Although the Health Insurance Portability and Accountability Act (HIPAA)
became law in 1996, Title II, which contains the Privacy Rule, did not
take effect until April 14, 2003. The Privacy Rule establishes regulations
for the use and disclosure of Protected Health Information (PHI), which
generally includes any part of a patient’s medical record. However, the
HIPAA Privacy Rule applies only to "covered entities," defined
as a health plan, a health care clearinghouse, or a health care provider.
Importantly, the definition of "covered entities" does not
include employers unless the employer is the administrator of a group
health plan.
