HIPAA, the Health Insurance Portability and Accountability Act, was signed into law in 1996. Its primary purpose is to provide continuous insurance coverage for workers who change jobs so that health insurance is "portable" from one employer to the next.



The following 18 items have been identified as Protected Health Information:

  • Names
  • All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any unique identifying number, characteristic, or code.

Learn more about HIPAA guidelines.


Transactions and Code Sets
This Rule creates standards involving the electronic transmission of health information and data and the codes that must be utilized to report healthcare services and goods to health plans, clearinghouses and providers. Learn more about HIPAA Transactions and Code Sets.

This Rule creates national standards to protect individuals' personal health information and gives patients increased access to and control over their medical records. It also defines how their information can be used for marketing and research purposes. Learn more about HIPAA Privacy.

The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing. Learn more about HIPAA Marketing guidelines.

Employer Identifier
This Rule mandates that the Employer Identification Number (EIN) provided to employers by the Internal Revenue Service be utilized as the Employer Identifier when electronically submitting claims to insurers. Learn more about Employer Identification.

Provider Identifier
This Rule, which goes into effect on May 27, 2007, mandates the use of the National Provider Identifier when submitting claims to all insurers, including, but not limited to, Medicare and Medicaid. Every provider and facility needs its own, unique identifier. Learn more about the Provider Identifier.

Audiologists can apply for a National Provider Identifier (NPI) or see an NPI Registry. Learn more here.


Effective April 20, 2005

This Rule creates standards to protect the confidentiality and integrity of electronically maintained and submitted identifiable health information. Learn more about the specifics of the Security Rule.


Effective February 17, 2010

The Administrative Simplification rules were established to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care, resulting in reduced costs. The rules also protect and secure an individual’s identifiable personal and health related information.

Following the requirements of the Administrative Simplification Compliance Act, the United States Department of Health and Human Services established national standards in three areas: Privacy, Security and Electronic Data Interchange. In late 2008, the Office of Civil Rights (OCR) provided additional guidance on the Electronic Exchange of Protected Health Information and HIPAA. View the HIPAA Privacy Rule and Health Information Technology (HIT).

The American Recovery and Reinvestment Act of 2009 (ARRA) added provisions known as the Health Information Technology for Economic and Clinical Health (HITECH) Act. These provisions affect security and breach notification, specifically as they pertain to Business Associates, the use and disclosure of protected health information for marketing and fundraising purposes, the sale of protected health information and electronic medical records. It is important to familiarize yourself with HITECH and make the appropriate modifications to the office Privacy, Security and Business Associate policies and documents to reflect these changes. HITECH’s implementation date was February 17, 2010. Learn more about ARRA and HITECH.


Effective September 23, 2013

The US Department of Health and Human Services (HHS) recently announced new changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that can have a significant effect on audiology practices and the way they handle, manage and disclose a patient’s protected health information (PHI), on business associates’ and audiologists’ responsibilities related to their management of the PHI they are provided by your practice, and on marketing. HHS has also strengthened enforcement and fines for non-compliance. The new rules take effect on March 26, 2013, and providers and business associates are required to comply with the applicable requirements by September 23, 2013. Learn more about new rules.

Additional Resources: