So you want to learn about the HIPAA Privacy Rule? Be warned: it is a long and complicated regulation, so this "tour" is necessarily a long one. It makes use of our glossary entries for Privacy Rule, which are numerous and, in some cases, rather lengthy.

It is not expected that you will remember everything you read (or glance at) in these entries. The point is to gain an overall familiarity with the material and, of equal importance, a sense of where you can find information when specific questions arise.

As you read entries, you can use your browser's "back" button to return to this page, or you can pursue links within each entry that will take you on a different path. There is no one right way to use the materials here.

Who and what is covered by HIPAA

• covered entities
• covered entities' workforce
• covered entities' business associates
• protected health information

Patients' rights under HIPAA

• patient rights overview
• access to records
• amendment of records
• accounting for disclosures of records
• request of additional protections
• request for confidential communications
• notice of privacy practices
• acknowledgement of receipt of notice
• authorization
• four information categories

Covered entities' general responsibilities under HIPAA

• privacy policies and procedures
• workforce training
• security policies and procedures
• privacy office/officer
• privacy board
• mitigation
• documentation

Specific rules for use and disclosure of patient information

• use and disclosure overview
• minimum necessary
• incidental uses and disclosures
• direct vs indirect treatment relationships
• hybrid organizations
• payment functions
• health care operations functions
• directory information
• personal representatives
• minors' privacy rights
• psychotherapy notes
• genetic information
• organ and tissue donation
• marketing
• fundraising
• research
• public health
• health system oversight
• specialized governmental functions
• judicial and administrative proceedings
• law enforcement
• abuse, neglect, domestic violence
• workforce crime victims
• disposal of records
• preemption by/of state law

Routine office practices and privacy/security requirements

• oral communication
• telephone use
• facsimile (fax) devices
• photocopiers and printers
• electronic mail
• general computer security
• portable computing devices
• wireless network devices

Dealing with privacy problems

• patient complaints
• compliance reviews
• workforce disciplinary actions
• criminal and civil penalties

Timetable for implementation

• HIPAA regulatory calendar

Other parts of HIPAA

• "administrative simplification" overview
• transaction and code set standards
• identifier standards
• security standards

More background information

• privacy and confidentiality basics
• security and data protection basics
• fair information principles and practices
• professional codes and data protection obligations

last modified: 16-Jul-2003 [RC]