Various Red Cross courses tell students to become familiar with the Health Insurance Portability and Accountability Act of 1996/2003 (HIPAA). This is info for students in my classes.

According to its website, the Department of Health and Human Services (HHS) issued “patient privacy protections as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA included provisions designed to encourage electronic transactions and also required new safeguards to protect the security and confidentiality of health information. The final regulation … (which took effect on April 14, 2003) … covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., enrollment, billing and eligibility verification) electronically.”

HIPAA limits “the ways that health plans, pharmacies, hospitals and other covered entities” (in both the private and public sectors) “can use patients’ personal medical information. The regulations protect medical records and other individually identifiable health information, whether it is on paper, in computers or communicated orally.”

Here are excerpts of the key provisions from an HHS press release:

Access To Medical Records. Patients generally should be able to see and obtain copies of their medical records and request corrections if they identify errors and mistakes.

Notice of Privacy Practices. Covered health plans, doctors and other health care providers must provide a notice to their patients explaining how they may use personal medical information and what the patients’ rights are under the new privacy regulation.

Limits on Use of Personal Medical Information. The privacy rule sets limits on how health plans and covered providers may use individually identifiable health information. To promote the best quality care for patients, the rule does not restrict the ability of doctors, nurses and other providers to share information needed to treat their patients. In other situations, though, personal health information generally may not be used for purposes not related to health care, and covered entities may use or share only the minimum amount of protected information needed for a particular purpose. In addition, patients would have to sign a specific authorization before a covered entity could release their medical information to a life insurer, a bank, a marketing firm or another outside business for purposes not related to their health care.

Prohibition on Marketing. The final privacy rule sets new restrictions and limits on the use of patient information for marketing purposes. Pharmacies, health plans and other covered entities must first obtain an individual’s specific authorization before disclosing their patient information for marketing.

Note: if state laws are stronger than HIPAA, the state laws override HIPAA.

Confidential communications. Under the privacy rule, patients can request that their doctors, health plans and other covered entities take reasonable steps to ensure that their communications with the patient are confidential. For example, a patient could ask a doctor to call his or her office rather than home, and the doctor’s office should comply with that request if it can be reasonably accommodated.

Complaints. Consumers may file a formal complaint regarding the privacy practices of a covered health plan or provider.

All health plans, pharmacies, doctors and other covered entities must establish policies and procedures to protect the confidentiality of protected health information about their patients. These include, but are not limited to, written privacy procedures, employee training, a designated person responsible for ensuring the procedures are followed, and appropriate disciplinary action.

Public Responsibilities. In limited circumstances, the final rule permits, but does not require, covered entities to continue certain existing disclosures of health information for specific public responsibilities. These permitted disclosures include: emergency circumstances; identification of the body of a deceased person, or the cause of death; public health needs; research that involves limited data or has been independently approved by an Institutional Review Board or privacy board; oversight of the health care system; judicial and administrative proceedings; limited law enforcement activities; and activities related to national defense and security. The privacy rule generally establishes new safeguards and limits on these disclosures. Where no other law requires disclosures in these situations, covered entities may continue to use their professional judgment to decide whether to make such disclosures based on their own policies and ethical principles.

Civil and Criminal Penalties. Congress provided civil and criminal penalties for covered entities that misuse personal health information. For civil violations of the standards, (the HHS Office for Civil Rights) “may impose monetary penalties up to $100 per violation, up to $25,000 per year, for each requirement or prohibition violated. Criminal penalties apply for certain actions such as knowingly obtaining protected health information in violation of the law. Criminal penalties can range up to $50,000 and one year in prison for certain offenses; up to $100,000 and up to five years in prison if the offenses are committed under ‘false pretenses’; and up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer or use protected health information for commercial advantage, personal gain or malicious harm.”

(optional) You can read details at:

and see:
A trash bin in a restroom open to the public at a local hospital carries this sign:

DO NOT throw items with patient or confidential information in this bin.
DO NOT throw medical waste, syringes, or medical vials or anything with visible blood in this bin.
Do not throw biohazardous waste in this bin.

[Photo: trash can]