Links to Final HIPAA Regulations:

U.S. Department of Health and Human Services
Contains links to the Transactions, Code Sets and Identifiers (EDI), Privacy and Security final regulations. FAQs are also presented on this website. This is the general HHS site describing HIPAA Administrative Simplification.

Centers for Medicare and Medicaid Services (CMS)
Contains general HIPAA Administrative Simplification information and links to further information, including an FAQ section. CMS will be the authority for EDI regulation enforcement.

Office for Civil Rights (OCR)
The Office for Civil Rights is the enforcement agent for the Privacy regulations addressed by HIPAA Administrative Simplification. Included on this website are guidelines on HIPAA Privacy, instructions and forms for reporting breaches of privacy, and other information on health information privacy.

House Resolution 1975 (May 23, 2001)
To modify the deadline for initial compliance with the standards and implementation specifications promulgated under section 1173 of the Social Security Act, and for other purposes.

Introduced in the House of Representatives by Rep. John Shadegg (R-Arizona) and co-sponsored by 12 others, this legislation is intended to extend the deadlines for initial compliance with Administrative Simplification standards for health information. This bill excludes the privacy rule and the individual identifier.

Link to Bill Summary and Status Info.

Link to full text of the legislation.

Public Law 104-191 (H.R. 3103)
Bill Summary & Status for the 104th Congress
A link to all of the details about the Health Insurance Portability and Accountability Act of 1996, including the text of the legislation.

ACLU of Washington - Legislation Would Protect Medical Record Privacy

Monday, January 24, 2000

OLYMPIA, WA -- Responding to citizen demands for action to safeguard sensitive personal information, the American Civil Liberties Union of Washington has drafted House and Senate bills to protect the privacy of people's medical information.

The bills would prohibit non-health care providers with legitimate access to medical records from disclosing the information to anyone else for further use. The bills would also bar insurance companies from marketing medical records to third parties.

"Washington citizens have a right to expect that their medical records will be used to help health care providers give the best medical care possible, not as a marketing tool of insurance companies," said Jerry Sheehan, Legislative Director for the ACLU of Washington.

The ACLU said it is especially important to put these protections in place now, when the legislature is considering adoption of a patients' Bill of Rights.

"Protecting privacy should be an important component of a patients' Bill of Rights," Sheehan said.

House Bill 2901 is sponsored by Representative Dow Constantine, and Senate Bill 6684 is sponsored by Senator Pat Thibaudeau. Both measures were introduced in the state legislature today.

Standards for Privacy of Individually Identifiable Health Information
Notice of Proposed Rule Making
Published November 3, 1999
Comment period closes January 3, 2000

Summary of Proposed Standards for Privacy of Individually Identifiable Health Information

Statutory Requirement
Section 264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, enacted August 21, 1996, requires that, if legislation establishing privacy standards is not enacted “by the date that is 36 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this Act.”

The statutory deadline for Congress to enact legislation was August 21, 1999. Absent legislation, HHS has developed its proposed rule.

The proposed rule would:

  • allow health information to be used and shared easily for treatment and for payment of health care;
  • allow health information to be disclosed without an individual’s authorization for certain national priority purposes (such as research, public health and oversight), but only under defined circumstances;
  • require written authorization for use and disclosure of health information for other purposes; and
  • create a set of fair information practices to inform people of how their information is used and disclosed, ensure that they have access to information about them, and require health plans and providers to maintain administrative and physical safeguards to protect the confidentiality of health information and protect against unauthorized access.

Entities covered by the proposed rule

  • Health care providers who transmit health information electronically
  • Health plans
  • Health care clearinghouses

Health information covered by the proposed rule (“Protected health information”)

  • Protection would start when information becomes electronic, and would stay with the information as long as the information is in the hands of a covered entity.
    • Information becomes electronic either by being sent electronically as one of the specified Administrative Simplification transactions or by being maintained in a computer system.
    • The paper progeny of electronic information is covered; the information would not lose its protections simply because it is printed out of the computer.
    • HIPAA protects the information itself, not the record in which the information appears.
  • The information must be “identifiable.” If the information has any components that could be used to identify the subject, it would be covered.