Health Insurance Portability and Accountability Act of 1996

The Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national standards to protect individuals’ medical records and other personal health information. The HIPAA Privacy Rule also gives individuals rights over their health information, like getting a copy of their records and seeking correction. The Rule applies to 3 types of HIPAA covered entities: health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically. It requires them to safeguard protected health information (PHI) entrusted to them.

For more information on HIPAA, visit hhs.gov/hipaa/index.html

CMS’ Original Medicare (fee-for-service) health plan, which includes Medicare Part A (Hospital Insurance) and Part B (Medical Insurance), is a HIPAA covered entity. CMS ensures Original Medicare’s uses and disclosures of PHI meet HIPAA privacy standards while providing and promoting high quality health care for beneficiaries.

Other Medicare plans that CMS administers, like Medicare Advantage (Part C) and Medicare Drug Plans (Part D), are HIPAA covered entities in their own right and responsible for their own HIPAA compliance. State Medicaid and Children’s Health Insurance Programs as well as Marketplace plans are also HIPAA covered entities in their own right.

 

Page Last Modified:
12/01/2021 08:00 PM