Language Translation
Provider Enrollment Provider Enrollment
Provider References Provider References
Provider Education Provider Education
Business Transactions Business Transactions
Clinical Services Clinical Services
About IHCP Programs About IHCP Programs
  Close Menu

Privacy and Security of Health Records

The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) establishes a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule addresses standards for the use and disclosure of individuals' health information (called "protected health information") and outlines standards for individuals' privacy rights, as well as individuals' rights to understand and control how their health information is used.

The HIPAA Privacy Rule is a set of federal standards to protect the privacy of patients' medical records and other health information maintained by covered entities (health plans, which include many governmental health programs [such as the Veterans Health Administration, Medicare and Medicaid], most doctors, hospitals, and many other healthcare providers and healthcare clearinghouses) and by their business associates. The Privacy Rule provides patients with access to their medical records and with other important rights. Compliance with the Privacy Rule was required as of April 14, 2003, for most entities covered by HIPAA, and by September 23, 2013, for their business associates.

The HIPAA Security Rule establishes national standards for the security of electronic protected health information (PHI). The security rule specifies a series of administrative, technical and physical security safeguards for covered entities and their business associates to assure the integrity, availability and confidentiality of electronic PHI. Compliance with the Security Rule was required as of April 20, 2005, for most entities covered by HIPAA, and by September 23, 2013, for their business associates.

The Health Information Technology for Economic and Clinical Health Act (HITECH) was signed into law as part of the Title XIII of the American Recovery and Reinvestment Act (ARRA) of 2009. HITECH sets forth a federal standard for security-breach notifications relating to the unauthorized dissemination of PHI. The HIPAA Breach Notification Rule requires covered entities and their business associates to notify the HHS Secretary, individuals and, in some cases, the media, regarding breaches of unsecured PHI. Compliance with the standards was required as of September 23, 2009.

For additional information regarding HIPAA privacy and security requirements, refer to the Health IT Privacy and Security Resources for Providers page on the Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) website at HealthIT.gov. Indiana Health Coverage Programs (IHCP) policies and practices are outlined in the Electronic Data Interchange module, as well as other provider reference modules available on the IHCP Provider Reference Modules page of this website.

IHCP Notice of Privacy Practices

Pursuant to the HIPAA Privacy Rule, the IHCP routinely mails the IHCP Notice of Privacy Practices to all active IHCP members. New IHCP members receive a copy of the notice shortly after enrolling in the program.

A copy of the IHCP Notice of Privacy Practices is available on the Member Rights & Responsibilities page of the IHCP member website at in.gov/medicaid/members.

Provider News & Events

See More