The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, enacted in 1996, is intended to ensure that an individual’s health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being.
The Privacy Rule of HIPAA seeks to protect all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, on paper, or oral. Such information includes many common identifiers, such as name, address, birth date, and Social Security number. Under the HIPAA definition, individually identifiable health information is information that does both of the following:
- Relates to an individual’s past, present, or future physical or mental health or condition, or the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual
- Identifies an individual or, it is reasonable to believe, could be used to identify an individual
The following describe the circumstances under which an individual’s protected health information may be released:
- Under certain circumstances, entities covered by HIPAA may disclose protected health information to appropriate government authorities regarding victims of abuse, neglect, or domestic violence. For example, state child abuse reporting laws take precedence over HIPAA’s confidentiality provisions and may require mandated reporters (who may also be HIPAA-covered entities) to disclose protected health information if they suspect that a child is a victim of abuse.
- Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under any of the following circumstances:
- As required by law, including court orders, court-ordered warrants, and subpoenas and administrative requests
- To identify or locate a suspect, fugitive, material witness, or missing person
- In response to a law enforcement official’s request for information about a victim or suspected victim of a crime
- To alert law enforcement of a person’s death, if the covered entity suspects that the death was caused by criminal activity
- When a covered entity believes that protected health information is evidence of a crime that occurred on its premises
- By a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime
- HIPAA allows a health care provider to release records to a minor’s other “treatment provider(s)” without first obtaining a signed authorization. Community-based treatment providers are authorized under HIPAA to release information to treatment providers in schools—and vice versa—in order to ensure continuity of treatment.
Note: HIPAA does not permit covered entities to disclose psychotherapy notes without written authorization.
 HIPAA defines covered entities as health plans, health care clearinghouses, and health care providers (45 C.F.R. § 160.103).
 45 C.F.R. § 160.103.
 45 C.F.R. § 164.512(c).
 45 C.F.R. § 164.512(f).
 45 C.F.R. § 164.506(c).