HIPAA, Privacy & Confidentiality

Health Insurance Portability and Accountability Act of 1996

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule seeks to protect individually identifiable health information from uses and disclosures that may unnecessarily compromise a person’s privacy. The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities, but balances that protection with permitting the disclosure of personal health information needed for patient care and other important purposes.

The Privacy Rule applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of Health and Human Services has adopted standards under HIPAA (defined as “covered entities”). Many organizations that use, collect, access, and disclose individually identifiable health information will not be covered entities under the rule, and thus will not have to comply with the Privacy Rule. In the realm of emergency response, HIPAA can create an environment in which the aging services providers and other organizations may have concerns about sharing the names of older adults who might require assistance. Local and state agencies and organizations should understand how HIPAA may impact planning and response efforts.

Guidance Memorandum to Administration on Aging

Only covered entities are subject to HIPAA’s controls. Organizations must first determine whether they qualify as a covered entity under the Rule. The U.S. Department of Health and Human Services released a guidance memo [PDF–177K] explaining that programs operating under the Older Americans Act do not meet the criteria for a covered entity as a health plan, but may meet the criteria for a health care provider, and may collect the type of personal health information covered under the Rule. Some aging programs, therefore, may be subject to HIPAA’s privacy rules.

Disclosures for Emergency Preparedness

The U.S. Department of Health and Human Services has created a decision tool to assist entities in determining how the Privacy Rule applies to certain disclosures within the realm of emergency preparedness, planning, and response.