Health Insurance Portability and Accountability Act (HIPAA)

The law known as “HIPAA” stands for the Health Insurance Portability and Accountability Act of 1996. Congress passed this landmark law to provide consumers with greater access to health care insurance, to protect the privacy of health care data, and to promote more standardization and efficiency in the health care industry. While HIPAA covers a number of important health care issues, this informational series focuses on the Administrative Simplification portion of the law – specifically HIPAA’s Electronic Transactions and Code Sets requirements.

There are four parts to HIPAA’s Administrative Simplification:

Electronic transactions and code sets standards requirements
Privacy requirements
Security requirements
National identifier requirements

View the Combined Regulation text of Privacy and Security Rule

Use and Disclosure of Protected Health Information (PHI)- read more

HIPAA and research

The HIPAA Privacy Rule contains provisions that apply to research involving the use or disclosure of Protected Health Information (PHI). PHI is health information that is individually identifiable.

PHI may be used for research through several mechanisms - read more about HIPAA and research

HIPAA: Designated Record Set

HIPAA allows patients to request access to (and if they’d like, to obtain a copy of) what is called the Designated Record Set (DRS). This is all of the information held by OHSU that we use to make decisions about patients. The lists below are posted to help people understand what is included in the DRS.

Designated Record Set

A patient's Health Record, which includes;

List of Exclusions

HIPAA Impact on patient care areas

Questions or concerns

If you have an information privacy or security question or concern:
Patients: contact the HIPAA/Information Privacy & Security line at 503-494-0219
Employees: E-mail HIPAA / Information Privacy & Security questions and concerns to oips@ohsu.edu or contact the office directly at 503-494-0219.

HIPAA outside resources

Phoenix Health Systems
Includes an overview of HIPAA regulations, FAQ's, list-servs, deadlines for compliance.

U.S. Department of Health and Human Services
Full text of the HIPAA regulations, as well as the Final Rules.

Office for Civil Rights
HIPAA page of the Office for Civil Rights, a division within the Department of Health and Human Services. OCR will ultimately be responsible for enforcing HIPAA regulations. This page contains the full text of the July 6, 2001 Guidance published by OCR, which clarifies specific implications of HIPAA.

Workgroup for Electronic Data Interchange (WEDI)
Information about electronic information standards, HIPAA glossary.

American Hospital Association
Legislative developments, HIPAA education resources.

Oregon Association of Hospitals and Health Systems
An outstanding site which includes specific information on steps to compliance, privacy and consent requirements, HIPAA on parents and minors, and sample forms. An especially good resource for HIPAA's implications in light of existing Oregon state laws.

National Committee on Vital and Health Statistics (NCVHS)
Public advisory body to the Secretary of Health and Human Services in the area of health and data statistics. Transcripts of all hearings and some written testimony.