Minimizing Disclosure Risk in HHS Open Data Initiatives. 3. Health Insurance Portability and Accountability Act of 1996


HIPAA applies to health plans, clearinghouses, and health care providers. This legislation is often considered to represent the “high water mark” for how entities “balance risks to privacy against valuable uses of information” (Ohm 2010). There are two key regulations that emerge from HIPAA: the Privacy Rule and the Security Rule.

a. Standards for Privacy of Individually Identifiable Health Information (Privacy Rule)

Under the Privacy Rule, HIPAA-covered entities cannot disclose individually identifiable health information—known as protected health information (PHI)—unless the individual has authorized the release in writing or the disclosure or use is permitted under the Privacy Rule’s exceptions. These exceptions allow for the information to be shared within the covered entity for treatment, payment, or health care operations or for public interest and benefit activities—for example, law enforcement purposes, or public health activities (HHS 2003). De-identified PHI can be disclosed if the data no longer identifies the individual or provides a reasonable basis to identify the individual. HIPAA-covered entities must de-identify data using one of two methods: (1) by receiving a formal determination of de-identification by a qualified statistician, or (2) by removing 18 specific identifiers (the “Safe Harbor” method), such as names, addresses, and account number. The full list of 18 identifiers may be found on p. D-3, Appendix D.

b. The Security Standards for the Protection of Electronic PHI (The Security Rule)

The Security Rule established a national security standard to safeguard health information and addresses the technical and non-technical safeguards that entities must put in place to uphold the Privacy Rule standards. Under the Security Rule, entities must “ensure the confidentiality, integrity, and availability” of all PHI that are created, received, maintained, or transmitted electronically, identify and protect against “reasonably anticipated threats” to security or integrity of data and uses or disclosures, and ensure workforce compliance. The rule includes physical and technical safeguards and other organizational and policy requirements that entities must implement.7

7 “Summary of the HIPAA Security Rule.” Available at [ srsummary.html]. Accessed June 3, 2014.

View full report


"rpt_Disclosure.pdf" (pdf, 1.01Mb)

Note: Documents in PDF format require the Adobe Acrobat Reader®. If you experience problems with PDF documents, please download the latest version of the Reader®