HIPAA: Health Insurance Portability and Accountability Act
HIPAA, the Health Insurance Portability and Accountability Act, was passed by Congress in 1996. The U.S. Department of Health and Human Services Office of Civil Rights (OCR) enforces HIPAA.
The HIPAA regulations established a Privacy Rule, Security Rule, and Enforcement Rule which regulate and protect the use and disclosure of protected health information (PHI). HIPAA established a floor for the protection of PHI. This means that when state laws are more protective of PHI than HIPAA, the state law controls instead of the federal HIPAA law.
Several Tennessee privacy laws are more protective of citizens’ health information than federal law. The Tennessee Department of Health is a hybrid entity under HIPAA.
HIPAA Frequently Asked Questions
- Health Care Providers
- Health Care Clearinghouse
- Health Plans
PHI is all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Individually identifiable health information is information, including demographic data, that relates to:
- The individual’s past, present or future physical or mental health or condition;
- The provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual; and
- That identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Individually identifiable health information includes many common identifiers, such as name, address, birth date, and Social Security number.
A patient has the right to submit a complaint if they:
- Believe their health provider has improperly used or disclosed their PHI;
- Have concerns about the provider’s HIPAA privacy policies; or,
- Have concerns about the provider’s compliance with its privacy policies.
The patient may file the complaint with either of the following:
- The provider’s Chief Privacy Officer; or,
- The US Department of Health and Human Services, Office of Civil Rights.
- Centers for Medicare and Medicaid Services
- Centers for Medicare and Medicaid Services - Questions and Answers
- Office of Assistant Secretary for Planning and Evaluation - Administration Simplification Act
- Office of Civil Rights - View Privacy Rule, questions and answers
- Washington Press Corporation - Implementation Guides for Standard Transactions and information about Code Sets
Contact - TDH Privacy Officer
Privacy Hotline: (615) 253-5637 or 1-877-280-0054
HIPAA Hybrid Designation
TDH operates as a hybrid entity under HIPAA. A hybrid entity is an organization that performs both covered and non-covered business operations under HIPAA and has designated which offices operate as covered health care components. State confidentiality laws continue to apply to all TDH Offices.
For more information regarding TDH’s status as a hybrid entity under HIPAA, click the link to view TDH’s Hybrid policy: