What federal rules do I need to follow to keep my patient records private and secure?

To ensure that your patients’ health and medical information and records are private and protected, a federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), has associated rules governing who may look at, receive, and use patients’ health information, as well as measures that must be taken to protect the confidentiality, integrity, and security of that information.

The HIPAA Privacy Rule sets national standards to protect the privacy of individually identifiable health information. The HIPAA Security Rule sets national standards for the security of electronic protected health information (PHI).

Under HIPAA, covered entities must:

  • Put in place safeguards to protect patients’ health information.
  • Reasonably limit uses and sharing to the minimum necessary to accomplish the intended purpose.
  • Have agreements in place with any service providers they use to perform functions or activities on their behalf. These agreements are to ensure that these service providers (referred to as "business associates") only use and disclose patients’ health information properly and safeguard it appropriately.
  • Have procedures in place to limit who can access patients’ health information, and implement training programs for you and your employees on how to protect your patients’ health information.

For a summary of the HIPAA Privacy Rule and Security Rule, see

Additionally, the Breach Notification Rule requires most health care providers covered by HIPAA to notify patients when there is a breach of unsecured PHI. The Breach Notification Rule also requires these entities to promptly notify the Secretary of Health and Human Services of any breach of unsecured protected health information, and to notify the media and the public if the breach affects more than 500 patients.

For guidance regarding the confidentiality of behavioral health information and the HIPAA Privacy Rule, please see 42 CFR Part 2 and the Substance Abuse and Mental Health Services Administration (SAMHSA) Summary of Selected Federal Laws and Regulations Addressing Confidentiality, Privacy and Security [PDF – 158 KB].

Content last reviewed on January 15, 2013