Health Insurance Portability and Accountability Act (HIPAA)

“HIPAA” stands for the Health Insurance Portability and Accountability Act of 1996. Congress passed this landmark law to provide consumers with greater access to health care insurance, to protect the privacy of health care data, and to promote more standardization and efficiency in the health care industry. While HIPAA covers a number of important health care issues, this informational series focuses on the Administrative Simplification portion of the law – specifically HIPAA’s Electronic Transactions and Code Sets requirements.

There are four parts to HIPAA’s Administrative Simplification:

  1. Electronic transactions and code sets standards requirements
  2. Privacy requirements
  3. Security requirements
  4. National identifier requirements

HIPAA and research

The HIPAA Privacy Rule contains provisions that apply to research involving the use or disclosure of Protected Health Information (PHI). PHI is health information that is individually identifiable.

PHI may be used for research through several mechanisms. Read more about HIPAA and research.


HIPAA: Designated Record Set

HIPAA allows patients to request access to (and if they’d like, to obtain a copy of) what is called the Designated Record Set (DRS). This is all of the information held by OHSU that we use to make decisions about patients. The lists below are posted to help people understand what is included in the DRS.

Designated Record Set

A patient's Health Record, which includes:


HIPAA Impact on patient care areas


Questions or concerns

If you have an information privacy or security question or concern:
Patients:  contact the HIPAA/Information Privacy & Security line at 503-494-0219
Employees:  E-mail HIPAA / Information Privacy & Security questions and concerns to or contact the office directly at 503-494-0219.