
Privacy & Security

Since its inception, the HIPAA Privacy Rule has guaranteed an individual the right to access the protected health information (PHI) about him or her that is held by a health care provider or other covered organization. That right has operated in a primarily paper-based environment. While it has been common for health care providers to create, maintain, and exchange PHI in paper form, an increasing number of providers are adopting new forms of health information technology (health IT), which often involve the transition of PHI from paper to electronic form. Many health care providers, for example, are adopting comprehensive electronic health records (EHRs) to enhance the quality and efficiency of the care they deliver. Health IT may also create mechanisms by which individuals can electronically request access to their PHI and by which providers can respond electronically, either by providing or by denying access.

An individual’s right to access his or her PHI is a critical aspect of federal and state privacy rules and regulations, and that right naturally extends to an electronic environment. The current rule establishes, with limited exceptions, an enforceable means by which individuals can review or obtain copies of their PHI, to the extent it is maintained in the provider’s health IT system(s). These rules lay out specific yet flexible standards that also address how individuals request access and how quickly a provider must respond.

The HIPAA Privacy Rule provides the first national standards for protecting the privacy of health information. HIPAA regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but it excludes certain educational records and employment records. Among other provisions, the Privacy Rule:

  • gives patients more control over their health information;
  • sets boundaries on the use and release of health records;
  • establishes appropriate safeguards that the majority of health care providers and others must implement to protect the privacy of health information;
  • holds violators accountable through civil and criminal penalties that can be imposed for violations of patients' privacy rights;
  • strikes a balance when public health responsibilities support disclosure of certain forms of data;
  • enables patients to make informed choices based on how individual health information may be used;
  • enables patients to find out how their information may be used and what disclosures of their information have been made;
  • generally limits release of information to the minimum reasonably needed for the purpose of the disclosure;
  • generally gives patients the right to obtain a copy of their own health records and request corrections; and
  • empowers individuals to control certain uses and disclosures of their health information.