beige arrow Home
beige arrow Contact Details

Line

Health Information Privacy and Security

Confidential FoldersHealth Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) of 1996, also known as the Kennedy/Kassebaum Act (PL 104-191), was originally intended to ensure portability of health insurance when an individual moves from one health plan to another. As the bill progressed through the federal legislative process, its scope expanded. Title II requirements are expressed through the Privacy Rule, the Security Rule, and rules regarding Transaction and Code Sets.

Privacy Rule
Under the Privacy Rule:
  • A covered entity and its business associates must protect individually identifiable health information.
  • A covered entity is a health care provider who transmits any health information electronically in connection with certain transactions; or a health plan or health care clearinghouse.
  • A business associate is a person who performs a function or activity on behalf of, or provides services to, a covered entity that involves individually identifiable health information. A business associate is not a workforce member. A covered entity can be a business associate to another covered entity.
  • A covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule.
  • Protected health information (PHI) is individually identifiable health information that is transmitted or maintained in any form or medium by a covered entity or business associate.
  • Any person who believes a covered entity is not complying with the Privacy Rule may file a written complaint.
Security Rule

The Security Rule establishes standards for protecting individually identifiable health information when it is maintained or transmitted electronically. Under HIPAA security standards, health insurers, certain healthcare providers, and healthcare clearinghouses must establish procedures and mechanisms to protect the confidentiality, integrity, and availability of electronic protected health information. The rule requires covered entities to implement administrative, physical, and technical safeguards to protect electronic protected health information in their care.

The major difference between the Security Rule and the Privacy Rule is that the former concentrates on electronic information and the latter encompasses electronic, oral and physical information.

The second significant difference between the Security Rule and the Privacy Rule is the enforcement agency. The federal Centers for Medicare & Medicaid Services (CMS) is responsible for implementing and enforcing the security standards, the transactions standards, and other HIPAA administrative simplification provisions, except for the privacy standards. HHS' Office for Civil Rights is responsible for implementing and enforcing the privacy rule.

Complaints

You have the right to file a complaint if you believe that the County of San Bernardino has given out or used your personal health information inappropriately. You may contact either:

  • County of San Bernardino HIPAA Complaints Official  HIPAAComplaints@cao.sbcounty.gov                                            

157 West Fifth Street, First Floor 

San Bernardino CA 92415-0400                                                        

(909) 387-8950 fax                                                                           

(909) 387-4500 phone

Under the HIPAA rules it is unlawful for an employee of San Bernardino County to take an action against you because you:

  • Filed a complaint;
  • Helped with an investigation; or
  • Opposed a practice that you think is unlawful under HIPAA.

If you believe that an action was taken against you contact the complaints officer.

Additional Information

Additional information regarding the Privacy Rule is available at www.hhs.gov/ocr/hipaa/.

 

Confidentiality of Medical Information Act (CMIA)