary of the US Department of Health and Human Services (HHS) to impose civil money penalties on entities that violate HIPAA rules.
    • Breach Notification Rule: The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to notify affected individuals, the HHS Secretary, and (in certain circumstances) the media following any breaches of unsecured PHI.

The HHS Office for Civil Rights (OCR) administers and enforces compliance with the HIPAA Privacy and Security Rules.

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted to strengthen HIPAA enforcement rules. Subtitle D of the HITECH Act improved privacy and security provisions found in the original HIPAA privacy and security rules. In 2013, relevant provisions of HITECH and the Genetic Information Non-discrimination Act (GINA) of 2008 were combined to create the HIPAA "Final Rule".

For more about HIPAA and the HITECH Act, see these HHS pages:

Additionally, see the US Department of Labor's HIPAA fact sheet and the US Government Printing Office's online copy of the HIPAA statute.

At Indiana University, compliance with HIPAA's privacy and security rules is coordinated through the Office of the Chief Privacy Officer. For policies, procedures, and additional details about HIPAA compliance at IU, see HIPAA Privacy and Security Compliance, or email hipaa@iu.edu.

SecureMyResearch, a joint initiative of Indiana University's Center for Applied Cybersecurity Research (CACR), OVPIT Information Security, and UITS Research Technologies, provides self-service resources and one-on-one consulting to help IU researchers, faculty, and staff meet cybersecurity and compliance requirements for processing, storing, and sharing research data, including PHI. If you have questions about securing HIPAA-regulated research data at IU, email securemyresearch@iu.edu. To learn more about properly ensuring the safe handling of PHI on UITS systems, see the UITS IT Training video Securing HIPAA Workflows on UITS Systems. To learn about division of responsibilities for securing PHI, see Shared responsibility model for securing PHI on UITS systems.

This is document ayyy in the Knowledge Base.
Last modified on 2020-03-24 13:59:59.

Contact us

For help or to comment, email the UITS Support Center.