The Health Insurance Portability and Accountability Act of 1996 was designed to protect your private medical information. HIPAA established strict guidelines for record keeping, record storage and communication in the medical and health insurance fields. Everyone, from doctors' offices to pharmacists to those who answer the phones at your insurance agency, has to follow the same procedures.
Protected Health Information (PHI)
HIPAA's guidelines make clear exactly what information about patients is protected. Called PHI, this information includes anything that would identify a patient, from name, Social Security numbers and addresses to broader identifiers like race, age and home state. Information about the person's health care needs or medical history is also considered PHI. HIPAA guidelines dictate that this information cannot be shared except in particular instances, including when the individual patient herself requests it, or when a privacy investigation by the Department of Health and Human Services requires it.
Arguably the cornerstone of the HIPAA guidelines is the "minimum necessary" requirement. The health care providers and health plan administrators who have to adhere to HIPAA's guidelines must limit what personal health information -- PHI -- they share to the minimum amount necessary to accomplish the task. For example, age, race, or other demographic information might be required for a researcher to draw fair conclusions about their otherwise anonymous subjects. It would be within HIPAA guidelines to share that information, so long as the necessity could be proved and all efforts were made to protect the patient's identity.
HIPAA guidelines state that all professionals and other employees who come into contact with patient information must be trained in the HIPAA practices. A "privacy officer" and contact person must be designated in the workplace, and that person serves as the resource for HIPAA and patient privacy related issues. Each business that falls under HIPAA's rules must create a written set of policies and procedures that meet HIPAA requirements for record storage. Employees must have access to this information at any time. The company also must employ a system to keep track of all patient information disclosures so that their handling of sensitive medical information can be reviewed at any time.