The Health Information Portability and Accountability Act of 1996 is specifically geared to regulate the privacy and security of Protected Health Information (PHI). Enacted on 21 August 1996 as Public Law Number 104-191, 110 Statute 1936, this law made amendments to the Employee Retirement Income Security Act (ERISA), the Public Health Service Act, and the Internal Revenue Code. The Department of Health and Human Services Office for Civil Rights (OCR) is responsible for receiving complaints about violations; you can download a PDF document from their website that explains how to report a violation. The law is usually called HIPAA.
For the purposes of identity theft, the law can be broken down into bite-sized pieces – who the law applies to (and who it does not apply to), what information is protected, and how it is protected. Also, there are two classifications for the rules in HIPAA – privacy rules, and security rules.
HIPAA applies to "covered entities" – which includes healthcare providers (anyone who is involved with your healthcare directly), health insurance providers (which would include certain people in your human resources department, as well as government programs like Medicare and Medicaid), and third parties that facilitate moving health information from one place to another (which would include the health information exchanges required to facilitate Obama's socialized healthcare law). They must comply with privacy rules as well as security rules.
However, there are exceptions. For instance, if you work for a hospital, your patient records are covered by HIPAA, but your employment record is not. (This means that if there is medical information in your employment record, it is not protected by HIPAA.) Also, HIPAA does not keep your boss or HR from asking for a doctor's note if they need the information for something work-related, for example FMLA or worker's compensation. Life insurance companies, as well as most schools and government agencies, are exempt from compliance.
The information protected by HIPAA includes anything that is put into your medical file by your doctor (or anyone else involved with giving you medical care) as well as conversations you have with your doctor. HIPAA also makes provisions to protect your billing and insurance information.
When it comes to the security rules, HIPAA becomes a tangle for medical providers. The law requires safeguards to be put on your medical information – which can mean keeping your health information under lock and key in the doctor's office, or password protection and file encryption for digital information stored on a hospital's network. Covered entities must also have policies and procedures in place to limit access to your information, and even if someone needs to see it to provide medical care, they should be limited to only what they need to see to provide that care. For example, the billing department may need to see what services were provided in order to give you a detailed breakdown of what your bill is for, but they probably don't need to see the doctor's notes on your treatment.
Doctors, dentists, hospitals, and health insurance companies and agents are the primary focus of HIPAA. In order to make sure they are not disclosing information they shouldn't, most healthcare providers have adopted a system for "coding" the services they provide. For example, the Centers for Medicare and Medicaid (CMS) maintain a set of codes that tell them where you received medical service. Many of these code sets are used by insurance companies as well, which allows the doctor to file a claim on your insurance without violating HIPAA.
HIPAA further requires your doctor to give you a notice telling you all about HIPAA and how she complies with the law. This notice will also tell you how to make a complaint to HHS as well as to the provider herself if you feel your privacy has been violated. HIPAA also makes sure you can dispute information that is in your health record, and requires covered entities to keep a record of who your information has been given to, as well as what information they gave out to that individual or organization. This can be obtained by asking your healthcare provider for a Notice of Disclosures. When your doctor gives you this notice, they will ask you to sign a document saying they gave it to you. That document doesn't release any information, nor does it give them permission to use your PHI in any specific way – it is just something to cover the bases and make sure they are doing what they are supposed to do according to HIPAA.
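Two of the ideas above map directly onto code: the "only what they need to see" rule for access (the billing example two paragraphs up) and the requirement to keep a record of who was given which information (the disclosure record described in this paragraph). The following is an added illustration, not code from any HIPAA regulation or from a real provider's system. The role names, the `ROLE_POLICY` table, the sample record and the service/member identifiers are all constructed for the example; a real policy would be driven by the provider's own documented procedures.

```python
from datetime import datetime, timezone

# Constructed sample record; the values are placeholders, not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "services": [{"code": "SVC-001", "description": "Office visit", "charge": 120.00}],
    "diagnoses": ["DX-EXAMPLE"],
    "clinical_notes": "Constructed note text; the part billing should not see.",
    "insurance": {"payer": "Example Health Plan", "member_id": "M-0001"},
}

# Hypothetical minimum-necessary policy: the sections of a record each role may
# view. Anything not listed for a role is withheld from that role.
ROLE_POLICY = {
    "treating_clinician": {"patient_id", "name", "services", "diagnoses", "clinical_notes"},
    "billing": {"patient_id", "name", "services", "insurance"},
    "front_desk": {"patient_id", "name"},
}


class DisclosureLog:
    """Append-only record of who was shown which parts of which patient's record."""

    def __init__(self):
        self.entries = []

    def record(self, patient_id, recipient, role, fields):
        self.entries.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "patient_id": patient_id,
            "recipient": recipient,
            "role": role,
            "fields": sorted(fields),
        })


def minimum_necessary_view(record, role, recipient, log):
    """Return only the sections of `record` that `role` is allowed to see,
    and log the disclosure. Unknown roles are refused outright (deny by default)
    rather than being given an empty or partial view."""
    if role not in ROLE_POLICY:
        raise PermissionError(f"no access policy defined for role: {role}")
    allowed = ROLE_POLICY[role]
    view = {key: value for key, value in record.items() if key in allowed}
    # Log before returning so every successful disclosure is accounted for.
    log.record(record["patient_id"], recipient, role, view.keys())
    return view


def accounting_of_disclosures(log, patient_id):
    """What a patient would be handed when asking who has seen their record."""
    return [entry for entry in log.entries if entry["patient_id"] == patient_id]


if __name__ == "__main__":
    log = DisclosureLog()
    billing_view = minimum_necessary_view(SAMPLE_RECORD, "billing", "billing-clerk-7", log)
    print("billing sees:", sorted(billing_view))          # no clinical_notes, no diagnoses
    for entry in accounting_of_disclosures(log, "P-0001"):
        print(entry["recipient"], entry["role"], entry["fields"])
```

The two design choices worth noticing are that the policy is a table of what each role may see rather than a list of what it may not (a new section added to the record is hidden until someone decides who needs it), and that the disclosure log entry is written inside the same function that releases the data, so there is no code path that shows a record without accounting for it.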
It may be worthwhile to note that, although you can file a complaint about a violation of HIPAA, some sources say that the OCR has been swamped with complaints and will generally simply ignore them.