The Health Insurance Portability and Accountability Act, or HIPAA, went into effect in 1996, with the aim of protecting the privacy of individually identifiable medical records. In April 2003, a mandatory Privacy Rule to protect individually identifiable health information came into effect for all health plans, health care clearinghouses, and providers who use electronic medical records. The Privacy Rule mandates the adoption of certain standards across the United States to protect, and prevent the misuse of, individually identifiable medical information. Failure to do so may carry civil and criminal penalties under federal law. HIPAA is not meant to replace any existing laws that protect individual medical records, and some states have even more stringent laws in place to protect patients' privacy.

An entity covered under HIPAA is permitted to use medical information and to make certain incidental disclosures regarding medical information if reasonable safeguards are in place to prevent the use of such information for purposes not permitted under the Privacy Rule. Such safeguards include physician and medical staff discretion in discussing a patient's medical information, and structural safeguards such as storing patient files in a secure location with controlled access, protecting electronic records with passwords and firewalls, etc.

Another guiding principle of the Privacy Rule is that when medical information is disclosed for permitted purposes, the minimum necessary information, and no more, should be revealed. The minimum necessary standard does not apply to disclosures to or requests by physicians for patient information for treatment purposes. It also does not apply if an individual wants to access his or her own medical records, or authorizes others to access these records. Disclosures are also permitted where dictated by HIPAA, including disclosures to the Department of Health and Human Services where such disclosure is required for enforcement purposes.