As technologies such as computerized physician order entry systems and electronic health records have been developed and evolved, health care providers in Kentucky and throughout the U.S. have implemented them into their practices. To ensure that patients’ privacy and information are protected, the Health Insurance Portability and Accountability Act of 1996 was developed by the U.S. Department of Health and Human Services. Medical professionals must comply with the HIPAA Privacy, Security and Breach Notification rules to avoid potentially facing fines, criminal charges or civil action.

According to HHS, covered entities and their business associates must adhere to the HIPAA rules. Covered entities include doctors, hospitals, clinics, pharmacies, nursing homes and other health care providers who bill electronically for their services. Health plans and health care clearinghouses also fall under the category of covered entities. Business associates are those who perform certain services to or for covered entities, or who otherwise perform certain functions or activities on their behalf and are not members of their workforce.

The HIPAA Privacy Rule establishes standards for protecting certain health information, including how such information can be used and disclosed. Health care providers must provide patients with a notice of their privacy practices at their initial visits and make it available thereafter should someone ask for a copy. With few exceptions, covered entities can use or disclose patient information for payment, treatment and other health care operations activities, or to ensure public health and safety.

According to the Centers for Medicare and Medicaid Services, the HIPAA Security Rule stipulates protections that covered entities and business associates must develop and put in place security measures that are reasonable and appropriate for the protection of their patients’ electronic protected health information. These safeguards should identify potential threats to the integrity or security of patients’ information and protect such information from uses or disclosures that are impermissible.

Should a breach of patients’ protected health information occur, covered entities are required by the HIPAA Breach Notification Rule to notify those who are affected. Additionally, they must inform HHS and, in some cases, may have to issue notice to the media.