Health Insurance Portability and Accountability Act Privacy Rule
n. (abbr. HIPAA Privacy Rule) an amendment to United States law (Public Law 104–191, 45 CFR Part 160 and Subparts A and E of Part 164) governing access to a person’s health records and information

Citations

Behrnd-Klodt 2008, 143–144: The Privacy Rule facilitates the use and sharing of health information for medical treatment and payment for health care, but all other uses and disclosures of personal health information, including scholarly and historical research uses, require individual written authorization or strict compliance with HIPAA’s “safe harbor” provisions.

Pyatt 2008, 215: The Privacy Rule (Title 45 Code of Federal Regulations, parts 160 & 164) establishes the conditions under which records containing Personal Health Information (PHI) may be used or disclosed for research purposes.

White 2012, 120: In 2000, the United States Department of Health and Human Services issued the Privacy Rule (formally known as the Standards for Privacy of Identifiable Health Information) to ensure that paper health records are kept private while enabling sharing and use of paper health records for medical treatments and payment of health-care services.

Novak Gustainis and Letocha 2015, 164: The adoption of the Privacy Rule under HIPAA, which went into effect on April 14, 2003, has had a major impact on archivists responsible for collections documenting the health sciences and on the researchers who want to use these collections. HIPAA was the first comprehensive federal law on access to and use of health information; the first general federal medical privacy law to extend rights of privacy beyond the file unit of the medical record to individually identifiable health information in all types of file systems, documents, formats, and media; and the first federal law to extend rights of privacy beyond health information of living individuals to health information of the deceased.

Lawrence 2016, 44: According to the HIPAA Privacy Rule, such information includes all identifiable information about the “past, present, or future physical or mental health or condition of an individual [or] the provision of health care to an individual.” This means that even the information that a person is, was, or will be a patient of a health care provider (e.g. doctor, hospital) is protected.

Holden and Roeschley 2020, 87: Repositories might also model their restrictions on the HIPAA Privacy Rule, which protects health information for fifty years after the date of death of the individual.

Galloway 2021, 169: The regulations of the Privacy Rule are only imposed on medical professionals, agencies, and businesses like hospitals (called “covered entities”) that provide, bill for, and receive payment for medical care, when protected data already in electronic form are transmitted. Furthermore, if nonelectronic data are stored by a covered entity, they also fall under HIPAA’s privacy regulations.