Privacy and Security of Health Records

The Standards for Privacy of Individually Identifiable Health Information ("Privacy Rule") establishes a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services ("HHS") issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Privacy Rule addresses standards for the use and disclosure of individuals' health information (called "protected health information") and outlines standards for individuals' privacy rights, as well as individuals' rights to understand and control how their health information is used.

The HIPAA Privacy Rule is a set of federal standards to protect the privacy of patients' medical records and other health information maintained by covered entities (health plans, which include many governmental health programs, such as the Veterans Health Administration, Medicare, and Medicaid; most doctors, hospitals, and many other healthcare providers and healthcare clearinghouses) and by their business associates. The Privacy Rule provides patients with access to their medical records and with other important rights. Compliance with the Privacy Rule was required as of April 14, 2003, for most entities covered by HIPAA, and by September 23, 2013, for their business associates.

The HIPAA Security Rule establishes national standards for the security of electronic protected health information (PHI). The Security Rule specifies a series of administrative, technical, and physical security safeguards for covered entities and their business associates to assure the integrity, availability, and confidentiality of electronic PHI. Compliance with the Security Rule was required as of April 20, 2005, for most entities covered by HIPAA, and by September 23, 2013, for their business associates.

The Health Information Technology for Economic and Clinical Health Act (HITECH) was signed into law as part of Title XIII of the American Recovery and Reinvestment Act (ARRA) of 2009. HITECH sets forth a federal standard for security-breach notifications relating to the unauthorized dissemination of PHI. The HIPAA Breach Notification Rule requires covered entities and their business associates to notify the HHS Secretary, individuals, and in some cases, the media, regarding breaches of unsecured PHI. Compliance with the standards was required as of September 23, 2009.

For additional information regarding HIPAA privacy and security requirements, refer to the Health Information Privacy web page on the Health and Human Services website at hhs.gov. Indiana Health Coverage Programs (IHCP) policies and practices are outlined in the HIPAA Standards for Electronic Transactions and Code Sets module, as well as other provider reference modules available on the Provider Reference Materials page at indianamedicaid.com.

IHCP Notice of Privacy Practices

Pursuant to the HIPAA Privacy Rule, the IHCP routinely mails the IHCP Notice of Privacy Practices to all active IHCP members. New IHCP members receive a copy of the notice shortly after enrolling in the program.

A copy of the IHCP Notice of Privacy Practices is available for reference and can be found on the IHCP member website at indianamedicaid.com.