HIE Privacy & Security

Protected health information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.

One security feature of electronic health records is that they include an audit trail that shows who has looked at them. The government is continuing to develop rules about the privacy and security of PHI.

Privacy and security are vital to a successful switch to electronic health records and electronic health care information exchange. People's health information is protected under a law called the Health Insurance Portability and Accountability Act (HIPAA). This law:

  • Gives patients the right to see or get a copy of their health records
  • Sets rules about who can look at and receive patient health information

Since its inception, the HIPAA Privacy Rule has operated primarily in a paper-based environment to ensure the right of an individual to access protected health information (PHI) about him or her held by a health care provider or other organization. While it has been common for health care providers to create, maintain, and exchange PHI in paper form, an increasing number of providers are beginning to utilize new forms of health information technology (health IT), which often involve the transition of PHI from paper to electronic form. Many health care providers, for example, are adopting comprehensive electronic health records (EHRs) to enhance the quality and efficiency of care they deliver. Health IT also may create mechanisms by which individuals can electronically request access to their PHI and by which providers can respond by providing or denying access electronically.

An individual's right to access his or her PHI is a critical aspect of federal and state privacy rules and regulations, the application of which naturally extends to an electronic environment. The current rule establishes, with limited exceptions, an enforceable means by which individuals have a right to review or obtain copies of their PHI, to the extent it is maintained in the provider's health IT system(s). These rules lay out specific, yet flexible, standards that also address individuals' requests for access and the timeliness of the provider's response.

The HIPAA Privacy Rule provides the first national standards for protecting the privacy of health information. HIPAA regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records. Among other provisions, the HIPAA Privacy Rule:

  • gives patients more control over their health information;
  • sets boundaries on the use and release of health records;
  • establishes appropriate safeguards that the majority of health-care providers and others must achieve to protect the privacy of health information;
  • holds violators accountable, with civil and criminal penalties that can be imposed on those who violate patients' privacy rights;
  • strikes a balance when public health responsibilities support disclosure of certain forms of data;
  • enables patients to make informed choices based on how individual health information may be used;
  • enables patients to find out how their information may be used and what disclosures of their information have been made;
  • generally limits release of information to the minimum reasonably needed for the purpose of the disclosure;
  • generally gives patients the right to obtain a copy of their own health records and request corrections; and
  • empowers individuals to control certain uses and disclosures of their health information.